5 exercises — CVE, XSS, CSRF, GDPR, MFA, SSO, OWASP and the security vocabulary you'll encounter in every code review and audit.
Acronyms covered in this set
CVE / CVSS — vulnerability identifier and severity scoring
XSS / CSRF — two of the most common web attack types
GDPR / PII — European data protection regulation and personal data
MFA / SSO — authentication patterns every team uses
OWASP Top 10 — the standard security risk awareness list
1 / 5
A security engineer files an advisory: "This CVE has a CVSS score of 9.1 — critical. Patch within 24 hours." What do CVE and CVSS stand for?
CVE = Common Vulnerabilities and Exposures. A public catalogue of disclosed security vulnerabilities, each with a unique identifier of the form CVE-YYYY-NNNNN, such as CVE-2021-44228 (the Log4Shell vulnerability). The program is run by MITRE Corporation and sponsored by the US government (CISA); IDs are assigned by MITRE and by CVE Numbering Authorities such as large vendors and open-source projects. Once a reported vulnerability receives a CVE ID, security teams, scanners, and advisories worldwide reference it by that ID. CVSS = Common Vulnerability Scoring System. A standardized framework for rating vulnerability severity on a 0–10 scale. Qualitative bands (CVSS v3.x): 0.0 = None, 0.1–3.9 = Low, 4.0–6.9 = Medium, 7.0–8.9 = High, 9.0–10.0 = Critical. The base score combines exploitability metrics (attack vector, attack complexity, privileges required, user interaction), impact metrics (confidentiality, integrity, availability), and scope (whether the exploit escapes the security boundary of the vulnerable component). Practitioner caveat: the base score measures intrinsic severity, not the likelihood or consequence of exploitation in your environment, so patch priority should also weigh whether an exploit is public or actively used and how exposed the affected system is. In practice: "This CVE is a 9.8 — priority patch immediately." Say: "C-V-E" and "C-V-S-S" (letter by letter).
2 / 5
A developer asks a security reviewer: "Is this input validation enough to prevent XSS and CSRF?" What are XSS and CSRF?
XSS = Cross-Site Scripting. An attack in which attacker-controlled script is injected into a web page and then executes in other users' browsers, with their session and privileges. Example: a comment form that stores user input unescaped; an attacker submits <script>stealCookies()</script> and it runs for every visitor who views the comment (stored XSS; reflected and DOM-based variants also exist). Prevention: encode user-supplied data for the context it is rendered in (HTML entity encoding in the HTML body, attribute encoding inside attributes, and so on), deploy a Content Security Policy (CSP), and mark session cookies HttpOnly so injected script cannot read them. Note on the name: the abbreviation uses an X rather than "CSS" to avoid confusion with Cascading Style Sheets, and the "cross-site" part is historical, since stored and DOM-based XSS need not involve a second site at all. CSRF = Cross-Site Request Forgery. An attack where a malicious website makes a logged-in user's browser send a request to another site. Example: a page on the attacker's site contains a hidden form that auto-submits a bank transfer; because the browser attaches the user's session cookie automatically, the bank processes the request as if the user had made it. Prevention: CSRF tokens (an unguessable secret tied to the session and required on every state-changing request), the SameSite cookie attribute, and checking the Origin (or Referer) header. Caveat for the reviewer's question: input validation alone prevents neither; XSS is stopped by output encoding, and CSRF is about who sent a request, not what it contains. In the OWASP Top 10, XSS falls under Injection (2021); CSRF was listed through 2013 and dropped in 2017 because most web frameworks now defend against it by default. Say: "X-S-S" and "C-S-R-F" (letter by letter), or informally "cross-site scripting" and "csrf" (pronounced "sea-surf").
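The comment-form and bank-transfer scenarios above, as an added example that is not part of the original exercise: the vulnerable rendering beside its encoded form, the cookie attributes that blunt both attacks, and a CSRF gate combining a per-session token with an Origin check. Plain Python functions stand in for request handlers so it runs without a web framework; the session and header dicts, the cookie name `sid`, and the origin `https://bank.example` are assumptions for the demo.

```python
"""Stored-XSS and CSRF defences for the comment-form scenario.

Added example (not from the original page). Plain functions stand in for
request handlers so it runs without a web framework; the session dict,
header dict, cookie name 'sid' and origin https://bank.example are assumed."""
import html
import hmac
import secrets

ALLOWED_ORIGIN = "https://bank.example"  # assumed: the site's own origin


# ---- XSS: the vulnerable rendering beside the hardened one -------------------

def render_comment_vulnerable(author: str, body: str) -> str:
    """Interpolates stored user input straight into HTML: stored XSS."""
    return f"<div class=\"comment\"><b>{author}</b>: {body}</div>"


def render_comment_safe(author: str, body: str) -> str:
    """Entity-encodes every user-controlled value for the HTML-body context.
    html.escape also encodes quotes, so the same output is safe inside a quoted attribute."""
    return f"<div class=\"comment\"><b>{html.escape(author)}</b>: {html.escape(body)}</div>"


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value with the attributes that blunt both attacks:
    HttpOnly keeps page script (including injected script) from reading the cookie,
    SameSite=Lax stops the browser attaching it to cross-site POSTs."""
    return f"sid={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"


# ---- CSRF: per-session token plus Origin check ------------------------------

def issue_csrf_token(session: dict) -> str:
    """Store an unguessable token in the server-side session; embed it in the form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_check(session: dict, headers: dict, form: dict) -> tuple:
    """Gate for state-changing requests: returns (allowed, reason).
    Both checks must pass: the submitted token must match the session token
    (constant-time compare) and the Origin header must be this site. Browsers
    send Origin on cross-origin requests and on POSTs; a missing Origin on a
    state-changing request is treated as untrusted here."""
    expected = session.get("csrf_token", "")
    submitted = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False, "csrf token missing or mismatched"
    origin = headers.get("Origin")
    if origin is None:
        return False, "missing Origin header"
    if origin != ALLOWED_ORIGIN:
        return False, f"cross-site origin {origin}"
    return True, "ok"


if __name__ == "__main__":
    payload = "<script>stealCookies()</script>"  # constructed attacker input
    print(render_comment_vulnerable("mallory", payload))
    print(render_comment_safe("mallory", payload))

    session = {}
    token = issue_csrf_token(session)
    # Legitimate submission from the bank's own page.
    print(csrf_check(session, {"Origin": ALLOWED_ORIGIN}, {"csrf_token": token}))
    # Forged submission from the attacker's page: right cookie, no token, wrong origin.
    print(csrf_check(session, {"Origin": "https://evil.example"}, {}))
```

The forged request fails twice over: the attacker's page cannot read the token out of the victim's session, and the browser labels the request with the attacker's origin. Note that the token check is what the framework CSRF middleware does for you; the Origin check is cheap defence in depth.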
3 / 5
A compliance manager asks: "Does your product meet GDPR requirements? We need a PII handling review before we launch in Europe." What are GDPR and PII?
GDPR = General Data Protection Regulation. A European Union law (in force since 25 May 2018) that governs how organizations collect, store, and process the personal data of people in the EU. Key rights for data subjects: access to their data, erasure ("right to be forgotten"), and portability; organizations must also notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it. Fines: up to €20 million or 4% of global annual turnover, whichever is higher. It applies to any company worldwide that processes the personal data of people in the EU, not only to EU-based companies. PII = Personally Identifiable Information. Any data that can identify an individual, directly or in combination with other data: name, email address, IP address, phone number, national ID number (such as a US SSN), biometrics, location data. PII is the US term; GDPR's own term is "personal data", defined as any information relating to an identified or identifiable person, which explicitly includes online identifiers. Under GDPR (and similar laws such as the CCPA in California), such data requires special handling: a lawful basis for processing (consent is one of several), purpose limitation, data minimization, and appropriate security. In engineering conversations: "Does this service log any PII?" "Are PII fields encrypted at rest?" Say: "G-D-P-R" and "P-I-I" (letter by letter).
4 / 5
A security architect recommends: "Replace password-only login with MFA — and consider replacing passwords entirely with SSO via your identity provider." What are MFA and SSO?
MFA = Multi-Factor Authentication (called 2FA, Two-Factor Authentication, when exactly two factors are used). Requires two or more independent forms of verification: something you know (password or PIN), something you have (a TOTP app such as Google Authenticator, a hardware security key), something you are (biometrics). MFA dramatically reduces account compromise risk even when a password is leaked or phished, because the attacker still lacks the second factor. Common MFA methods, roughly weakest to strongest: SMS codes (susceptible to SIM swapping and interception), push notifications (Duo, Microsoft Authenticator; vulnerable to "MFA fatigue" attacks that spam approval prompts until the user taps Accept), TOTP codes (still phishable in real time by a proxy site that relays the code), and FIDO2/WebAuthn hardware keys (YubiKey), which bind the credential to the site's origin and are therefore phishing-resistant. SSO = Single Sign-On. An arrangement in which users authenticate once with an identity provider (IdP) and then access multiple applications without logging in again; each application trusts an assertion or token issued by the IdP instead of holding its own passwords. Example: log in with Google → access Gmail, Drive, Docs, Meet without separate logins. Enterprise SSO: log in to Okta → access Jira, GitHub, AWS, Salesforce. Built on protocols such as SAML (Security Assertion Markup Language) or OpenID Connect (OIDC), an identity layer on top of OAuth 2.0. Caveat: SSO concentrates risk in the IdP, so the IdP login itself must use strong MFA, and session lifetime and account deprovisioning are enforced there. Say: "M-F-A" or "two-factor", "S-S-O" (letter by letter).
5 / 5
An application security engineer reviews code: "This SQL query concatenates user input directly — it's vulnerable to SQL injection, one of the OWASP Top 10." What is the OWASP Top 10?
OWASP = Open Worldwide Application Security Project (originally Open Web Application Security Project; renamed in 2023). A non-profit foundation that produces free resources for application security, including the Web Security Testing Guide, the Cheat Sheet Series, and the Application Security Verification Standard (ASVS). The OWASP Top 10 is the most referenced document in web security: a list of the ten most critical web application security risks, updated every few years (2013, 2017, 2021). Current Top 10 (2021): (1) Broken Access Control, (2) Cryptographic Failures, (3) Injection (SQL, XSS, command injection), (4) Insecure Design, (5) Security Misconfiguration, (6) Vulnerable and Outdated Components, (7) Identification and Authentication Failures, (8) Software and Data Integrity Failures, (9) Security Logging and Monitoring Failures, (10) Server-Side Request Forgery (SSRF). SQL injection: an attacker supplies input that the database interprets as SQL rather than as data, letting them read, modify, or delete database contents or bypass authentication. Prevention: parameterized queries / prepared statements, which send values separately from the query text; never concatenate user input into SQL. Where a value cannot be a parameter (a table or column name in ORDER BY, for example), allow-list it, and run the application under a least-privilege database account so a successful injection has limited reach. Say it: "OW-asp" (/ˈoʊwæsp/) or "O-W-A-S-P" (letter by letter). Both are common.