Reference · Case AI Interview
The compliance vocabulary a legal-tech interviewer expects. Print me; skim me the morning of.
The canonical ranked list of web-app risks (owasp.org/Top10/2025). Know the names + one concrete Case AI example each:
| # | Category | Case AI flavour |
|---|---|---|
| A01 | Broken Access Control | Firm A's lawyer opens /cases/123 belonging to Firm B and it loads. The #1 risk — and in SaaS it usually means a tenant-isolation miss. |
| A02 | Security Misconfiguration | A public S3 bucket of contracts; debug mode on in prod; default admin creds. |
| A03 | Software Supply Chain Failures (new in 2025) | A poisoned npm dependency or compromised CI pipeline ships to prod. |
| A04 | Cryptographic Failures | Documents stored unencrypted; TLS terminated and forgotten mid-path; home-rolled crypto. |
| A05 | Injection | SQL injection via a search box — and the LLM-era twin, prompt injection: hostile instructions hidden inside an uploaded contract. |
| A06 | Insecure Design | No threat model: e.g. designing document sharing with guessable links. |
| A07 | Authentication Failures | No MFA, weak session handling, credential stuffing unthrottled. |
| A08 | Software or Data Integrity Failures | Unsigned updates/artifacts; trusting client-side data for billing or role. |
| A09 | Security Logging & Alerting Failures | Breach happens; nobody can say what was accessed — fatal in legal. |
| A10 | Mishandling of Exceptional Conditions | Errors that fail open (auth check throws → request allowed) or leak stack traces. |
LLM-specific companion list: OWASP Top 10 for LLM Applications — name-dropping prompt injection + insecure output handling is a stand-out move for this role.
SOC 2 is an auditor's attestation — governed by the AICPA — that your organisation's controls meet the Trust Services Criteria: Security (mandatory in every audit) plus optional Availability, Processing Integrity, Confidentiality, Privacy. Type I = controls are designed properly, at a point in time. Type II = controls actually operated over a period (usually 6–12 months) — the one enterprise customers ask for. It is not a government license and not a pentest; it's evidence your everyday engineering is disciplined. "SOC 2 readiness" = building so the evidence exists when the auditor arrives.
| Auditor asks | Engineering answer |
|---|---|
| Who can access production? | Least-privilege IAM roles via SSO; no shared accounts; quarterly access reviews. |
| Who did what, when? | CloudTrail for AWS-level actions; an app-level audit table for business actions ("lawyer X viewed document Y at 14:02"). |
| How do changes reach prod? | PR review + CI/CD; no SSH-and-edit. Infrastructure as code. |
| Is data protected? | KMS encryption at rest, TLS in transit, Secrets Manager, tenant isolation. |
| Would you notice a breach? | CloudWatch alarms + alerting on anomalies (OWASP A09 is exactly this). |
| Log | Answers |
|---|---|
| CloudTrail | "Which identity called which AWS API, from where, when?" — infra-level audit (docs). |
| CloudWatch | "What is the app printing/measuring?" — logs, metrics, alarms. Observability, not audit. |
| App audit table | "Which user did which business action?" — you build this; AWS can't see inside your app. |
| Where | How | One-liner |
|---|---|---|
| At rest | KMS keys encrypting S3 / Aurora / SQS via envelope encryption (data key encrypts data; KMS key encrypts the data key). HSM-backed; even AWS can't extract keys; every key use lands in CloudTrail (docs). | "Tick the KMS box on every store — then govern the key, not the disk." |
| In transit | TLS on every hop: browser → CloudFront → ALB → container, and container → Aurora. | "TLS everywhere, KMS under everything." |
| Per tenant | A KMS key per law firm: cryptographic separation + a kill switch (revoke key ⇒ that firm's data is unreadable, even in backups). | The premium answer for legal data. |
AWS's official taxonomy (SaaS Lens):
| Model | Meaning | Trade-off |
|---|---|---|
| Silo | Dedicated resources per tenant (per-firm database, even per-firm stack) | Strongest isolation story, highest cost/ops burden; regulatory data pushes here. |
| Pool | Shared infrastructure; rows tagged tenant_id, enforced with Postgres row-level security | Cheap, scalable; isolation is only as good as the enforcement — an RLS miss = OWASP A01. |
| Bridge | Mix per service: pool the app data, silo the sensitive parts | What most real SaaS ships. |
Defensible Case AI answer: "Bridge: pooled Aurora with row-level security for app data, per-tenant KMS keys, and per-tenant S3 prefixes locked by IAM conditions — with a silo option for firms that demand it."