Security and Privacy
Protecting systems, data, and people — cryptography, authentication, threat modelling, and privacy.
Security and privacy are about who can do what, when, and how we know. The section covers cryptography, authentication and authorization, common attacks, and how to design systems that resist them.
Core
The essentials. Start here.
Authentication
Proving *who* a user is — by something they know (password), have (token, phone), or are (biometric).
core intermediate concept
Authorization
Deciding *what* an authenticated user is allowed to do — the system of permissions, roles, and policies that protects resources.
core intermediate concept
Cryptography
The science of keeping information secret and verifying it has not been tampered with — built from math and careful engineering.
core intermediate concept
Password Hashing
One-way, deliberately slow transformations of a password used so that a database breach doesn't reveal the originals.
core intermediate concept
Public-Key Cryptography
Cryptography using a pair of mathematically linked keys — one you share, one you keep secret. The basis of TLS, signatures, and modern authentication.
core intermediate concept
Important
What you'll meet next.
CSRF
A vulnerability where an attacker tricks the victim's browser into making a state-changing request to a site the victim is logged into.
intermediate concept
OAuth
A standard for delegated authorization — letting an app act on a user's behalf at another service without ever seeing the user's password.
intermediate protocol
SQL Injection
A vulnerability where attacker-controlled input is concatenated into a SQL query, letting them rewrite it to read, modify, or destroy any data the app can access.
intermediate concept
Threat Model
A structured way to think about who might attack a system, what they want, what they can do, and what defences make sense — done before bugs, not after.
intermediate concept
Vulnerability
A flaw in software or its configuration that an attacker can exploit to violate a system's security — plus the lifecycle of finding, disclosing, tracking, and patching it.
intermediate concept
XSS
Cross-Site Scripting — a vulnerability where an attacker injects malicious JavaScript into a page that other users then run as if it came from the site.
intermediate concept
Zero Trust
A security model that trusts no network location by default — every request must be authenticated, authorized, and encrypted, whether it comes from outside the network or inside it.
intermediate concept
Supplemental
Niche, historical, or specialized.
Certificate Authority
A trusted organisation that issues digital certificates binding a public key to an identity — the root of trust that makes HTTPS and code signing trustworthy without pre-distributing keys.
supplemental intermediate concept
JWT
A compact, self-contained token format that encodes claims as a signed JSON object — widely used for stateless authentication and authorisation between services.
supplemental intermediate concept
Multi-Factor Authentication
Requiring two or more independent proofs of identity before granting access — so a stolen password alone cannot compromise an account.
supplemental intermediate concept
Sandbox
A security mechanism that restricts a process to a minimal set of resources and capabilities — so that exploiting a vulnerability in a sandboxed process still cannot compromise the wider system.
supplemental intermediate concept
Elliptic Curve Cryptography
Public-key cryptography using the algebraic structure of elliptic curves — providing the same security as RSA with dramatically shorter keys, making it the default for TLS, SSH, and digital signatures.
supplemental advanced concept
Formal Verification
Using mathematical proof to guarantee that a system or program meets a specification — providing stronger assurance than testing by exhaustively verifying all possible behaviours.
supplemental advanced concept
Homomorphic Encryption
A form of encryption that allows arbitrary computations to be performed on ciphertext — the results, when decrypted, match what you would get if you had computed on the plaintext directly.
supplemental advanced concept
Post-Quantum Cryptography
Cryptographic algorithms designed to resist attacks from quantum computers — replacing RSA and ECC which are broken by Shor's algorithm, using hard problems like Learning With Errors that have no known quantum speedup.
supplemental advanced concept
Side-Channel Attack
An attack that extracts secrets not by breaking an algorithm mathematically but by observing physical or measurable side effects of its execution — timing, cache access patterns, power consumption, or electromagnetic emissions.
supplemental advanced concept