Application Security Explained — OWASP Top 10, Secure SDLC &

Q: Code Analysis Techniques

SAST : analyzes code without running it — finds issues early (shift left), but can't find runtime issues. Used by developers during coding. DAST : tests the running application — finds runtime issues (authentication, session management) but can't see source code. Used by testers and security teams. IAST (Interactive AST) = hybrid that instruments the running app and analyzes from inside — you may see this as a distractor on the exam.

Quick Reference

OWASP Top 10 = the most critical web app security risks (SQL injection, XSS, broken auth, etc.). SQL injection = attacker inserts SQL commands through user input. XSS = injects malicious scripts into web pages viewed by others. CSRF = tricks an authenticated user into making unwanted requests. Secure SDLC = integrating security at every phase of software development. SAST = static analysis (source code, no execution). DAST = dynamic analysis (running application). Input validation = rejecting unexpected data before it reaches the application.

Why Application Security Matters

Applications are now the most common attack surface in organizations. The network perimeter has shrunk while web applications, APIs, and cloud-native services have exploded in number. According to breach data, the majority of successful attacks target the application layer — not the network. The Security+ exam covers application security across multiple domains, particularly Domain 2 (Threats and Vulnerabilities) and Domain 3 (Security Architecture).

Application security (AppSec) means building and maintaining software in a way that protects it against threats. It encompasses secure development practices, vulnerability testing, code review, and runtime protection. The most important framework for understanding common web application vulnerabilities is the OWASP Top 10.

OWASP Top 10 (2021)

OWASP (Open Worldwide Application Security Project) publishes the Top 10 Web Application Security Risks — a consensus list of the most critical vulnerabilities, updated based on real-world breach data. The current version is from 2021.

A01

Broken Access Control

Users can act outside their intended permissions — e.g., accessing another user's data by changing a URL parameter. Moved to #1 in 2021. Fix: enforce access control server-side on every request.

A02

Cryptographic Failures

Sensitive data exposed due to weak or missing encryption — storing passwords in plaintext, using MD5 for hashing, transmitting data over HTTP. Fix: use TLS everywhere, bcrypt/Argon2 for passwords, AES-256 for data at rest.

A03

Injection (SQL, LDAP, OS Command)

Untrusted data is sent to an interpreter as part of a command or query. SQL injection is the classic example — attacker enters ' OR '1'='1 to bypass login. Fix: parameterized queries/prepared statements, input validation.

A04

Insecure Design

Architectural flaws — missing threat modeling during design, no security requirements. Unlike implementation bugs, insecure design can't be fixed by good coding alone. Fix: threat modeling, security design reviews, security requirements.

A05

Security Misconfiguration

Default credentials, open cloud storage buckets, unnecessary features enabled, verbose error messages exposing stack traces. The most commonly seen in practice. Fix: hardening guides, configuration management, disable defaults.

A06

Vulnerable & Outdated Components

Using libraries, frameworks, or platforms with known vulnerabilities (e.g., Log4Shell). Fix: software composition analysis (SCA), dependency management, patch management program.

A07

Identification & Authentication Failures

Weak passwords allowed, no MFA, session tokens not invalidated on logout, credential stuffing not prevented. Fix: MFA, strong password policies, session management best practices.

A08

Software & Data Integrity Failures

Code and infrastructure updates without integrity verification — e.g., insecure CI/CD pipelines, unsigned software updates. Includes supply chain attacks (SolarWinds-style). Fix: code signing, verify checksums, secure pipelines.

A09

Security Logging & Monitoring Failures

Insufficient logging means attacks go undetected. No alerts on login failures, high-value transactions, or privilege escalations. Fix: centralized logging (SIEM), monitoring, incident response procedures.

A10

Server-Side Request Forgery (SSRF)

Application fetches a remote resource based on user-supplied URL — attacker can make the server request internal resources (cloud metadata, internal APIs). New in 2021. Fix: allowlist permitted destinations, disable HTTP redirections.

SQL Injection Deep Dive

SQL injection (SQLi) is consistently one of the most tested application security topics on Security+. It occurs when an application builds SQL queries by concatenating user input without sanitization, allowing an attacker to inject their own SQL commands.

⚠️ SQL Injection Example

Vulnerable query: SELECT * FROM users WHERE username='input' AND password='input'

Attacker enters: ' OR '1'='1' -- as the username.

Resulting query: SELECT * FROM users WHERE username='' OR '1'='1' --' AND password='x'

The -- comments out the rest, and '1'='1' is always true — the attacker bypasses authentication entirely without knowing any credentials.

Defenses against SQL injection: The primary fix is parameterized queries (also called prepared statements) — the query structure is defined separately from the data, so user input can never be interpreted as SQL commands. Secondary defenses include input validation, stored procedures, and least-privilege database accounts.

Cross-Site Scripting (XSS)

XSS occurs when an application includes unvalidated, unsanitized user input in its web page output, allowing attackers to inject client-side scripts that execute in other users' browsers. There are three types:

XSS Type	How It Works	Persistence
Stored (Persistent)	Malicious script is saved in the database and served to every user who views the affected page — e.g., script in a comment field	Persistent — affects all users until removed
Reflected (Non-persistent)	Malicious script is in the URL — attacker tricks victim into clicking a crafted link; script reflects off the server and runs in victim's browser	One-time per link click
DOM-Based	Vulnerability is in client-side JavaScript — browser modifies DOM based on user-controlled input without sending data to the server	Client-side only; no server interaction

Defenses against XSS: Output encoding (HTML-encode user-supplied data before rendering), Content Security Policy (CSP) headers that restrict which scripts can execute, and input validation. The key insight: it's about encoding output, not just validating input.

Cross-Site Request Forgery (CSRF)

CSRF tricks an authenticated user's browser into making a request to a web application they're already logged into — without their knowledge. If a user is logged into their bank, a malicious page can load an invisible image whose URL is a bank transfer request. The browser automatically includes the session cookie, and the bank executes the transfer.

💡 XSS vs CSRF — Easy Confusion

XSS: Attacker injects scripts that run in the victim's browser — attacker exploits the user's trust in the website.

CSRF: Attacker tricks the victim's browser into making requests — exploits the website's trust in the user's browser.

Primary defense for CSRF: Anti-CSRF tokens (unique, unpredictable tokens included in forms and validated server-side). SameSite cookie attribute also helps significantly.

Secure Software Development Lifecycle (SDLC)

The Secure SDLC integrates security activities into every phase of software development — rather than bolting security on at the end. The Security+ exam tests which activities happen in which phase.

SDLC Phase	Security Activities
Planning / Requirements	Define security requirements; identify regulatory compliance needs; establish security acceptance criteria
Design	Threat modeling (STRIDE, PASTA); security architecture review; define trust boundaries; data flow analysis
Development / Coding	Secure coding standards; code review; static analysis (SAST); developer security training
Testing / QA	Dynamic analysis (DAST); penetration testing; vulnerability scanning; fuzzing; security regression testing
Deployment	Secure configuration; change management; infrastructure hardening; secrets management
Maintenance / Operations	Patch management; continuous monitoring; incident response; security updates for dependencies

Code Analysis Techniques

📋

SAST

Static Application Security Testing

Analyzes source code, bytecode, or binaries without executing the application. Finds vulnerabilities like SQL injection and buffer overflows early in development. Also called "white-box testing." Examples: SonarQube, Checkmarx, Semgrep.

🔄

DAST

Dynamic Application Security Testing

Tests the running application by sending crafted inputs and observing responses. Finds issues that only appear at runtime (authentication flaws, injection). Also called "black-box testing." Examples: OWASP ZAP, Burp Suite.

💉

Fuzzing

Fuzz Testing

Sends random, unexpected, or malformed input to an application to find crashes, exceptions, and memory errors that indicate vulnerabilities. Effective at finding buffer overflows and input validation issues. Can be dumb (random) or smart (mutation-based).

🔍

Code Review

Manual / Peer Review

Human review of source code to find logic flaws, insecure design patterns, and issues automated tools miss. More thorough than automated SAST for complex business logic. Often combined with SAST for best coverage.

💡 SAST vs DAST — Exam Tip

SAST: analyzes code without running it — finds issues early (shift left), but can't find runtime issues. Used by developers during coding.

DAST: tests the running application — finds runtime issues (authentication, session management) but can't see source code. Used by testers and security teams.

IAST (Interactive AST) = hybrid that instruments the running app and analyzes from inside — you may see this as a distractor on the exam.

Input Validation

Input validation is the practice of ensuring that all input received by an application conforms to expected format, type, length, and range before it's processed. It's the foundational defense against injection attacks, buffer overflows, and many other vulnerabilities.

Technique	What It Does	Example
Allowlist (Whitelist)	Only permit known-good values; reject everything else	Phone number field only accepts digits and hyphens — letters rejected
Denylist (Blacklist)	Reject known-bad values; allow everything else	Block `<script>` tags in input — weaker than allowlisting
Type checking	Ensure input matches expected data type	Age field must be an integer; reject strings
Length/range checks	Ensure input within expected bounds	Zip code: exactly 5 digits; reject longer values
Parameterized queries	Separate code from data — data can never be interpreted as SQL	Use `?` placeholders in SQL statements, pass values separately
Output encoding	Encode data before rendering to prevent script injection	Convert `<` to `<` before displaying user content in HTML

Exam Scenarios

A developer wants to identify SQL injection vulnerabilities in the source code before the application is deployed. What type of testing should they use?

SAST (Static Application Security Testing). SAST analyzes source code without executing the application, making it appropriate for finding vulnerabilities during development before deployment. It's the right tool when you have access to source code and want to "shift left" — find vulnerabilities early when they're cheapest to fix. DAST would require the application to be running.

A web application displays user-submitted comments on a public page. An attacker submits a comment containing JavaScript code, and other users who view the page have the script execute in their browsers, stealing their session cookies. What type of attack is this?

Stored (Persistent) XSS. The malicious script was saved to the database and served to every user who viewed the comment — this is stored XSS. The attack steals session cookies to hijack authenticated sessions. The fix is output encoding: HTML-encode the comment content before rendering it in the page, and implement a Content Security Policy (CSP) header.

A security team wants to test their web application by sending random, unexpected inputs including extremely long strings, special characters, and null bytes to find crashes and unexpected behavior. What technique are they using?

Fuzzing (fuzz testing). Fuzzing sends random or semi-random inputs to an application to discover crashes, exceptions, and boundary condition failures that may indicate buffer overflows, format string vulnerabilities, or improper input handling. It's particularly effective at finding memory safety issues that static analysis might miss.

An attacker sends a victim an email with a link. When the victim (who is logged into their bank) clicks the link, the bank automatically transfers $5,000 without the victim's awareness. What attack is this, and what is the primary defense?

CSRF (Cross-Site Request Forgery). The attacker exploited the bank's trust in the victim's authenticated browser session. The primary defense is anti-CSRF tokens — unique, unpredictable values included in each form and validated server-side. Since the attacker's page can't read the token (same-origin policy), the forged request is rejected. The SameSite cookie attribute also mitigates CSRF by preventing cross-site cookie submission.

Application Security — OWASP Top 10, Secure SDLC & Input Validation