Application Layer¶

Open design issues allow free use of application resources by unintended parties
- Example: API endpoint that allows retrieving user information without authentication / authorization
- Anyone who knows the API URL can access personal data of all users
Backdoors and application design flaws bypass standard security controls
- Example: Platform has hidden URL that was used during development to test payment systems and allows orders to be marked as paid without any transaction
Inadequate security controls force "all-or-nothing" approach, resulting in either excessive or insufficient access
- Example: Platform with regular users and admin users
- No granular permissions to limit access based on necessity or role
Overly complex application security controls tend to be bypassed or poorly understood and implemented
- Example: Complicated role-based access control system that is poorly documented
- Users are given higher privileges than necessary just to ensure they can access the tools they need for their job
Program logic flaws may be accidentally or purposely used to crash programs or cause undesired behaviour
- Example: Chat application only handles message payloads smaller than a certain size
- If a user sends a larger message it might cause a buffer overflow that crashes the server \(\rightarrow\) DoS

Application-level access
- Define and enforce access to application resources
- Controls must be detailed, flexible and straightforward to prevent complexity
Standards, testing, and review of application code and functionality
- Define a baseline (set of metrics) or standards / best practices
- Regularly compare the current implementation of the application to this baseline
Intrusion detection systems (IDS)
- Monitor network or system activities for malicious activities or policy violations
Traffic regulation by application
- Define firewall rules to regulate traffic by application / port