Domain 4 · 4.1 Securing Computing Resources

4.1.6 Application Security

Input validation, secure cookies, code signing.

16 min

Application security applies controls and best practices across the software lifecycle to protect data and functional integrity from attack.

Input Validation and Sanitization Validating input is the primary defense against injection, ensuring data matches an expected format before use. - Client-side validation: runs in the browser; improves user experience but is easily bypassed with a proxy, so it is never trusted for security. - Server-side validation: the essential check performed after submission; the only place data can truly be trusted. - Normalization: converting input to its simplest standard form (for example, resolving directory-traversal sequences like ../) before validation. - Sanitization: escaping or removing dangerous characters such as script tags, quotes, and semicolons to block XSS and SQL injection.

Secure Cookie Management Cookies hold session data and must be hardened against hijacking and interception. - Secure flag: sends the cookie only over encrypted HTTPS. - HttpOnly flag: blocks client-side scripts from reading the cookie — a key mitigation against XSS-based session theft. - SameSite attribute: limits whether cookies travel on cross-site requests, defending against Cross-Site Request Forgery (CSRF).

Code Signing and Integrity Code signing proves software has not been altered since publication. - Digital signatures: the developer signs the executable with a private key; users verify it with the developer's public key. - Integrity verification: changing even one bit of the signed code invalidates the signature. - Source authenticity: confirms the real publisher, so users avoid spoofed or trojanized builds.

Balancing Functionality and Security - Inverse relationship: tighter security often reduces convenience or functionality. - Resource constraints: implementations are bounded by time, budget, and hardware. - Secure defaults: ship with the most restrictive settings to minimize the initial attack surface.

Quick recall - Input validation → prevents SQLi, XSS, and buffer overflows. - HttpOnly → blocks JavaScript from reading cookies. - Secure flag → forces cookies over HTTPS only. - SameSite → mitigates CSRF. - Code signing → uses asymmetric cryptography to prove software origin and integrity.