Application Protections


Data Exposure

Data exposure is a software vulnerability where an attacker is able to circumvent access controls and retrieve confidential or sensitive data from the file system or database.

  • Applications must transmit data only between authenticated hosts
  • use cryptography to protect the session
    • use industry-standard encryption libraries

Error Handling

Exception handling is an application vulnerability defined by how an application responds to unexpected errors: a poor response can lead to holes in the security of an app.

  • could be caused by:
    • invalid user input
    • a loss of network connectivity
    • another server or process failing
    • etc.

A structured exception handler (SEH) is a mechanism to account for unexpected error conditions that might arise during code execution.

  • Effective error handling reduces the chances that a program could be exploited
  • Each procedure can have multiple exception handlers
  • handlers can deal with:
    • anticipated errors and exceptions
    • and the unexpected
  • use a catchall handler to deal with unexpected exceptions
  • main goal:
    • for the application not to fail in a way that allows the attacker to execute code or perform some sort of injection attack
  • application’s interpreter may default to a standard handler and display default error messages when something goes wrong
    • may reveal platform information and the inner workings of code
    • better to use custom error handlers
      • so that the developer can choose the amount of information shown when an error is caused
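
The handler layout described above, as an added example that is not part of the original notes: specific handlers for anticipated errors, plus a catchall that logs full detail server-side and shows the client only a generic message. The names `get_invoice`, `handle_request`, `ValidationError` and the incident-id scheme are hypothetical, chosen for illustration.

```python
import logging
import uuid

log = logging.getLogger("app.errors")

class ValidationError(Exception):
    """Anticipated error: the caller sent input the handler rejects."""

def get_invoice(params, db):
    """Hypothetical request handler used only for this example."""
    raw = params.get("id", "")
    # isascii() rejects Unicode digits that isdigit() accepts but int() cannot parse.
    if not (raw.isascii() and raw.isdigit()):
        raise ValidationError("id must be a positive integer")
    return db[int(raw)]  # KeyError when the record does not exist

def handle_request(handler, params, db):
    """Run a handler and map every outcome to a (status, body) pair.

    Anticipated exceptions get specific, developer-written messages.
    The final catchall logs the traceback server-side and returns only
    an opaque incident id, so no stack trace, file path or platform
    detail reaches the client.
    """
    try:
        return 200, {"result": handler(params, db)}
    except ValidationError as exc:
        # The message text was written by the developer, so it is safe to show.
        return 400, {"error": str(exc)}
    except KeyError:
        return 404, {"error": "not found"}
    except Exception:
        incident = uuid.uuid4().hex
        # Full detail goes to the log; an analyst correlates it by incident id.
        log.exception("unhandled error incident=%s handler=%s",
                      incident, handler.__name__)
        return 500, {"error": "internal error", "incident": incident}

if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    db = {1: "invoice #1 (constructed sample record)"}
    print(handle_request(get_invoice, {"id": "1"}, db))      # success
    print(handle_request(get_invoice, {"id": "12abc"}, db))  # invalid user input
    print(handle_request(get_invoice, {"id": "7"}, db))      # missing record
    print(handle_request(get_invoice, {"id": "1"}, None))    # backend failure
```

The last call simulates another process failing: the `TypeError` and its traceback appear only in the log, keyed by the incident id returned to the client.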

Info

Technically, an error is a condition that the process cannot recover from.

  • such as the system running out of memory

An exception is a type of error that can be handled by a block of code without the process crashing.

  • Note, however, that exceptions are still described as generating error codes/messages

Memory Management

  • Many arbitrary code attacks depend on the target application having faulty memory management procedures
    • allows the attacker to execute their own code in the space marked out by the target application
  • prevent by:
    • avoid known insecure practices for memory management
    • use checks for processing untrusted input to ensure that it cannot overwrite areas of memory

Client-Side vs. Server-Side Validation

  • web application can be designed to perform code execution and input validation:
    • locally (client-side)
      • main issue
        • the client will always be more vulnerable to some sort of malware interfering with the validation process
      • usually restricted to informing the user that there is some sort of problem with the input before submitting it to the server
    • or remotely (server-side)
      • main issue
        • can be time-consuming
          • may involve multiple transactions between the server and client
  • relying on client-side validation only is poor programming practice

Application Security in the Cloud

  • shared responsibility model in cloud environments
    • CSPs are responsible for securing the infrastructure
    • customers are responsible for securing their data and applications
  • Cloud hardening practices fortify the cloud infrastructure
    • includes least privilege access policies
  • application security ensures that software is designed, developed, and deployed securely
  • Encryption protects data in transit and at rest
  • use regular audits and continuous monitoring practices

Monitoring Capabilities

  • support security analysts tasked with detecting potential threats and malicious activity in software
  • improves the granularity and effectiveness of logging and alerting systems
  • ensure their applications generate logs that capture important events and activities
  • Integrate real-time alerting capabilities