Security
Secrets, least privilege, HTTPS, zero trust, and secure delivery.
Why is secret management important in DevOps?
Secret management protects credentials, tokens, and keys from exposure.
What is the principle of least privilege?
It means granting only the minimum permissions required to perform a task.
What is a zero trust security model?
Zero trust assumes no user or system is trusted automatically, even inside the network.
Why is secret rotation important?
Secret rotation reduces the risk of long-lived credentials being exposed or abused.
What does DevSecOps mean?
DevSecOps means integrating security into development, operations, and delivery workflows.
Why is HTTPS important?
HTTPS encrypts data in transit and protects against interception.
What is the difference between authentication and authorization?
Authentication verifies identity, while authorization determines access rights.
What is attack surface?
Attack surface is the set of all points through which a system can be attacked.
What is information security?
Information security protects systems and data from unauthorized access, misuse, or damage.
What is the CIA triad?
The CIA triad stands for confidentiality, integrity, and availability.
What is encryption at rest?
Encryption at rest protects stored data by encrypting it on disk or in storage.
What is encryption in transit?
Encryption in transit protects data while it moves between systems.
What is hashing?
Hashing transforms data into a fixed-size value used for integrity checking or password storage.
Why is salt used with password hashing?
Salt makes identical passwords produce different hashes and helps resist precomputed attacks.
What is MFA?
MFA stands for Multi-Factor Authentication and requires more than one verification factor.
What is a vulnerability?
A vulnerability is a weakness that could be exploited to compromise a system.
Why is patch management important?
Patch management reduces exposure to known vulnerabilities.
What does a secrets manager do?
A secrets manager securely stores and controls access to credentials and sensitive values.
What is the difference between an API key and a token?
An API key is usually a static credential, while a token is often temporary and tied to identity or session context.
What is a JWT?
A JWT is a JSON Web Token used to represent identity or authorization claims.
What is RBAC?
RBAC stands for Role-Based Access Control.
What is ABAC?
ABAC stands for Attribute-Based Access Control and makes decisions using attributes and policies.
Why is the principle of least privilege important?
It reduces blast radius by limiting access to only what is necessary.
What is a secret rotation policy?
A secret rotation policy defines how often credentials should be changed and how that process is managed.
Why are IAM roles often preferred over long-lived IAM users in cloud environments?
Roles reduce the need for static credentials and improve security.
What does shift-left security mean?
Shift-left means addressing security earlier in the software lifecycle.
What is SAST?
SAST is Static Application Security Testing.
What is DAST?
DAST is Dynamic Application Security Testing.
What is Software Composition Analysis (SCA)?
SCA scans third-party dependencies for known vulnerabilities and license issues.
Why scan container images?
Container scanning helps detect vulnerable packages, secrets, and insecure image configurations.
Why scan Infrastructure as Code?
IaC scanning detects insecure cloud or infrastructure configurations before they are deployed.
How do you reduce attack surface?
Reduce attack surface by removing unnecessary services, limiting access, and minimizing exposed functionality.
What are good practices for security group or firewall rules?
Use least privilege, narrow source ranges, document intent, and avoid overly broad access.
Why is audit logging important?
Audit logs help track who did what and support investigations and compliance.
What is threat modeling?
Threat modeling is the process of identifying risks, attack paths, and mitigations in a system design.
What is blast radius in security?
Blast radius is the extent of damage possible if a system, credential, or component is compromised.
What is a KMS?
A KMS is a Key Management Service used to create and manage encryption keys.
What is the difference between compliance and security?
Compliance means meeting required standards, while security means actually reducing risk.