Why is whitelisting safer than blacklisting? (Fail-safe in code)
Unknown inputs are automatically denied.
Why should systems never “guess intent”? (Fail-safe in code)
Invalid input should be rejected clearly.
Fail-safe middleware: What must run before business logic?
Authentication and authorisation middleware.
Fail-safe middleware: What should happen if middleware throws an exception?
Access must be denied.
Why are bypass paths dangerous?
Conditions like if(skipAuth) create vulnerabilities.
Fail-Safe Infrastructure: What should the default encryption posture be?
Encryption enabled by default
What should happen to unencrypted writes?
They should be rejected.
Why must backups fail loudly?
Silent failure means there are effectively no backups.
API Gateway Deny-by-Default: What does this ACL mean?
All routes are denied unless explicitly allowed.
Why is deny-by-default safer?
Undefined routes cannot bypass security.
Operational Fail-Safes: What should happen if a security scanner fails?
Deployment should stop.
What must every fail-closed event produce?
Metrics
Logs
Alerts
Why are stack traces dangerous? (Trap: Soft 404s and Data Leaks)
They leak internal system details.
What information can verbose errors leak?
Database names
Server versions
Internal architecture
What is the correct fix for verbose errors?
Log detailed errors internally and return minimal client errors.
(Trap: Insecure Not Found Checks) What should an unauthorised user receive?
Identical responses regardless of whether data exists.
(Trap: Insecure Not Found Checks) Insecure order
Query DB
Check auth
Attackers can probe whether records exist
(Trap: Insecure Not Found Checks) Correct secure order?
Check authorisation
Query database
(Trap: Overbroad Try/Catch) What should happen when authentication fails?
The request must stop immediately.
Is Zero Trust a product?
No — it is an architectural philosophy.
What does Zero Trust assume about networks?
The network is not a trust boundary.
What does Zero Trust require?
Every request must be authenticated and authorised.
What was the old perimeter model?
Inside = safe, outside = dangerous.
Why is the old perimeter model broken?
Attackers enter using phishing, supply chain attacks, and stolen credentials.
What does Zero Trust assume?
Breach is inevitable.
Who must have verifiable identities in Zero Trust?
Users
Workloads
What is continuous authentication?
Re-verifying identity during sensitive operations.
Why is login-only authentication insufficient?
Session age and network location cannot be trusted.
What factors influence context-aware access?
User identity
Device health
Workload
Time
Location
What is just-in-time access?
Permissions granted temporarily when needed.
What is risk-adaptive access?
Higher risk contexts require more verification.
What does mTLS provide?
Authenticated and encrypted service-to-service communication.
Why is application-layer access safer?
Access is limited to specific applications rather than entire networks.
What is micro-segmentation?
Limiting blast radius between services.
What is the problem with traditional VPNs?
VPN users often gain access to all servers.
What does an application access proxy do?
Grants access only to approved applications/APIs.
What is mutual TLS (mTLS)?
Both communicating services present certificates.
Why should source IPs not be trusted?
IPs can be spoofed or reused.
What do service meshes like Istio provide?
Transparent mTLS enforcement.
Why should raw bearer tokens not be forwarded internally?
Internal services should use scoped internal identities instead.
Why is PERMISSIVE mode dangerous in production?
It silently allows unencrypted traffic.
What three signals are checked in device-aware access?
User identity
Device compliance
Sign-in risk
What happens when sign-in risk is high?
Step-up authentication or denial occurs.
Why is “allow any service in namespace X” dangerous?
Namespace-wide trust recreates perimeter security.
What should be trusted instead of network location?
Cryptographic identities.
Why is mTLS alone insufficient?
Encryption without authorisation still allows lateral movement.
Why is Zero Trust not a one-time project?
Threats and systems evolve continuously.
What should organisations secure first in Zero Trust?
Admin access
Production system
Customer-data APIs
What does Least Privilege define?
Minimum allowed capability.
What does Fail-Safe Defaults handle?
Safe behaviour under uncertainty.
What does Zero Trust provide?
Explicit identity and context at every hop.
Why are logs and audit trails important?
They form the basis of digital forensics and incident response.