Application Security
Overview
Application security protects the application, the data it stores, and the data it sends across networks. A secure deployment needs encryption, input handling, dependency awareness, and authentication controls.
Data at Rest
Data at rest is stored data. It should be protected because unauthorized users may eventually gain access to a database, disk, backup, or cloud storage location.

Encryption makes stolen data harder to read or reuse.

Common practices:
- Encrypt sensitive stored data.
- Store only data that the application actually needs.
- Protect encryption keys outside the same database when possible.
- Patch vulnerable libraries and frameworks.
- Encrypt data on roaming devices and portable systems.
Data in Transit
Data in transit is data moving between clients, services, and servers. It can be exposed by interception or man-in-the-middle attacks.
Use secure protocols:
| Protocol | Purpose |
|---|---|
| SSH | Secure administrative access to servers and network devices. |
| TLS | Secure web and API traffic over HTTPS. |
| VPN | Secure private access for remote users and internal services. |
SQL Injection
SQL injection happens when user input is combined with a SQL statement in a way that lets an attacker change the query.
For more information, please see Injection Attacks page.
Vulnerable pattern:
uid = request.args("uid")
str_sql = "SELECT * FROM Users WHERE UserId = " + uid
Safer pattern:
cursor.execute(
"SELECT * FROM users WHERE username = %(username)s",
{"username": request.args.get("username")}
)
Use these defenses:
- Use parameterized queries or prepared statements.
- Use stored procedures only when they avoid unsafe dynamic SQL.
- Validate allowlisted values for table names, column names, and sort direction.
- Apply least privilege to database accounts.
- Use database views to limit readable fields when needed.
OWASP
OWASP provides application security guidance, tools, and references for common web risks. The OWASP Top Ten is a useful starting point for understanding common application vulnerabilities.
For more information, please see Application Security page.
Important application risks include:
- SQL injection.
- Cross-site scripting.
- Cross-site request forgery.
- Broken access control.
- Vulnerable dependencies.
XSS and CSRF
Cross-site scripting happens when untrusted content is displayed to users as executable browser code. Avoid rendering untrusted content in script tags, HTML comments, tag names, attribute names, or raw CSS.
Cross-site request forgery tricks an authenticated browser into sending an unwanted request to another site. Use anti-CSRF tokens, same-site cookies, and explicit user confirmation for sensitive actions.
Password Storage
Passwords should not be stored in cleartext. Use a slow password hashing function with a unique salt for each password.
For more information, please see Password Attacks page.
Basic concepts:
- Hashing is one-way and should not be reversible.
- A salt makes identical passwords produce different hashes.
- Password reuse makes one breach more damaging.
- MFA reduces risk when a password is guessed, stolen, or reused.
Password Attacks
Common password attacks include:
| Attack | Description |
|---|---|
| Guessing | Tries likely passwords against a known account. |
| Dictionary | Tests words and common variations from prepared lists. |
| Rainbow table | Looks up precomputed hashes to recover weak passwords. |
| Social engineering | Tricks users into revealing credentials or approving access. |
Use account lockout policies, MFA, monitoring, password screening, and user education to reduce password attack risk.