Application Security
Application security is about protecting your back-end and data against attacks and misuse. You identify potential threats, apply defensive techniques (such as input validation, escaping, encryption), and configure your platform securely (for example headers, TLS, secrets management). A secure application doesn't just "work"; it keeps data confidential, maintains integrity, and remains available under normal conditions.
For this product, you describe the most important security risks for your project and how you mitigated them in your code, configuration, and infrastructure.
Security in Back-end Systems
Typical security topics for back-end developers include:
- Input validation & sanitization to prevent injection attacks
- Secure session and token handling
- Protection against common web vulnerabilities (for example OWASP Top 10)
- Secure storage of secrets (environment variables, vaults)
- Transport security (HTTPS/TLS, secure cookies)
- Least privilege in database and service access
In your project you choose the measures that match your risks and document how they are implemented.
Quality indicators
When assessing this product, the following quality indicators will be considered:
- The application security document is self-contained, starting with an introduction/context and then describing the security approach.
- It identifies the main security risks relevant to the application (for example OWASP Top 10 categories).
- It describes which security controls are implemented in the code (input validation, escaping, error handling, rate limiting, etc.).
- It describes which security controls are implemented in configuration and infrastructure (HTTPS, headers, secrets management, database permissions).
- It includes examples of secure coding patterns as used in the project, with references to the code in GitLab.
- It explains how authentication and authorization are integrated into the overall security model (can reference the separate Authentication & Authorization product).
- It describes how security is tested or verified (for example automated security tests, dependency scanning, manual checks).
- It includes a list of sources used to understand and implement security best practices.
Template
To document application security in your own project, you can use the following template:
# Application Security
In this section, describe in a few sentences why security is important for your application and what kind of data and operations you need to protect. This is the main text of your document.
## Threats & Risks
Here you identify the main security risks for your application:
- What kind of attackers or misuse do you expect?
- Which OWASP Top 10 categories are most relevant?
- Which parts of the system are most sensitive (authentication, payments, personal data, etc.)?
## Defensive Measures in Code
Here you describe which security measures you implemented in the code:
- Input validation and sanitization
- Output encoding or escaping
- Error handling and logging (without leaking sensitive information)
- Rate limiting, throttling, or other protections
Add code examples and references to the code in GitLab.
## Defensive Measures in Configuration & Infrastructure
Here you describe security measures outside the code:
- HTTPS/TLS configuration
- Security headers (for example Content-Security-Policy, X-Frame-Options)
- Secure cookies and session settings
- Secrets management (environment variables, vaults, key stores)
- Database or service accounts with least privilege
## Verification & Testing
Here you describe how you verify that your security measures work:
- Automated tests
- Static analysis or dependency scanning
- Manual tests or checklists
## Sources
List here the sources you used to understand and implement application security (for example OWASP, documentation, articles, videos, books).
Also include sources that helped you write the code.