Security Fundamentals

Key Acronyms & Terminology

Fig. 1 — Essential Security Abbreviations

Common Threat Landscape

The most prevalent attack vectors targeting organizations today. Understanding these threats is the first step in building effective defenses.

CVSS Severity Ratings at a Glance

The Common Vulnerability Scoring System assigns a 0–10 score to every CVE. Use these thresholds to prioritize remediation:

The Three Pillars

Every security control, policy, and architectural decision maps back to one or more of these three properties. Compromise any one, and the system fails. A well-designed security posture balances all three—and recognizes the tension between them.

Defense in Depth

No single security control is foolproof. Defense in depth layers multiple, independent controls so that if one fails, others still protect the asset. Think of it as a medieval castle: the moat, the outer wall, the inner wall, the keep, and the armored guards each serve a different purpose.

Principle of Least Privilege

Every user, process, and service should operate with the minimum set of permissions required to perform its function—and nothing more. Overly broad permissions are the #1 misconfiguration in cloud environments and the most common vector for lateral movement after initial compromise.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowS3ReadSpecificBucket",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::reports-2026",
        "arn:aws:s3:::reports-2026/*"
      ],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/16"
        }
      }
    }
  ]
}

Zero Trust Architecture

Zero Trust is not a product you can buy. It is an architecture and a philosophy: never trust, always verify. Traditional perimeter-based security assumed that everything inside the corporate network was trustworthy. ZTA assumes breach and requires continuous verification of every user, device, and network flow—regardless of location.

Core tenets of Zero Trust (per NIST SP 800-207):

Password Security: Hashing Algorithms

Passwords must never be stored in plaintext. They must be hashed with a purpose-built, slow, memory-hard algorithm. Fast hashes like MD5 and SHA-1 can be brute-forced at billions of guesses per second on modern GPUs. The goal is to make each guess computationally expensive.

Fig. 2 — Hashing Algorithm Comparison

# OWASP recommended minimum parameters (2025):
# - Memory: 19 MiB (19456 KiB)
# - Iterations: 2
# - Parallelism: 1

# Python (using argon2-cffi)
from argon2 import PasswordHasher
ph = PasswordHasher(
    time_cost=2,        # iterations
    memory_cost=19456,  # 19 MiB in KiB
    parallelism=1,
    hash_len=32,
    salt_len=16
)

hash = ph.hash("user_password")
# $argon2id$v=19$m=19456,t=2,p=1$...

# Verify:
ph.verify(hash, "user_password")  # returns True
ph.verify(hash, "wrong_password") # raises VerifyMismatchError

Multi-Factor Authentication (MFA)

MFA requires two or more independent factors from different categories: something you know (password), something you have (device, key), or something you are (biometric). Enabling MFA blocks over 99% of account compromise attacks.

OAuth 2.0 Flows

OAuth 2.0 is a delegation protocol: it lets a user grant a third-party application scoped access to their resources without sharing their password. It does not handle authentication (that is OpenID Connect's job). Two flows dominate modern usage:

OpenID Connect vs. SAML 2.0

Both protocols solve federated authentication (SSO), but they differ significantly in age, format, and use case. OpenID Connect (OIDC) is the modern choice for most greenfield applications; SAML remains dominant in enterprise environments.

Fig. 4 — OIDC vs. SAML Comparison

JWT Structure & Security Pitfalls

JSON Web Tokens (RFC 7519) are the standard bearer token format in OAuth 2.0 and OIDC. A JWT is three Base64URL-encoded segments separated by dots: header.payload.signature.

# HEADER (algorithm + type)
{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "2026-02-key-1"
}

# PAYLOAD (claims)
{
  "iss": "https://auth.example.com",
  "sub": "user-8a3f-4b12",
  "aud": "https://api.example.com",
  "exp": 1739404800,
  "iat": 1739401200,
  "scope": "read:reports write:comments",
  "email": "alice@example.com",
  "roles": ["analyst", "viewer"]
}

# SIGNATURE
RSASHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  privateKey
)

Critical security pitfalls:

import jwt from 'jsonwebtoken';
import jwksClient from 'jwks-rsa';

const client = jwksClient({
  jwksUri: 'https://auth.example.com/.well-known/jwks.json',
  cache: true,
  rateLimit: true,
});

function getKey(header, callback) {
  client.getSigningKey(header.kid, (err, key) => {
    callback(err, key?.getPublicKey());
  });
}

// SECURE: explicit algorithm, full claim validation
jwt.verify(token, getKey, {
  algorithms: ['RS256'],       // NEVER allow 'none' or 'HS256' here
  issuer: 'https://auth.example.com',
  audience: 'https://api.example.com',
  clockTolerance: 30,          // 30s leeway for clock skew
  maxAge: '15m',               // reject tokens older than 15 minutes
}, (err, decoded) => {
  if (err) throw new AuthenticationError(err.message);
  // decoded.sub, decoded.roles, decoded.scope now trusted
});

Session Management Best Practices

Even with JWTs for API authentication, most web applications still use server-side sessions for state management. The session cookie is the key to the kingdom—protect it accordingly.

app.use(session({
  name: '__Host-sid',         // __Host- prefix enforces Secure + no Domain
  secret: process.env.SESSION_SECRET,
  resave: false,
  saveUninitialized: false,
  cookie: {
    httpOnly: true,           // No JS access
    secure: true,             // HTTPS only
    sameSite: 'lax',          // CSRF protection
    maxAge: 30 * 60 * 1000,   // 30 minutes
    path: '/',                // Required for __Host- prefix
  },
  store: new RedisStore({     // Server-side storage (not in-memory)
    client: redisClient,
    prefix: 'sess:',
    ttl: 1800,                // 30 min TTL in Redis
  }),
}));

Additional session hardening:

• Regenerate session ID after login, privilege escalation, or any sensitive state change to prevent session fixation attacks
• Bind sessions to IP/user-agent as a secondary signal (not a primary control, since legitimate users change networks)
• Implement server-side logout that destroys the session in the backing store, not just clears the cookie
• Track active sessions per user and allow users to view and revoke them ("Active Sessions" in account settings)
• Rate-limit session creation to prevent session flooding attacks against your backing store

Symmetric vs. Asymmetric Encryption

Cryptography divides into two fundamental paradigms. Symmetric encryption uses a single shared secret for both encryption and decryption—fast, efficient, and ideal for bulk data. Asymmetric encryption uses a mathematically linked key pair: a public key anyone can hold and a private key only the owner possesses. Most real-world systems combine both: asymmetric crypto to exchange a symmetric key, then symmetric crypto for the actual data.

Algorithm Reference Table

Fig. 5 — Cryptographic Algorithm Status and Recommendations

Hashing: SHA-256 vs. SHA-3

Cryptographic hash functions produce a fixed-size digest from arbitrary input. They are one-way (irreversible), collision-resistant, and avalanche-sensitive (a single-bit change in input produces a completely different output). Two families dominate modern use:

TLS 1.3 Handshake

Transport Layer Security 1.3 (RFC 8446, 2018) represents a major overhaul of the TLS protocol. It removes insecure legacy algorithms, reduces handshake latency from 2-RTT to 1-RTT, and encrypts more of the handshake itself. TLS 1.3 is now the minimum acceptable version for production systems.

X.509 Certificates & Certificate Chains

TLS relies on X.509 certificates to prove server (and optionally client) identity. Certificates form a chain of trust from the server certificate up to a trusted root Certificate Authority (CA) pre-installed in browsers and operating systems.

Browsers verify the chain by checking each certificate's signature against its issuer's public key, walking up to a trusted root. If any link is invalid, expired, or revoked, the chain fails and the connection is rejected.

Key Management Best Practices

The most secure algorithm in the world is worthless if the keys are mismanaged. Key management is widely considered the hardest problem in applied cryptography—and the most common source of real-world failures.

OpenSSL Quick Reference

Essential OpenSSL commands for generating keys, creating certificate signing requests, and inspecting certificates.

# Generate an Ed25519 private key (modern, recommended)
openssl genpkey -algorithm Ed25519 -out private.pem

# Generate an EC P-256 private key
openssl ecparam -genkey -name prime256v1 -noout -out ec-private.pem

# Generate an RSA-4096 private key
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out rsa-private.pem

# Extract public key from private key
openssl pkey -in private.pem -pubout -out public.pem

# Create a Certificate Signing Request (CSR)
openssl req -new -key private.pem -out request.csr \
  -subj "/CN=api.example.com/O=Example Corp/C=US"

# Self-signed certificate (for development only)
openssl req -x509 -key private.pem -out cert.pem -days 365 \
  -subj "/CN=localhost"

# View certificate details
openssl x509 -in cert.pem -text -noout

# Verify a certificate chain
openssl verify -CAfile ca-bundle.pem -untrusted intermediate.pem server.pem

# Check a remote server's TLS certificate
openssl s_client -connect example.com:443 -servername example.com

# Generate a random 256-bit key (hex encoded)
openssl rand -hex 32

# Compute SHA-256 digest of a file
openssl dgst -sha256 file.bin

Firewall Types

Firewalls are the most fundamental network security control. They filter traffic based on rules, ranging from simple packet-level checks to deep application-layer inspection. Modern networks deploy multiple firewall types at different layers for defense in depth.

Fig. 8 — Firewall Classification and Use Cases

VPN Protocols

Virtual Private Networks create encrypted tunnels between endpoints, protecting data in transit over untrusted networks. Modern VPN design favors simplicity, speed, and minimal attack surface.

Fig. 9 — VPN Protocol Comparison

# /etc/wireguard/wg0.conf
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <server-private-key>

# Enable IP forwarding
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; \
         iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; \
           iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# Client: alice-laptop
PublicKey = <alice-public-key>
AllowedIPs = 10.0.0.2/32
PresharedKey = <optional-psk-for-post-quantum-resistance>

IDS vs. IPS: Detection vs. Prevention

Intrusion Detection Systems (IDS) monitor and alert. Intrusion Prevention Systems (IPS) monitor, alert, and block. Both analyze network traffic against signatures, behavioral baselines, or protocol anomalies.

# Alert on SQL injection attempt in HTTP request
alert http $EXTERNAL_NET any -> $HOME_NET any (
  msg:"ET WEB_SERVER SQL Injection Attempt - SELECT FROM";
  flow:established,to_server;
  http.uri;
  content:"SELECT";  nocase;
  content:"FROM";    nocase;  distance:0;
  pcre:"/SELECT\s+.*\s+FROM\s+/Ui";
  classtype:web-application-attack;
  sid:2100001;  rev:3;
)

DNS Security

DNS is one of the oldest and most exploited internet protocols. Without protection, DNS queries are sent in plaintext, vulnerable to spoofing, cache poisoning, and surveillance. Modern DNS security adds authentication, encryption, and integrity checking.

Fig. 10 — DNS Security Protocols Comparison

Network Segmentation & Microsegmentation

Network segmentation divides a network into isolated zones, limiting the blast radius of a breach. Microsegmentation takes this further by enforcing policies at the individual workload or container level, creating a "zero trust" network fabric.

Zero Trust Networking

Zero Trust Networking applies the ZTA principles from Section 02 specifically to network architecture. The network itself is never a trust boundary. Every packet, every flow, every session must be authenticated, authorized, and encrypted—regardless of whether it originates from inside or outside the corporate perimeter.

Network Security Scanning & Diagnostics

Essential command-line tools for network reconnaissance, packet analysis, and security assessment.

OWASP Top 10 (2021)

The Open Worldwide Application Security Project publishes its Top 10 list of critical web application security risks, updated periodically based on real-world vulnerability data from hundreds of organizations. The 2021 edition—still the current reference as of early 2026—reflects a shift toward access control failures and insecure design patterns. Every development team should know these by heart.

Fig. 11 — OWASP Top 10 Web Application Security Risks (2021)

Deep Dive: A01 — Broken Access Control

Broken Access Control moved from #5 (2017) to #1 (2021) because it was found in 94% of applications tested. It encompasses any flaw where users can act outside their intended permissions—from viewing another user's data to modifying admin settings.

# Attacker changes user_id in URL:
GET /api/users/1001/profile   # own profile
GET /api/users/1002/profile   # another user!
GET /api/users/1/profile      # admin account!

# Server blindly returns whatever ID
# is requested without checking ownership

Deep Dive: A03 — Injection

Injection flaws occur when untrusted input is sent to an interpreter (SQL engine, OS shell, LDAP directory) as part of a command or query. The attacker's data is executed rather than treated as data. SQL injection remains the most prevalent and destructive form.

# DANGEROUS: User input directly
# concatenated into SQL query
username = request.form['username']
password = request.form['password']

query = f"""
  SELECT * FROM users
  WHERE username = '{username}'
  AND password = '{password}'
"""
cursor.execute(query)

# Attacker input:
# username: admin' --
# password: (anything)
#
# Resulting query:
# SELECT * FROM users
# WHERE username = 'admin' --'
# AND password = '...'
#
# The -- comments out the password
# check, granting admin access

# SAFE: Parameterized query
# separates code from data
username = request.form['username']
password = request.form['password']

query = """
  SELECT * FROM users
  WHERE username = %s
  AND password_hash = %s
"""
cursor.execute(query, (
    username,
    hash_password(password)
))

# The database driver treats
# parameters as DATA, never as
# SQL code. Injection is
# structurally impossible.
#
# Also note: comparing
# password_hash, not plaintext
# passwords!

Deep Dive: Cross-Site Scripting (XSS)

XSS attacks inject malicious client-side scripts into web pages viewed by other users. The attacker's JavaScript runs in the victim's browser with full access to the page's DOM, cookies (if not HttpOnly), and the user's authenticated session.

Context-Aware Output Encoding:

The key defense against XSS is encoding output for the specific context where user data is rendered. Different contexts require different encoding strategies:

Fig. 12 — Output Encoding by Context

Secure HTTP Headers

Security headers instruct the browser to enable built-in protections against common attacks. Deploying the right headers is one of the highest-impact, lowest-effort security improvements for any web application.

Fig. 13 — Essential Security Response Headers

# /etc/nginx/conf.d/security-headers.conf
# Include in every server block: include conf.d/security-headers.conf;

# HTTPS enforcement (2 years + subdomains + preload)
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

# Prevent XSS via Content Security Policy
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; object-src 'none'; base-uri 'self'; frame-ancestors 'none'" always;

# Prevent MIME-type sniffing
add_header X-Content-Type-Options "nosniff" always;

# Prevent clickjacking
add_header X-Frame-Options "DENY" always;

# Control referrer information
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

# Disable unused browser features
add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" always;

# Remove server version disclosure
server_tokens off;
more_clear_headers Server;

CSRF Prevention

Cross-Site Request Forgery tricks a user's browser into submitting unintended requests to a site where they're authenticated. The browser automatically attaches cookies, so the target server sees a legitimate-looking request from an authenticated user.

Input Validation Principles

Input validation is the first line of defense but it is not a complete defense. Validation ensures data conforms to expected formats and constraints before processing. It reduces attack surface and catches obvious malformed input, but it cannot replace output encoding, parameterized queries, or other context-specific defenses. Think of validation as the bouncer at the door—necessary, but not a substitute for security cameras inside.

IAM Best Practices

Identity and Access Management is the cornerstone of cloud security. Every cloud breach investigation starts with the same question: who had access, and why? Misconfigured IAM policies are the most common root cause of cloud data breaches, and the most preventable. These five principles form the foundation of a sound IAM posture.

Fig. 14 — IAM Best Practices

Secrets Management

Secrets—API keys, database passwords, TLS certificates, signing keys—are the most sensitive data in any system. Hardcoding them in source code or environment variables is the most common and most dangerous anti-pattern in software engineering. A dedicated secrets management platform provides encryption at rest, access control, audit logging, and automated rotation.

Fig. 15 — Secrets Management Platforms Comparison

# Enable a secrets engine
vault secrets enable -path=secret kv-v2

# Store a secret
vault kv put secret/myapp/database \
    username="app_user" \
    password="$(openssl rand -base64 32)" \
    host="db.internal:5432"

# Retrieve a secret
vault kv get secret/myapp/database

# Retrieve only the password field
vault kv get -field=password secret/myapp/database

# Enable dynamic database credentials
vault secrets enable database
vault write database/config/mydb \
    plugin_name=postgresql-database-plugin \
    connection_url="postgresql://{{username}}:{{password}}@db:5432/mydb" \
    allowed_roles="readonly" \
    username="vault_admin" \
    password="admin_password"

# Create a role that generates short-lived credentials
vault write database/roles/readonly \
    db_name=mydb \
    creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
    default_ttl="1h" \
    max_ttl="24h"

# Get dynamic credentials (auto-expires!)
vault read database/creds/readonly
# Key             Value
# lease_id        database/creds/readonly/abc123
# lease_duration  1h
# username        v-token-readonly-abc123
# password        A1b2-C3d4-E5f6-G7h8

Container Security

Containers introduce a unique security surface. The shared kernel model means a container escape compromises the host. The immutable, layered image model means vulnerabilities can be baked into images and propagated across thousands of deployments. Securing containers requires attention at every stage: build, ship, and run.

Image Scanning Tools:

Fig. 16 — Container Image Scanning Tools Comparison

Rootless Containers:

Kubernetes Security Controls:

# STAGE 1: Build (larger image, build tools)
FROM golang:1.22-alpine AS builder

# Don't run builds as root
RUN adduser -D -g '' appuser
WORKDIR /build

# Cache dependencies separately from source
COPY go.mod go.sum ./
RUN go mod download && go mod verify

# Copy source and build a static binary
COPY . .
RUN CGO_ENABLED=0 GOOS=linux go build \
    -ldflags='-w -s -extldflags "-static"' \
    -o /app ./cmd/server

# STAGE 2: Runtime (minimal image)
FROM scratch

# Import CA certificates for HTTPS calls
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/

# Import the non-root user from build stage
COPY --from=builder /etc/passwd /etc/passwd

# Copy only the compiled binary
COPY --from=builder /app /app

# Run as non-root user
USER appuser

# Expose only the port you need
EXPOSE 8080

# Use exec form (no shell = smaller attack surface)
ENTRYPOINT ["/app"]

# Key security principles:
# 1. Multi-stage build: build tools don't ship to production
# 2. Minimal base: 'scratch' has zero OS packages (no shell, no curl)
# 3. Non-root user: container compromise ≠ root access
# 4. Static binary: no dynamic linking = no shared library attacks
# 5. Pinned versions: 'golang:1.22-alpine' not 'golang:latest'
# 6. Exec form ENTRYPOINT: no shell injection via CMD overrides

Supply Chain Security

Modern software is 80-90% open-source dependencies. An attacker who compromises a single popular library—or the build system that compiles it—can reach millions of downstream targets. Supply chain security ensures the integrity of every component, from source code to deployed artifact.

Fig. 17 — SLSA Framework Levels

Dependency Scanning Tools:

CIS Benchmarks

The Center for Internet Security (CIS) publishes consensus-based configuration benchmarks for operating systems, cloud platforms, databases, and container orchestrators. These are the industry standard for hardening baselines and are referenced by NIST, FedRAMP, PCI-DSS, and HIPAA.

Fig. 18 — Key CIS Benchmarks

Infrastructure as Code Security

Infrastructure as Code (IaC) brings software engineering practices to infrastructure: version control, code review, automated testing. But it also brings software vulnerabilities. A misconfigured Terraform module can provision a publicly accessible S3 bucket or an overly permissive security group in seconds, at scale. IaC security tools catch these misconfigurations before they reach production.

# tfsec: Static analysis for Terraform
# Detects security issues in Terraform code
tfsec .
tfsec --format=json --out=results.json .
tfsec --minimum-severity=HIGH .

# Checkov: Policy-as-code for IaC
# Supports Terraform, CloudFormation, K8s manifests, Dockerfiles
checkov -d .                          # Scan current directory
checkov -f main.tf                    # Scan specific file
checkov --framework terraform --check CKV_AWS_18  # Check specific rule
checkov --skip-check CKV_AWS_999     # Skip a check with justification

# OPA (Open Policy Agent) with Rego
# Write custom policies for any structured data
# Example: deny S3 buckets without encryption
opa eval --input terraform.json \
    --data policies/ \
    'data.terraform.deny'

# Rego policy example (policies/s3.rego):
# package terraform
# deny[msg] {
#     resource := input.resource.aws_s3_bucket[name]
#     not resource.server_side_encryption_configuration
#     msg := sprintf("S3 bucket '%s' lacks encryption", [name])
# }

# Terrascan: Detect compliance violations
terrascan scan -t aws -i terraform
terrascan scan -t k8s -i k8s         # Kubernetes manifests

# KICS (Keeping Infrastructure as Code Secure)
kics scan -p .                        # Scan all supported IaC
kics scan -p . --type Terraform --severity high,critical

SIEM Platforms

Security Information and Event Management (SIEM) platforms aggregate logs from across the enterprise, correlate events, and surface threats that individual log sources would miss. A SIEM is the nervous system of a Security Operations Center (SOC). Choosing the right platform depends on deployment model, team expertise, and budget.

Fig. 19 — SIEM Platform Comparison

Centralized Logging Architecture

A robust logging pipeline separates collection, transport, processing, and storage into distinct stages. This decoupling allows each stage to scale independently and prevents log loss during traffic spikes or downstream outages.

MITRE ATT&CK Framework

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally-accessible knowledge base of adversary behavior based on real-world observations. It provides a common language for describing what attackers do after gaining initial access. Security teams use it to map detection coverage, identify gaps, and prioritize investments.

Fig. 21 — MITRE ATT&CK Enterprise Tactics

Threat Detection Tools

Modern threat detection has evolved beyond signature-based antivirus into a layered ecosystem of endpoint, network, and behavioral analytics platforms. Each tool class addresses a different slice of the attack surface.

Fig. 22 — Threat Detection Platform Categories

Incident Response Phases

NIST SP 800-61 Rev. 2 defines the authoritative framework for computer security incident handling. Every organization must have a tested, documented incident response plan before a breach occurs. The four phases are cyclical—lessons from post-incident activity feed back into improved preparation.

IR Playbook Structure

A playbook is a documented, repeatable procedure for handling a specific incident type (ransomware, phishing, data breach, DDoS). Good playbooks eliminate decision paralysis during a crisis and ensure consistent, auditable response. Every organization needs playbooks for its top 5-10 most likely incident scenarios.

Fig. 24 — IR Playbook Components

Security Monitoring Tools

The essential open-source and freely available tools for security monitoring, auditing, and threat detection on Linux systems. These form the foundation of host-based security monitoring and complement network-level SIEM platforms.

Digital Forensics Basics

Digital forensics is the scientific process of collecting, preserving, analyzing, and presenting digital evidence. Whether investigating a breach, supporting litigation, or conducting an internal review, forensic rigor ensures evidence is admissible and conclusions are defensible.

NIST Cybersecurity Framework 2.0

The NIST Cybersecurity Framework (CSF) is the most widely adopted cybersecurity framework in the world. Version 2.0, released in February 2024, adds Govern as a sixth core function, reflecting the growing recognition that cybersecurity is a board-level governance issue, not just a technical concern. The framework is voluntary but increasingly referenced in regulations and contracts.

Fig. 25 — NIST CSF 2.0 Core Functions

NIST SP 800-53 Rev. 5

NIST SP 800-53 is the comprehensive catalog of security and privacy controls used by federal agencies (required by FISMA) and increasingly adopted by the private sector. Revision 5 includes over 1,000 controls organized into 20 families. It is the foundation for FedRAMP, CMMC, and many state-level cybersecurity requirements.

Fig. 26 — Key NIST SP 800-53 Rev. 5 Control Families

FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies. Any cloud service provider (CSP) selling to the US federal government must achieve FedRAMP authorization.

Fig. 27 — FedRAMP Authorization Levels

Authorization Paths:

FISMA

The Federal Information Security Modernization Act (FISMA, 2014, updating the original 2002 act) requires every federal agency to implement an information security program. FISMA mandates the use of NIST standards (SP 800-53, SP 800-37 Risk Management Framework) and requires continuous monitoring of federal information systems. Agencies must report their cybersecurity posture to OMB and Congress annually.

SOC 2

SOC 2 (System and Organization Controls 2) is an audit framework developed by the AICPA for service organizations. It evaluates controls relevant to security, availability, processing integrity, confidentiality, and privacy. SOC 2 compliance is the de facto standard for SaaS companies and cloud service providers serving enterprise customers.

Fig. 28 — SOC 2 Trust Service Criteria

Type I vs. Type II:

ISO 27001:2022

ISO 27001 is the international standard for Information Security Management Systems (ISMS). It takes a risk-based approach: organizations must identify their information security risks, select appropriate controls, and operate a management system to ensure those controls remain effective. Certification is granted by accredited third-party auditors and typically renewed on a 3-year cycle with annual surveillance audits.

CIS Controls v8

The CIS Critical Security Controls are a prioritized set of 18 actions that organizations should take to defend against the most common cyber attacks. Unlike frameworks that describe what to protect, CIS Controls prescribe how to protect it, in priority order. Implementation Groups (IGs) make the controls accessible to organizations of any size and maturity.

Fig. 29 — CIS Controls v8 Implementation Groups

CMMC 2.0

The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the Department of Defense's framework for ensuring contractors protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). CMMC 2.0 simplified the original 5-level model to 3 levels and aligned controls directly with NIST SP 800-171 and SP 800-172. Enforcement began rolling into DoD contracts in 2025.

Fig. 30 — CMMC 2.0 Maturity Levels

Zero Trust Architecture Standards

Zero Trust is referenced throughout modern compliance frameworks. NIST SP 800-207 defines the architectural model, and Executive Order 14028 (May 2021) mandated federal agencies to adopt Zero Trust principles. The CISA Zero Trust Maturity Model provides a phased adoption roadmap.

Threat Modeling Methodologies

Threat modeling is a structured approach to identifying, quantifying, and addressing security risks in a system. Perform it during design, not after deployment. The right methodology depends on your context — some focus on technical threats, others on privacy, and some decompose attack goals visually.

Security Champions Program

A Security Champion is a developer or engineer who voluntarily acts as a security advocate within their team. They are not full-time security professionals — they are embedded practitioners who bridge the gap between development and security teams, scaling security knowledge across the organization.

DevSecOps — Shift-Left Security

DevSecOps integrates security checks at every stage of the CI/CD pipeline, rather than bolting them on before release. The goal: find vulnerabilities as early as possible, when they are cheapest to fix.

DevSecOps Pipeline Integration

Vulnerability Management Lifecycle

Vulnerability management is a continuous cycle, not a one-time scan. Mature programs combine automated discovery with risk-based prioritization to focus remediation effort where it matters most.

Vulnerability Management Lifecycle

Penetration Testing Types

Penetration testing simulates real-world attacks against your systems to identify exploitable vulnerabilities. The type you choose affects scope, depth, cost, and what you learn.

Security Certifications

Industry certifications validate security knowledge and are often required for security roles. The right certification depends on your career stage and specialization.

Typical Certification Path

Staying Current — Essential Resources

Security evolves daily. These resources help practitioners stay ahead of emerging threats, new vulnerabilities, and evolving best practices.