5 exercises — these acronym pairs look similar or belong to the same domain, but mean very different things. Confusing them in a technical interview or architecture review is a serious credibility issue.
Pairs covered in this set
REST vs SOAP — architectural style vs. protocol
TCP vs UDP — reliability vs. speed trade-off
SLO vs SLA vs SLI — target, contract, and metric
XSS vs CSRF — two different web attack vectors
IaaS vs PaaS vs SaaS — cloud service model layers
1 / 5
An interviewer asks: "What is the key architectural difference between REST and SOAP?" Which answer is most accurate?
REST (Representational State Transfer) is an architectural style — a set of constraints, not a protocol. It uses standard HTTP verbs (GET, POST, PUT, DELETE), is stateless, and typically exchanges JSON. SOAP (Simple Object Access Protocol) is a protocol with strict requirements: XML messaging format, a WSDL (Web Services Description Language) contract, and formal error handling. REST is simpler and dominant in modern web APIs. SOAP is legacy but still common in enterprise and financial systems (banking, insurance). Key sound bite: "REST is resource-based and uses HTTP natively; SOAP defines its own messaging layer on top of HTTP (or other transports)." REST ≠ API type: REST describes how the API is structured, not what it does.
2 / 5
A senior engineer explains: "For our live video streaming feature, we chose UDP over TCP. The slight packet loss is acceptable — what matters most is low latency." Which statement correctly explains the difference between TCP and UDP?
TCP (Transmission Control Protocol) establishes a connection, guarantees that all packets arrive, retransmits lost packets, and ensures correct ordering. This reliability comes at a cost: latency from acknowledgements and retransmits. UDP (User Datagram Protocol) sends packets without guaranteeing delivery or order — there are no acknowledgements or retransmits. This makes it faster and more suitable when some data loss is tolerable: live video, VoIP, gaming, DNS lookups. Key distinction: TCP is reliability-first; UDP is speed-first. Neither is "more secure" by design — security is handled by TLS on top of either. Common usage: HTTP/HTTPS runs over TCP; DNS primarily uses UDP; video conferencing (Zoom, WebRTC) uses UDP.
3 / 5
A site reliability engineer does a reliability review. The team needs to distinguish between SLO, SLA, and SLI during the meeting. Which statement correctly describes the relationship between all three?
The three terms form a hierarchy: SLI (Service Level Indicator) = the actual metric you measure (e.g., request success rate, p99 latency, uptime percentage). SLO (Service Level Objective) = your internal target for that metric (e.g., "99.9% of requests succeed within 200ms"). SLOs are set by the engineering team and are the target to operate against. SLA (Service Level Agreement) = the external contract with customers, typically less strict than the SLO to provide a buffer. If the SLA is 99.9%, the SLO might be 99.95% internally. Breaking the SLA has contractual consequences (refunds, penalties); missing the SLO is an internal engineering concern. The system: SLI feeds into SLO → SLO informs SLA. Learn these as a set — they frequently appear together in reliability, DevOps, and cloud architecture discussions.
4 / 5
A security engineer says: "This login form is vulnerable to both XSS and CSRF attacks — both need to be addressed before launch." What is the correct distinction between XSS and CSRF?
Both are OWASP Top 10 web vulnerabilities, but they work differently. XSS (Cross-Site Scripting): an attacker injects malicious JavaScript into a web page. When other users load the page, the script executes in their browser — stealing session tokens, credentials, or personal data. Prevention: output encoding, Content Security Policy (CSP). CSRF (Cross-Site Request Forgery): an attacker creates a malicious page that, when visited by a logged-in user, causes their browser to send an authenticated request to another site — for example, silently transferring money or changing account settings. The attack exploits the browser's automatic cookie handling. Prevention: CSRF tokens, SameSite cookie attribute. Key difference: XSS makes your site attack your users; CSRF makes your users' browsers attack your site (or another site). Both require separate defences.
5 / 5
A cloud architect presents three deployment models: "We're evaluating IaaS, PaaS, and SaaS for different components of the new platform." Which option correctly defines all three?
These three form the classic cloud service model stack, often visualised as layers: IaaS (Infrastructure as a Service) gives you raw compute, storage, and networking — you manage the OS, runtime, application, and data (e.g., AWS EC2, Azure VMs, GCP Compute Engine). PaaS (Platform as a Service) adds a managed layer: the provider handles OS, runtime, scaling, and infrastructure — you manage the application code and data (e.g., Heroku, Google App Engine, AWS Elastic Beanstalk). SaaS (Software as a Service) delivers complete applications — you manage nothing infrastructure-related, only your user data and configuration (e.g., Gmail, Salesforce, GitHub, Slack). A useful memory aid: IaaS = you manage most, PaaS = provider manages the platform, SaaS = provider manages everything. There is also FaaS (Function as a Service / serverless) sitting between PaaS and SaaS.