Application Security

(OBJ. )

Application Security

• Focuses on building secure applications
• Aims to prevent, detect, and remediate security vulnerabilities

Six Key Areas in Application Security

• Input Validation

  • Ensures that applications process well-defined, secure data
  • Guards against attacks exploiting data input vulnerabilities (e.g., SQL injection, XSS, buffer overflows)
  • Serves as a kind of quality control for data to ensure that every piece of information is valid, secure, and correctly formatted
  • Validation Rules
    • Delineate acceptable and unacceptable inputs
  • Validates data early in the process (front-end validation)
  • Used with additional tools for defense in-depth
    • Secure communication protocols
    • Regular security auditing
    • Implementing proper error handling

• Cookies

  • Small data pieces stored by web browsers
  • Maintain stateful information between the server and client
  • Secure Cookies
    • Secure cookies are transmitted over HTTPS for enhanced security
  • Best practices
    • Refraining from persistent cookies for session verification
    • Enabling the Secure attribute
    • Enabling HttpOnly attribute
    • Configuring the SameSite attribute

• Static Code Analysis (SAST)

  • A method of debugging an application by reviewing and examining its source code before running the program
  • Identifies issues like buffer overflows, SQL injection, and XSS
  • Important for proper input validation in both front-end and back-end code

• Dynamic Code Analysis (DAST)

  • Analyzes applications while they run
  • Common methods of DAST
    • Fuzzing (Fuzz Testing)
      • Inputs random data to provoke crashes or exceptions
      • Helps uncover security flaws and weaknesses
    • Stress Testing
      • Evaluates system stability and reliability under extreme conditions
      • Reveals bottlenecks and assesses system recovery

• Code Signing

  • Confirms the software author's identity and integrity
  • Utilizes digital signatures to verify code authenticity
  • Protects against code tampering but doesn't guarantee absence of vulnerabilities

• Sandboxing

  • Isolates running programs, limiting their access to resources
  • Prevents harmful actions on the host device or network
  • Used to execute untrusted or untested programs securely