1. What is application security design, and why is it important?
Answer: Application security design focuses on building security into the architecture before code is written. It helps prevent systemic vulnerabilities that cannot be fixed by tools later, such as broken trust boundaries, weak authentication flows, or insecure data handling. Fixing design flaws early is significantly cheaper and reduces long-term risk compared to relying only on SAST/DAST after development.

2. How do you approach a secure design review?
Answer: I follow a structured approach:
- Understand business goals and data sensitivity
- Review architecture diagrams and data flows
- Identify trust boundaries and entry points
- Perform threat modeling (STRIDE/OWASP)
- Validate authentication, authorization, and data protection
- Recommend design controls and document risks
The goal is risk reduction, not perfection.

3. What is threat modeling, and how do you apply it?
Answer: Threat modeling is a structured method to identify how an attacker could abuse a system. I typically use STRIDE for technical threats and PASTA when business impact is important. I focus on:
- Entry points (UI, APIs, integrations)
- Trust boundaries
- High-impact abuse cases

4. How do you identify trust boundaries in an application?
Answer: A trust boundary exists wherever data or control moves between components with different trust levels, for example:
- Browser → API
- API → Database
- Microservice → Microservice

5. How do you design secure authentication?
Answer:
- OAuth 2.0 with OIDC for modern apps
- SAML for enterprise SSO
Key design principles:
- Centralized identity provider
- Short-lived tokens
- Secure token storage
- MFA for privileged access

6. OAuth2 vs OIDC vs SAML: when do you use each?
Answer:
- OIDC: Modern web/mobile apps (authentication and identity)
- OAuth2: Authorization between services
- SAML: Enterprise legacy SSO

7. How do you prevent broken access control at design time?
Answer:
- Server-side authorization checks
- Centralized authorization logic
- Default-deny policies
- Role/attribute validation per request

8. RBAC vs ABAC: which do you prefer?
Answer: RBAC is simple and works well for stable roles. ABAC scales better for dynamic, data-driven decisions.

9. What are the top API security risks you design for?
Answer:
- Broken Object Level Authorization (BOLA)
- Broken Function Level Authorization (BFLA)
- Excessive data exposure
- Lack of rate limiting
- Injection via APIs
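Questions 3 and 4 describe finding trust boundaries and entry points and then enumerating STRIDE threats per element. The following is an added worked example, not part of the original Q&A: a small data-flow model in Python whose components, trust zones (internet, dmz, internal, data) and sample flows are all constructed for illustration. The STRIDE-per-element mapping is a simplified version of the common practice of assigning threat categories by element type, and the three boundary examples from question 4 (Browser → API, API → service, service → Database) are what the sample model reproduces.

```python
from dataclasses import dataclass

# Constructed trust ordering for this example (higher = more trusted).
TRUST = {"internet": 0, "dmz": 1, "internal": 2, "data": 3}


@dataclass(frozen=True)
class Component:
    name: str
    kind: str   # "external", "process" or "store"
    zone: str   # key into TRUST


@dataclass(frozen=True)
class Flow:
    src: Component
    dst: Component
    data: str   # what crosses the flow; used for the review write-up


# Simplified STRIDE-per-element mapping (assumption: a common heuristic, not the page's own list).
STRIDE_BY_KIND = {
    "external": ["Spoofing", "Repudiation"],
    "process": ["Spoofing", "Tampering", "Repudiation",
                "Information disclosure", "Denial of service", "Elevation of privilege"],
    "store": ["Tampering", "Repudiation", "Information disclosure", "Denial of service"],
}
STRIDE_FOR_BOUNDARY_FLOW = ["Tampering", "Information disclosure", "Denial of service"]


def trust_boundaries(flows):
    """Flows whose source and destination sit in zones of different trust (question 4)."""
    return [f for f in flows if TRUST[f.src.zone] != TRUST[f.dst.zone]]


def entry_points(flows):
    """Components that directly receive data from the internet zone (question 3)."""
    return sorted({f.dst.name for f in flows if f.src.zone == "internet"})


def stride_threats(components, flows):
    """Enumerate (element, STRIDE category) pairs.

    Every component gets the categories for its kind; a flow only gets threats
    when it crosses a trust boundary, which keeps same-zone chatter out of the list.
    """
    threats = [(c.name, t) for c in components for t in STRIDE_BY_KIND[c.kind]]
    for f in trust_boundaries(flows):
        threats.extend((f"{f.src.name}->{f.dst.name}", t) for t in STRIDE_FOR_BOUNDARY_FLOW)
    return threats


# Constructed sample model matching the three boundary examples in question 4.
browser = Component("Browser", "external", "internet")
api = Component("API", "process", "dmz")
orders = Component("OrderService", "process", "internal")
billing = Component("BillingService", "process", "internal")
db = Component("Database", "store", "data")

COMPONENTS = [browser, api, orders, billing, db]
FLOWS = [
    Flow(browser, api, "credentials, order requests"),
    Flow(api, orders, "authenticated order request"),
    Flow(orders, billing, "charge request"),      # same zone: not a boundary
    Flow(orders, db, "order rows"),
]

if __name__ == "__main__":
    for f in trust_boundaries(FLOWS):
        print(f"boundary: {f.src.name} -> {f.dst.name} ({f.data})")
    print("entry points:", entry_points(FLOWS))
    for element, threat in stride_threats(COMPONENTS, FLOWS):
        print(f"{element:30s} {threat}")
```

The output is a starting list for the review, not a finished threat model: each (element, category) pair still needs an abuse case written against it and a control or an accepted risk recorded, which is the "recommend design controls and document risks" step from question 2.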
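Questions 7, 8 and 9 all come down to one design decision: a single server-side, default-deny authorization choke point that checks the caller's roles (RBAC) and attributes (ABAC) against the specific object being requested. The following is an added example written for this page, not code from the original; the policy table, the principals, the orders and the `order:*` action names are all constructed. It shows how the same `authorize` call stops a BOLA (customer reading another customer's order) and a BFLA (customer calling an admin-only delete), and how an unknown action falls through to deny.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset
    department: str = ""


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: str
    department: str


# ABAC conditions: a subject attribute must match a resource attribute.
def is_owner(p: Principal, o: Order) -> bool:
    return p.user_id == o.owner_id


def same_department(p: Principal, o: Order) -> bool:
    return p.department == o.department


# RBAC + ABAC policy (constructed for this example). Each action lists (role, condition)
# pairs; a request is granted only if some pair matches. Actions not listed are denied.
Condition = Optional[Callable[[Principal, Order], bool]]
POLICY: dict = {
    "order:read":   [("customer", is_owner), ("support", same_department), ("admin", None)],
    "order:cancel": [("customer", is_owner), ("admin", None)],
    "order:delete": [("admin", None)],
}


def authorize(principal: Principal, action: str, resource: Order) -> bool:
    """Centralized, default-deny decision evaluated on every request (question 7)."""
    for role, cond in POLICY.get(action, []):   # unknown action -> empty rules -> deny
        if role not in principal.roles:
            continue
        if cond is None or cond(principal, resource):
            return True
    return False


# Constructed data store standing in for the database.
ORDERS = {
    1: Order(1, owner_id="alice", department="emea"),
    2: Order(2, owner_id="bob", department="apac"),
}


def get_order(principal: Principal, order_id: int) -> Optional[Order]:
    """Handler pattern that prevents BOLA: load the object, then authorize against *that* object.

    Missing and forbidden objects get the same response so the API does not leak
    which order ids exist (ties in with 'excessive data exposure' in question 9).
    """
    order = ORDERS.get(order_id)
    if order is None or not authorize(principal, "order:read", order):
        return None
    return order


def delete_order(principal: Principal, order_id: int) -> bool:
    """Admin-only function: the same choke point enforces function-level access (BFLA)."""
    order = ORDERS.get(order_id)
    if order is None or not authorize(principal, "order:delete", order):
        return False
    del ORDERS[order_id]
    return True


if __name__ == "__main__":
    alice = Principal("alice", frozenset({"customer"}))
    print(get_order(alice, 1))   # alice's own order
    print(get_order(alice, 2))   # None: BOLA blocked
    print(delete_order(alice, 1))  # False: BFLA blocked
```

The design point is that handlers never contain their own `if role == ...` logic; they ask `authorize` and pass the loaded object, so a new endpoint cannot accidentally skip the object-level check, and adding an ABAC condition (here `same_department`) does not require touching any handler.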
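Question 5 lists short-lived tokens as a key authentication design principle. The following is an added example, not from the original page, showing why the principle is cheap to enforce when the resource server verifies tokens itself: a minimal HMAC-signed token with `iat`/`exp` claims, a verifier that checks the signature before it trusts any claim and rejects expired tokens, and a clock parameter so expiry can be exercised deterministically. The key, subject, scopes and TTL are constructed for the example; in a real design the identity provider mints the tokens and the key is managed outside the application.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example key. In practice the IdP holds the signing key and rotates it.
SECRET = b"example-only-signing-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(body: str) -> str:
    return _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())


def mint_token(subject: str, scopes: list, ttl_seconds: int, now: int = None) -> str:
    """Issue 'body.signature' with issued-at and expiry claims; ttl is what makes it short-lived."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "scope": scopes, "iat": now, "exp": now + ttl_seconds}
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    return f"{body}.{_sign(body)}"


def verify_token(token: str, now: int = None) -> dict:
    """Return the claims, or raise ValueError. Signature is checked before any claim is read."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed")
    body, sig = parts
    if not hmac.compare_digest(_sign(body), sig):   # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:
        raise ValueError("expired")
    return claims


def token_status(token: str, now: int = None) -> str:
    """Convenience wrapper: 'ok' or the rejection reason."""
    try:
        verify_token(token, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    t = mint_token("alice", ["orders:read"], ttl_seconds=300, now=1000)
    print(token_status(t, now=1100))   # within TTL
    print(token_status(t, now=1300))   # TTL elapsed
```

A five-minute TTL means a leaked token is useful only briefly; the trade-off is that clients need a refresh flow, which is why the principle is paired on the page with secure token storage and a centralized identity provider rather than stated alone.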