ISF Logs
A flaw is a defect in the design; a bug is a defect in the implementation.
The distinction matters because the two are caught and fixed in very different ways:
Flaw
Bug
Where it lives
Architecture / design decision
Code / implementation detail
How it's found
Design revi...
Q What is the Same-Origin Policy (SOP) and what does an "origin" consist of?
The browser rule that a script loaded from origin A may not read data from origin B. An origin is the triple (scheme, host, port) — all three must match.
Without SOP, evilcom's JavaScript running in one tab could read your bank's cookies, DOM, and HTML5 storage in another tab. SO...
Q What are the three main cookie security attributes, and what does each do?
Secure (HTTPS-only), HttpOnly (no JavaScript access), SameSite (no cross-site sending).
Attribute
What it does
Attack it mitigates
Secure
Cookie is sent only on HTTPS requests
Network sniffing — without it the cookie leaks on any HTTP request, e.g. mistyped URL on Wi-Fi...
Q What are the defining parameters of AES (Advanced Encryption Standard)?
A symmetric block cipher with a 128-bit block size and a 128, 192, or 256-bit key, encrypting in multiple rounds. Longer key → more rounds → higher security.
Variant
Key size
Number of rounds
Brute-force complexity
AES-128
128 bits
10
2¹²⁸ (still infeasible for any foresee...
Q What are the three security properties a cryptographic hash function must satisfy?
Preimage resistance, second-preimage resistance, collision resistance — three increasingly strong properties.
Property
Informal
Formal
Preimage resistance
Given a hash, can't find any message that produces it
Given h, find m such that H(m) = h — should be infeasible
Seco...
Q What does AEAD (Authenticated Encryption with Associated Data) combine, and why is it now the defaul...
AEAD is one cipher operation that provides confidentiality (encryption), integrity (MAC), and authentication of unencrypted associated data — all under a single key, in one pass. AES-GCM and ChaCha20-Poly1305 are the modern defaults.
The two components of AEAD:
Encryption — keep...
Q What is the PDCA cycle, and why is it the heart of every modern management system?
PDCA = Plan → Do → Check → Act. It is the continuous feedback loop that every modern management system uses to drive continuous improvement (kontinuierlicher Verbesserungsprozess, KVP).
* PDCA as a closed feedback loop — Act feeds lessons back into Plan (KVP / continuous improve...
Q What does EN stand for, and which bodies produce European standards?
EN = Europäische Norm. Three sister bodies produce them: CEN (general), CENELEC (electrical engineering), and ETSI (telecoms).
* The EN fan-out: three sister bodies — CEN, CENELEC, ETSI — produce European Norms, which member states then ratify as DIN EN, SN EN, etc. *
The three...
Q What is the ISO, and what kinds of standards does it produce?
ISO = International Organization for Standardization — a Geneva-based association of 167 national standards bodies. It publishes technical, classification, and process standards.
Category
Example
Technical
MP3 audio compression (ISO/IEC 11172)
Classification
Two-letter c...
Q What are the six Functions of the NIST CSF v2.0?
Identify, Protect, Detect, Respond, Recover, and (new in v2.0) Govern.
* CSF v2.0 Functions as a wheel: Govern at the hub tying together Identify, Protect, Detect, Respond, Recover. *
Function
Purpose
Where in the incident lifecycle
Identify
Understand your asset inventor...