Protecting Applications
| English | Chinese | Pinyin |
|---|---|---|
| secure by design | 安全设计 | ān quán shè jì |
| secure by default | 默认安全 | mò rèn ān quán |
| input sanitization | 输入清理 | shū rù qīng lǐ |
| control characters | 控制字符 | kòng zhì zì fú |
Secure by design and default
- Secure by design 安全设计 builds security into every phase of development.
- Secure by default 默认安全 ships products with security features already on.
- Devices should be safe straight out of the box.
Input sanitization
- Input sanitization 输入清理 removes or rejects dangerous control characters 控制字符.
- The single quote, double quote, and semicolon can manipulate a system.
- A good program checks input before processing it.
Does input sanitization block this attack?
Sanitization removes dangerous control characters, blocking SQL injection, XSS, and directory traversal.
"Secure by default" means a product ships with...
Secure by default = safe out of the box.
Which single defense blocks SQL injection, XSS, AND directory traversal?
Input sanitization stops all three.
Dangerous characters like the single quote and semicolon are called ____ characters.
Control characters can manipulate a system.
Input sanitization protects against which attacks? (Choose all)
Jamming is a wireless attack, not an input attack.
One defense, many attacks
- Sanitization stops SQL injection attacks.
- It stops XSS attacks.
- It stops directory-traversal attacks too.
"Secure by default" matters because most users never change default settings. If a product ships with security off, most installations stay insecure forever. The safe defaults must be on from the start.
Secure by design builds security in from the earliest phase of development.
Security is a design principle, not an add-on.
A web form runs user input as part of a database query. If the app sanitizes the input — stripping quotes and semicolons — then ' OR '1'='1 is rendered harmless. The same sanitization also blocks XSS <script> tags and ../ traversal in one stroke.
Protect applications with secure by design (security in every phase) and secure by default (features on out of the box). Input sanitization — removing dangerous control characters — is the single defense that blocks SQL injection, XSS, and directory traversal at once.