System Security: Authentication, Authorization, and Common Vulnerabilities
Learn essential security concepts including authentication methods, authorization patterns, common vulnerabilities (OWASP Top 10), and secure system design.
Security as a Design Constraint
Security isn't an afterthought — it must be baked into the architecture from the start. A breach can destroy user trust and incur massive costs.
Defense in depth: Never rely on a single security measure. Layer your defenses so that if one fails, others protect you.
Authentication vs Authorization
Authentication (Who are you?)
Verifying user identity.
Authorization (What can you do?)
Verifying permissions.
Authentication Methods
Password-Based Authentication
Password hashing uses PBKDF2 with a random salt and 100,000 iterations. The salt prevents rainbow table attacks, and the high iteration count makes brute-force attacks computationally expensive. The verify_password function extracts the salt from the stored hash and compares it with a freshly computed hash.
Never use MD5 or SHA-1 for passwords. They're too fast (vulnerable to brute force). Use bcrypt, scrypt, or Argon2 with appropriate work factors.
Multi-Factor Authentication (MFA)
Token-Based Authentication
JWT Structure
{
"header": {
"alg": "RS256",
"typ": "JWT"
},
"payload": {
"sub": "user123",
"role": "admin",
"exp": 1704067200,
"iat": 1704063600
},
"signature": "..."
}
Authorization Patterns
Role-Based Access Control (RBAC)
Attribute-Based Access Control (ABAC)
{
"condition": {
"resource": "document-123",
"action": "read",
"subject": {
"department": "engineering",
"clearance": "secret"
},
"environment": {
"time": "2024-01-15T09:00:00Z"
}
}
}
OAuth 2.0 Flow
OWASP Top 10 Vulnerabilities
1. Broken Access Control
Broken access control allows users to access resources they shouldn't. The vulnerable version directly queries by order_id without verifying ownership. The fixed version adds AND user_id = ? to ensure users can only access their own orders.
2. Cryptographic Failures
Weak encryption uses predictable keys (like Fernet.generate_key() which creates a random key but doesn't demonstrate the vulnerability). Strong encryption uses AESGCM with a cryptographically secure 256-bit key generated from os.urandom.
3. Injection
SQL injection exploits unsanitized input in queries. The vulnerable version concatenates the email directly into the SQL string, allowing attackers to inject malicious SQL. The fixed version uses parameterized queries where the email is passed separately, preventing injection attacks.
4. Insecure Design
| Threat | Mitigation |
|---|---|
| Credential stuffing | Rate limiting, MFA |
| Brute force | Account lockout, CAPTCHA |
| Excessive data exposure | Return only needed fields |
5. Security Misconfiguration
- Disable debug mode in production
- Use secure defaults
- Regular security updates
- Minimal attack surface (disable unused features)
6. Sensitive Data Exposure
Secure System Design
Secrets Management
Input Validation
Input validation using Pydantic validators ensures data integrity before processing. The email validator checks for the @ symbol and normalizes to lowercase. The age validator enforces business rules (0-150 range). This prevents invalid data from entering the system.
Rate Limiting
Rate limiting uses Redis to track request counts per user within a time window. The decorator increments a counter with an expiration. If the count exceeds the limit, it returns a 429 error. This prevents abuse and DoS attacks.
Security Checklist
| Category | Checklist Item |
|---|---|
| Authentication | Password hashing (bcrypt/Argon2) |
| Authentication | MFA for sensitive operations |
| Authorization | Principle of least privilege |
| Data | Encrypt sensitive data at rest |
| Data | Use TLS for data in transit |
| Input | Validate and sanitize all inputs |
| Dependencies | Regular dependency audits |
| Logging | Log security events, not sensitive data |
What to Remember for Interviews
- Never trust user input: Always validate and sanitize
- Hash passwords: Never store plain text, use bcrypt/Argon2
- Defense in depth: Layer your security controls
- Least privilege: Grant minimum necessary permissions
- OWASP Top 10: Know the common vulnerabilities and mitigations
Practice: Review the OWASP Top 10 and understand how each vulnerability works and how to prevent it. If asked about security in an interview, demonstrate practical knowledge, not just buzzwords.