This section explains the language of secure software: common app-security flaws, testing approaches, secrets handling, and secure-development concepts.
Use it when the security issue lives in the application or development process rather than the network alone. It is especially useful for application teams, security engineers, and platform teams building or reviewing software.
- API Security for Applications
API security protects application interfaces from unauthorized access, abuse, and data exposure through controls such as authentication, authorization, validation, and rate limiting.
- Application Input Validation
Input validation checks that untrusted data matches expected structure, type, and limits before the application relies on it.
- Application Output Encoding
Output encoding prepares untrusted data for its exact output context so browsers and renderers treat it as content instead of executable code.
- Application Rate Limiting
Rate limiting restricts how frequently a client can call a function or endpoint, helping reduce guessing, scraping, and other high-volume abuse.
- Application Secrets Management
Secrets management is the practice of securely storing, distributing, rotating, and controlling access to credentials and key material used by applications.
- Application Secrets Scanning
Secrets scanning is the process of searching code, repositories, builds, or logs for exposed credentials and other sensitive secret material.
- Application Secure Coding
Secure coding is the practice of designing and writing software in ways that reduce exploitable flaws before deployment.
- Application Session Management
Session management is how an application creates, maintains, and ends authenticated user sessions safely over time.
- Application Threat Modeling
Threat modeling is a design-time practice for identifying assets, trust boundaries, likely attack paths, and the controls a system needs.
- Broken Access Control Risks
Broken access control is an application-security failure in which a system does not correctly enforce what an authenticated user, service, or tenant should be allowed to access or change.
- Command Injection Attacks
Command injection is an application flaw in which untrusted input reaches operating-system command execution, so the application loses control over what the host actually runs.
- Common Weakness Enumeration
Common Weakness Enumeration is a standardized catalog of software weakness types used to classify recurring design, implementation, and architecture problems in security terms.
- Content Security Policy (CSP)
Content Security Policy is a browser-enforced security mechanism that restricts which content sources a page may load or execute and helps reduce the impact of unsafe script behavior.
- Cross-Site Request Forgery
Cross-site request forgery is a web-application flaw that tricks a user's authenticated browser into sending an unintended request.
- Cross-Site Scripting
Cross-site scripting is a web-application flaw that allows untrusted content to run in a user's browser in the context of a trusted site.
- Dynamic Application Security Testing
Dynamic application security testing evaluates a running application from the outside to identify security weaknesses in behavior and exposed functionality.
- Insecure Direct Object Reference
Insecure direct object reference is an access-control failure in which an application exposes object identifiers without checking whether the requester should be allowed to use them.
- Runtime Application Self-Protection
Runtime application self-protection monitors application behavior from inside the running application and can help detect or block suspicious activity in context.
- Server-Side Request Forgery
Server-side request forgery is a flaw where an application can be tricked into making unintended requests to other systems on behalf of the attacker.
- Session Hijacking Attacks
Session hijacking is the unauthorized takeover or misuse of a valid application session so an attacker can act as an authenticated user without repeating the normal login flow.
- Software Bill of Materials
A software bill of materials is a structured inventory of the components, libraries, packages, and dependencies that make up a software product from a supply-chain perspective.
- Software Composition Analysis
Software composition analysis identifies and evaluates third-party components and dependencies so that known security risks in the software supply chain can be managed.
- SQL Injection Attacks
SQL injection is an application flaw that lets untrusted input interfere with database queries in unintended and dangerous ways.
- Static Application Security Testing
Static application security testing analyzes source code or related artifacts for security weaknesses without executing the application.