Search Tech Journey

Find topics, journeys and posts

back to blog
securityintermediate 15m2026-07-11

Security — AuthN/Z, TLS, OWASP, Secrets

A deep-dive on Security — part of a 36-topic evergreen learning series.

Why this session matters

Part of a 36-topic learning series on engineering, ML, and LLM systems. Each session is a 90-minute deep-dive on one topic — designed so anyone can pick it up cold. Every two topics are followed by a revision session with recall prompts and hands-on drills.

Session 30 · SYS track 🔐

Security is invisible when it works and career-ending when it doesn't. This session covers authentication (passwords, MFA, WebAuthn, OAuth 2.0 / OIDC, JWTs), authorization (RBAC, ABAC, policy engines), TLS 1.3 handshake, the OWASP Top 10 with real examples, secret management (Vault, KMS), and threat-modeling a system.

Pre-read (30 min before session)

Watch 1–2 of these before the deep-dive:

Then skim the OWASP Top 10 2021.

Deep-dive (90 min)

1. Authentication (25 min)

Password best practices (Argon2id, per-user salt). MFA (TOTP, WebAuthn/passkeys). OAuth 2.0 flows: Authorization Code + PKCE (SPAs, mobile), Client Credentials (service-to-service), Device Code (CLI). OIDC on top for identity (id_token). JWT structure (header/payload/signature), pitfalls (alg: none, algorithm confusion, weak keys). Session cookies vs bearer tokens (SameSite, Secure, HttpOnly).

2. Authorization (20 min)

RBAC (roles → permissions → resources). ABAC (policy over attributes). ReBAC (relationship-based, Google Zanzibar model). Policy engines (OPA, Cedar). Common bugs: BOLA / IDOR (missing object-level auth), broken function-level auth.

3. Transport & storage (20 min)

TLS 1.3 handshake (1-RTT, 0-RTT with replay caveats). Cipher suites and forward secrecy. Cert management (ACME, Let's Encrypt, cert-manager on K8s). At-rest encryption (AES-256-GCM). KMS/HSM. Envelope encryption pattern.

4. OWASP Top 10 + threat modeling (25 min)

Injection (parameterize!), broken access control, SSRF, deserialization, XXE, SQLi via string concat. Threat modeling with STRIDE. Reading a security scanner report (SAST/DAST/SCA). Secrets in code — pre-commit hooks + rotation.

Reading list

  • Web Application Hacker's Handbook — Stuttard & Pinto
  • Real-World Cryptography — David Wong
  • Threat Modeling — Adam Shostack

Hands-on drill

Write a tiny Flask app with a login form. Deliberately introduce (a) SQL injection, (b) IDOR (/order/<id> with no owner check), (c) missing CSRF token. Then fix all three. Bonus: run ZAP or Burp against it.

Post-session checklist

  • Can you explain OAuth 2.0 Authorization Code + PKCE flow in 60 seconds?
  • Can you explain the difference between RBAC and ABAC in 60 seconds?
  • Can you explain how TLS 1.3 achieves 1-RTT in 60 seconds?
  • Did you complete the hands-on drill above?
  • Did you write 3 flashcards for tomorrow's recall?
  • What's the one thing you'd want to revisit in the next revision session?

What's next

Session 31 continues the series. See the hub page for the full sequence and revision pattern.