Chapter 80 Β· Concepts

Application Security β€” Concept Maps

Structured comparisons and breakdowns for input validation, secure cookies, SAST, code signing, sandboxing, and application monitoring.

Input Validation β€” What to Validate, What It Prevents
Input PropertyWhat to EnforceExampleAttack Prevented When Missing
Data typeOnly accept the expected type (numeric, alphanumeric, date)Age field: integers only, no lettersType confusion, unexpected function behavior
Length / sizeMaximum (and sometimes minimum) length enforcedUsername: 3–32 characters maxBuffer overflow β€” oversized input overwriting adjacent memory
Allowed character setRestrict to expected characters; reject or escape othersZIP code: digits only (US); reject semicolons, quotes, dashesSQL injection, XSS, command injection β€” all use special characters
Format / patternMatch expected pattern (regex, date format, email structure)Email: must contain @, valid domain structureFormat string attacks, parser exploits
RangeNumeric values within acceptable min/max rangeAge: 0–130; reject -1 or 999Logic errors, integer overflow conditions
NormalizationDecode and standardize before validationDecode %3C β†’ < before checking for HTML tagsEncoding bypass attacks that slip past naive validators
Secure Cookie Attributes β€” What Each One Does
AttributeWhat It DoesAttack It PreventsExam Focus
Secure Browser only sends cookie over HTTPS; refuses to transmit over HTTP Network interception / session hijacking over unencrypted connections Yes β€” primary exam topic; Secure = HTTPS only
HttpOnly JavaScript cannot read the cookie (document.cookie returns nothing for HttpOnly cookies) XSS-based session theft β€” attacker's injected script cannot steal the session cookie Secondary β€” know it exists and what it blocks
SameSite Restricts when cookie is sent with cross-site requests Cross-Site Request Forgery (CSRF) β€” prevents attacker site from triggering authenticated requests Awareness level
No sensitive data rule Developer policy: never store passwords, PII, or financial data in cookies Data exposure if cookie is captured, logged, or read by third-party scripts Yes β€” cookies are not designed for secure storage
SAST β€” What It Finds vs. What It Misses
CategorySAST Can FindSAST Cannot FindWhy
Memory safety Buffer overflow from unsafe functions (gets, strcpy without bounds check) Runtime memory corruption from complex logic paths Simple patterns visible in code; complex paths require execution
Injection SQL injection from string concatenation in queries; command injection patterns Logic-based injection where attack depends on runtime data Static concatenation visible; runtime data unavailable during analysis
Cryptography Use of deprecated/broken algorithms (MD5, DES, RC4) Incorrect cryptographic implementation (weak keys, IV reuse, padding errors) Algorithm call visible; correctness of implementation is a logic problem
Authentication Hardcoded credentials; plaintext password storage patterns Authentication design flaws (session token predictability, race conditions) Hardcoding is a code pattern; design flaws emerge from system behavior
Business logic Very limited β€” obvious logic errors in simple code Business logic flaws (price manipulation, workflow bypass) Business logic requires understanding of intent, not just code syntax
False positives β€” SAST flags safe code that resembles vulnerable patterns β€” requires human review of all findings Pattern matching lacks context; human judgment required
Code Signing β€” Step-by-Step Process and Trust Chain
StepWho ActsWhat HappensKey Used
1. Certificate issuance Certificate Authority (CA) CA verifies developer's identity and signs developer's public key, creating a code-signing certificate CA's private key (signs the cert)
2. Code signing Developer Developer computes a hash of the application code and encrypts it with their private key, attaching the signature and certificate to the application package Developer's private key
3. Distribution Developer β†’ Users Signed application package is distributed (download site, package manager, enterprise deployment) β€”
4. Signature verification User's operating system OS decrypts the signature using the developer's public key (from the cert), independently hashes the application code, and compares the two hashes Developer's public key
5. Decision OS Hashes match + cert trusted β†’ install proceeds normally. Hashes don't match or cert untrusted β†’ OS displays warning (application modified or from unknown publisher) β€”
Sandboxing Environments β€” Implementations and What Each Isolates
EnvironmentWhat Is SandboxedWhat the Sandbox PreventsExample
Development sandbox Development code and systems Dev changes affecting production; testing code from impacting live users or data Dev/staging/prod environment separation; developer cannot deploy untested code directly to production
Virtual machines Each VM's memory, storage, and processes Compromised VM from accessing other VMs on same host; lateral movement via hypervisor VM escape vulnerabilities are rare precisely because the VM sandbox is strong
Mobile OS (iOS/Android) Each app's data and permissions App from reading another app's data; app from accessing hardware without explicit permission Compromised browser can't read the banking app's stored credentials or the user's photos
Browser iframes Embedded third-party content Iframe content from accessing parent page's data, cookies, or JavaScript variables Ads embedded in a page cannot read the page's session data or user input
Windows UAC Application's privilege level Applications from performing administrative actions without explicit user authorization Malware that infects a standard user process cannot install drivers or modify system files without UAC elevation prompt
Application Security Monitoring β€” Four Capabilities
CapabilityWhat It CapturesPrimary UseExample Signal
Real-time monitoring Current user activity, request volume, access patterns, feature usage Operational visibility; immediate detection of ongoing attacks or outages Dashboard shows 10Γ— normal request volume from one IP β€” possible DoS attempt or scraping
Blocked attack log Attacks that were successfully blocked β€” SQL injection attempts, unauthorized access attempts, WAF blocks Understanding what's being attempted even when defenses hold; identifying persistent attackers; trending new attack patterns 50 SQL injection attempts from a single IP against the login form over 10 minutes
Audit logs Authentication events, admin actions, file accesses, config changes β€” timestamped and attributed Forensic investigation, compliance demonstration, incident response timeline reconstruction Log shows admin account logged in at 03:00 AM and exported the customer database
Anomaly detection Behavior deviating from established baselines β€” unusual access times, volumes, patterns Detecting novel attacks, insider threats, and compromised credentials that don't match known signatures User who normally downloads 5 MB/day suddenly downloads 8 GB in one session at midnight