Concepts of Application Security


  • Definition: Confidentiality means that sensitive information should not be readable by unauthorized persons. In part, confidentiality can be achieved through authentication and authorization. In this chapter, we discuss other confidentiality measures you can take to keep private information private.
  • Remediation: SSL + Cryptography, browser settings: disable browser features, directory listing on web-server, cached data + cookies.


  • Definition: Integrity means that it should not be possible to change data during transmission. If data is tampered with, this should be detected.
  • Remediation: SSL + Cryptography.


  • Definition: Authentication means we should ensure that only legitimate persons are able to access the application. During authentication, the identity of a user is established and their credentials are checked.
  • Remediation: Authentication + Access Control, caching authentication tokens, account lockout after retries, hard-coded credentials in code, hard-to-guess and encrypted session IDs, limit the number of sessions, session timeout, no default passwords, secure channels that are kept open, secure administrative interfaces, apply patches, secure DB connections.


  • Definition: Authorization means we should control access to application resources by authenticated users or code.
  • Remediation: Code-access security, role based security, secured DB accounts, secure DB admins to avoid direct data manipulation bypassing the system.


  • Definition: Non-repudiation, in its simplest form, means that proof should be provided about the fact that a certain message has been sent by a certain party.  Non-repudiation of this kind can be obtained by using cryptography: digital signatures assure that a certain message is sent by the owner of a certain private key, and that the message has not been tampered with. 
  • Remediation: SSL + Cryptography
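
The signature property described above, as an added example that is not part of the original page: a signature verifies with the public key alone and fails once the message is altered, whereas a shared-key HMAC only shows integrity because the receiver could have produced the tag too. Ed25519, HMAC-SHA256, the function names and the sample messages are assumptions chosen for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedMessage is what the sender transmits: the payload plus its signature.
type SignedMessage struct{ Payload, Signature []byte }

// NewKeyPair creates an Ed25519 key pair; the private key stays with the sender.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign can only be performed by the holder of the private key.
func Sign(priv ed25519.PrivateKey, payload []byte) SignedMessage {
	return SignedMessage{payload, ed25519.Sign(priv, payload)}
}

// Verify needs only the public key, so a verifier cannot forge a message.
func Verify(pub ed25519.PublicKey, m SignedMessage) bool {
	return ed25519.Verify(pub, m.Payload, m.Signature)
}

// MAC is HMAC-SHA256 under a key that sender and receiver both hold.
func MAC(key, payload []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(payload)
	return h.Sum(nil)
}

func main() {
	pub, priv := NewKeyPair()
	msg := Sign(priv, []byte("pay 100 EUR to account 42")) // constructed sample
	forged := SignedMessage{[]byte("pay 900 EUR to account 42"), msg.Signature}
	fmt.Println("original verifies:", Verify(pub, msg))
	fmt.Println("tampered verifies:", Verify(pub, forged))
	// The receiver holds the shared key too and can mint a valid tag for
	// any payload, so an HMAC proves integrity but not who the sender was.
	shared := []byte("constructed-shared-key")
	receiverTag := MAC(shared, forged.Payload)
	fmt.Println("receiver-made tag accepted:", hmac.Equal(receiverTag, MAC(shared, forged.Payload)))
}
```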


  • Definition: Availability means that we should prevent attacks that try to make the application unavailable for legitimate users of the application.
  • Remediation: Input Validation, HTTP request validation, input length validation, unsupported characters, character set validation.

More details in the following overview slide deck:

