Reference · Case AI Interview

Security & SOC 2 cheat sheet

The compliance vocabulary a legal-tech interviewer expects. Print me; skim me the morning of.

OWASP Top 10 — 2025 edition

The canonical ranked list of web-app risks (owasp.org/Top10/2025). Know the names + one concrete Case AI example each:

#CategoryCase AI flavour
A01Broken Access ControlFirm A's lawyer opens /cases/123 belonging to Firm B and it loads. The #1 risk — and in SaaS it usually means a tenant-isolation miss.
A02Security MisconfigurationA public S3 bucket of contracts; debug mode on in prod; default admin creds.
A03Software Supply Chain Failures (new in 2025)A poisoned npm dependency or compromised CI pipeline ships to prod.
A04Cryptographic FailuresDocuments stored unencrypted; TLS terminated and forgotten mid-path; home-rolled crypto.
A05InjectionSQL injection via a search box — and the LLM-era twin, prompt injection: hostile instructions hidden inside an uploaded contract.
A06Insecure DesignNo threat model: e.g. designing document sharing with guessable links.
A07Authentication FailuresNo MFA, weak session handling, credential stuffing unthrottled.
A08Software or Data Integrity FailuresUnsigned updates/artifacts; trusting client-side data for billing or role.
A09Security Logging & Alerting FailuresBreach happens; nobody can say what was accessed — fatal in legal.
A10Mishandling of Exceptional ConditionsErrors that fail open (auth check throws → request allowed) or leak stack traces.

LLM-specific companion list: OWASP Top 10 for LLM Applications — name-dropping prompt injection + insecure output handling is a stand-out move for this role.

SOC 2 in five sentences

SOC 2 is an auditor's attestation — governed by the AICPA — that your organisation's controls meet the Trust Services Criteria: Security (mandatory in every audit) plus optional Availability, Processing Integrity, Confidentiality, Privacy. Type I = controls are designed properly, at a point in time. Type II = controls actually operated over a period (usually 6–12 months) — the one enterprise customers ask for. It is not a government license and not a pentest; it's evidence your everyday engineering is disciplined. "SOC 2 readiness" = building so the evidence exists when the auditor arrives.

What "readiness" means for the engineer

Auditor asksEngineering answer
Who can access production?Least-privilege IAM roles via SSO; no shared accounts; quarterly access reviews.
Who did what, when?CloudTrail for AWS-level actions; an app-level audit table for business actions ("lawyer X viewed document Y at 14:02").
How do changes reach prod?PR review + CI/CD; no SSH-and-edit. Infrastructure as code.
Is data protected?KMS encryption at rest, TLS in transit, Secrets Manager, tenant isolation.
Would you notice a breach?CloudWatch alarms + alerting on anomalies (OWASP A09 is exactly this).

Which log is which

LogAnswers
CloudTrail"Which identity called which AWS API, from where, when?" — infra-level audit (docs).
CloudWatch"What is the app printing/measuring?" — logs, metrics, alarms. Observability, not audit.
App audit table"Which user did which business action?" — you build this; AWS can't see inside your app.

Encryption, compressed

WhereHowOne-liner
At restKMS keys encrypting S3 / Aurora / SQS via envelope encryption (data key encrypts data; KMS key encrypts the data key). HSM-backed; even AWS can't extract keys; every key use lands in CloudTrail (docs)."Tick the KMS box on every store — then govern the key, not the disk."
In transitTLS on every hop: browser → CloudFront → ALB → container, and container → Aurora."TLS everywhere, KMS under everything."
Per tenantA KMS key per law firm: cryptographic separation + a kill switch (revoke key ⇒ that firm's data is unreadable, even in backups).The premium answer for legal data.

Tenant isolation — silo / pool / bridge

AWS's official taxonomy (SaaS Lens):

ModelMeaningTrade-off
SiloDedicated resources per tenant (per-firm database, even per-firm stack)Strongest isolation story, highest cost/ops burden; regulatory data pushes here.
PoolShared infrastructure; rows tagged tenant_id, enforced with Postgres row-level securityCheap, scalable; isolation is only as good as the enforcement — an RLS miss = OWASP A01.
BridgeMix per service: pool the app data, silo the sensitive partsWhat most real SaaS ships.

Defensible Case AI answer: "Bridge: pooled Aurora with row-level security for app data, per-tenant KMS keys, and per-tenant S3 prefixes locked by IAM conditions — with a silo option for firms that demand it."