Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

5.1.4. Application Security and Sandboxing

💡 First Principle: Applications are the interface between users and data — and the most common entry point for attacks. Application security ensures that software handles input safely, manages privileges appropriately, and doesn't become a conduit for unauthorized access. Every web application is a potential doorway into your network.

Input validation — verifying that user-provided data meets expected format, type, and range before processing. Server-side validation is mandatory; client-side validation is a convenience, not a security control (attackers bypass it trivially by sending requests directly to the server). Parameterized queries prevent SQL injection; output encoding prevents XSS. The principle: never trust user input.

Secure cookies — cookies marked with Secure (HTTPS only), HttpOnly (no JavaScript access), and SameSite (prevents CSRF) flags prevent common web attacks. Session cookies without these flags can be stolen through XSS or intercepted on insecure connections.

Static code analysis (SAST) — examining source code without executing it to find vulnerabilities (SQL injection patterns, buffer overflow potential, hardcoded credentials). Performed during development as part of CI/CD pipelines. Catches coding errors early when they're cheapest to fix.

Dynamic analysis (DAST) — testing running applications by submitting crafted inputs and observing behavior. Finds runtime vulnerabilities that static analysis misses, including authentication flaws and server misconfiguration.

Sandboxing — running untrusted code in an isolated environment where it can't affect the host system. Sandboxes are used for: testing suspicious files, running untrusted applications, browser isolation, and detonating potential malware safely. If the code is malicious, the sandbox contains the damage.

Package monitoring — tracking third-party libraries and dependencies for known vulnerabilities. Software composition analysis (SCA) tools scan dependency manifests against CVE databases. Modern applications include hundreds of third-party packages — a vulnerability in any one can compromise the entire application.

āš ļø Exam Trap: Static analysis examines code without running it (finds coding errors). Dynamic analysis tests running applications (finds runtime behavior issues). They're complementary — neither alone catches everything. If the question asks about testing during development before deployment, static analysis is likely the answer.

Written by Alvin Varughese
Founder • 15 professional certifications