Application Security

Secure coding is the practice of writing software with security treated as a first-class requirement alongside functionality. Rather than hardening code after the fact, secure coding integrates defensive thinking into every function, every input handler, and every data flow. The goal is code that is correct and secure simultaneously, not fast code that is patched later.

The foundation is understanding the trust model of your application. Every piece of data that crosses a trust boundary, arriving from a user, a partner API, a message queue, or a database, must be treated as potentially hostile until validated. The fact that data came from your own database does not make it safe if that database could contain values injected by a previous attacker.

Core principles are not complicated. Validate all input, encode all output for its destination context, use parameterized queries for database access, apply least privilege in all resource requests, fail safely on errors, log security events without logging sensitive values, and never implement cryptographic primitives yourself. These principles address the root causes of the most common vulnerability classes.

The most persistent mistake is assuming a framework handles security automatically. Frameworks prevent many mistakes but cannot protect against every misuse. A developer who uses an ORM incorrectly can still introduce SQL injection. A developer who disables auto-escaping in a templating engine can still introduce XSS. Security requires understanding, not just selecting the right tool.

Input validation is the process of verifying that data supplied from external sources conforms to the expected format, type, length, and range before the application processes or stores it. Allowlist validation (sometimes called whitelist validation) defines exactly what is acceptable and rejects everything else. Denylist validation attempts to reject known-bad patterns. Allowlist validation is almost always stronger, because it is impossible to enumerate every possible attack pattern.

Virtually every injection attack exploits code that processes untrusted input without validation. SQL injection sends database syntax in form fields. Command injection sends shell metacharacters. Path traversal uses sequences like '../' to escape intended directories. Cross-site scripting sends HTML and JavaScript that is later reflected in a page. In every case the root cause is the same. External data was treated as trusted without being checked first.

Server-side validation is mandatory regardless of what client-side validation exists. Client-side validation (JavaScript or HTML input constraints) improves user experience but provides no security guarantee. Any attacker can bypass client-side validation by sending HTTP requests directly to the server using tools like curl or Burp Suite. If validation only happens in the browser, the server is completely unprotected.

Validation must happen at the point of receipt, before data is used in any security-sensitive operation. A common mistake is validating at the UI layer but then passing data through several service layers before it reaches the database, with each layer assuming the previous one validated. If any layer forwards unvalidated data, the protection breaks. Validate as close to the source as possible, and enforce again at the consumption point for high-value operations.

Authentication is the process of verifying that a user, service, or device is who it claims to be. In web applications this typically means verifying a credential (password, token, certificate) against a stored record. Broken authentication is consistently among the top vulnerability classes in web applications because the consequences of failure are severe, an attacker who bypasses authentication can impersonate any user, including administrators.

Strong password-based authentication requires several properties working together. Passwords must be stored using a hashing algorithm designed for password storage (bcrypt, scrypt, or Argon2), not MD5 or unsalted SHA-1. Password reset flows must use time-limited tokens sent to a verified channel, not security questions. Account lockout or rate limiting must prevent brute-force attacks. Plaintext storage, even in internal systems, is never acceptable.

Multi-factor authentication (MFA) dramatically reduces account compromise risk. Even if a password is stolen through phishing, a credential database breach, or password reuse, MFA requires the attacker to also possess a second factor, a TOTP code from an authenticator app, a hardware security key (FIDO2/WebAuthn), or a one-time code sent to a verified phone. Hardware security keys are the strongest option because they are phishing-resistant by design.

A common authentication mistake is implementing a password reset flow weaker than the login flow itself. If an attacker can reset any account's password knowing only the email address, authentication strength is defined by the weakest link. Another common mistake is not invalidating existing sessions after a password change, leaving old tokens active even after the account credential changes. True password reset must invalidate all previously issued sessions.

Authorization is the process of determining whether an authenticated identity is permitted to perform a specific action or access a specific resource. Authentication answers who are you, authorization answers what are you allowed to do. Broken access control is the number one vulnerability class in the OWASP Top 10, meaning authorization failures are more common and more impactful than any other vulnerability class.

Role-Based Access Control (RBAC) assigns permissions to roles and roles to users. Attribute-Based Access Control (ABAC) makes decisions based on attributes of the user, the resource, and the environment (time of day, IP address, data classification level). In either model the critical requirement is that checks happen server-side for every request, not just once at login.

Insecure Direct Object Reference (IDOR) is the most common access control vulnerability. It occurs when an application uses a user-supplied value (a numeric ID, a UUID, a filename) to look up a resource without verifying that the requesting user is authorized to access that specific record. An attacker who notices their account ID appears in a URL can try substituting other IDs and may find the server returns other users' data without any ownership check.

A fundamental mistake in authorization design is confusing obscurity with access control. Hiding an administrative endpoint behind a long, random path is not authorization, if the URL is ever discovered through browser history, error messages, or referrer headers, it provides unrestricted access to anyone who finds it. Every sensitive endpoint must have an explicit authorization check regardless of how difficult it is to discover. Security through obscurity is never a substitute for proper access control.

Session management covers how an application maintains continuity for an authenticated user across multiple HTTP requests. Because HTTP is stateless, applications issue a session token after successful login and the client presents this token with every subsequent request. The security of the entire authenticated session depends on this token, an attacker who obtains a valid token has the same access as the legitimate user without ever knowing the password.

Secure session tokens must be long (at least 128 bits of cryptographic randomness), generated by a cryptographically secure random number generator, and transmitted only over HTTPS. Cookies carrying session tokens should have the HttpOnly flag (preventing JavaScript from reading the cookie value) and the Secure flag (preventing transmission over plain HTTP). The SameSite attribute should be set to Strict or Lax to mitigate cross-site request forgery.

Session fixation is an attack where the attacker tricks the victim into authenticating with a token the attacker already knows. The defense is to always generate a fresh session token immediately after successful authentication, replacing any token that existed before login. Privilege elevation within a session, such as re-authenticating before a sensitive operation, should also trigger a new token.

Not invalidating sessions server-side at logout is a critical and common mistake. If the server simply instructs the client to delete its cookie without invalidating the server-side session record, the token remains valid indefinitely. An attacker who captured the token before logout can continue using it. True logout must invalidate the session on the server so that the token is useless even if an attacker possesses it.

The OWASP Top 10 lists the most critical web application security risks, updated periodically to reflect the current threat landscape. The 2021 edition covers broken access control, cryptographic failures, injection, insecure design, security misconfiguration, vulnerable and outdated components, identification and authentication failures, software and data integrity failures, security logging and monitoring failures, and server-side request forgery (SSRF). Each category shares root causes and similar mitigations.

Cross-Site Scripting (XSS) occurs when an application includes untrusted data in a web page without proper encoding, allowing attackers to inject JavaScript that executes in the victim's browser. Stored XSS (where the malicious script is saved to the database) is especially dangerous because every user who views the affected content is attacked. The defense is context-sensitive output encoding. HTML encoding for HTML content, JavaScript encoding for script contexts, URL encoding for URL parameters.

Server-Side Request Forgery (SSRF) is a vulnerability where an attacker causes the server to make HTTP requests to attacker-controlled destinations. This is dangerous in cloud environments because the instance metadata service (which provides temporary cloud credentials) is accessible only from the instance itself. An attacker who reaches the metadata service via SSRF can steal the instance's cloud credentials and escalate to full cloud account access.

A common conceptual confusion is treating XSS and CSRF as the same attack. XSS attacks the user by injecting malicious content into pages they view. CSRF attacks the server by tricking the user's browser into making unintended requests. XSS defenses focus on output encoding. CSRF defenses focus on verifying request origin using tokens or the SameSite cookie attribute. Understanding the distinction is necessary to apply the correct mitigation for each.

Secrets in application code refers to the antipattern of embedding credentials, API keys, passwords, or cryptographic keys directly in source code, configuration files, or build artifacts that are committed to version control. This is one of the most common and most exploited security mistakes in software development. Credentials embedded in code are discovered through repository scanning, breaches, or accidental publication of repositories.

The git history problem makes this mistake particularly hard to recover from. Even if a developer removes a secret from the latest commit, it remains accessible in git history to anyone with repository access. Tools like 'git log -S' and 'git diff' can recover any string ever committed. The only safe remediation after a secret has been committed is to rotate the secret immediately, because the old value must be assumed compromised.

The correct pattern is to load secrets from the environment at runtime, not from source code. Use environment variables injected by the deployment system, or retrieve secrets from a dedicated vault such as HashiCorp Vault or the cloud provider's secret manager. The application code references a configuration key, the deployment system maps that key to the actual secret value at runtime. No secret value ever appears in any committed file.

Secret scanning tools detect credentials in version control. Tools like Gitleaks, TruffleHog, and GitHub's built-in secret scanning run automatically on commits and alert when patterns matching API keys, connection strings, private keys, or other sensitive values are detected. Running these checks as a pre-commit hook catches secrets before they are committed, running them in CI catches any that slip through. Retroactively scanning the full repository history is also important, not just new commits.

Dependency risk is the security exposure introduced by the third-party libraries, frameworks, and packages an application depends on. Modern applications typically rely on dozens to hundreds of open-source packages, each of which may contain known or unknown vulnerabilities. The application inherits the security posture of every dependency it uses, whether directly declared or pulled in transitively by another package.

The scale of this risk became dramatically visible with the Log4Shell vulnerability (CVE-2021-44228) in December 2021. A single critical vulnerability in the Log4j logging library affected millions of applications worldwide. Attackers were actively exploiting it within hours of disclosure. Teams that maintained accurate dependency inventories identified and patched affected systems in hours, teams without this visibility spent days determining whether they were affected.

Software Composition Analysis (SCA) tools address this risk by continuously scanning the full dependency tree (including transitive dependencies) against vulnerability databases. When a new vulnerability is disclosed, SCA tools can immediately report which applications are affected and at what severity. Integrating SCA into CI pipelines means pull requests that introduce vulnerable dependencies are blocked before they merge.

Keeping dependencies up to date requires a strategy, not ad-hoc manual effort. Automated update tools (Dependabot, Renovate) open pull requests when newer versions are available, keeping the review process manageable. Pinning exact dependency versions using lock files ensures reproducible builds but requires active update management. The most dangerous position is unpinned, unmonitored dependencies that silently drift behind on security patches.