5.5 Protecting Applications

Unit 5 — Securing Applications and Data | Topic 5.5

Protecting Applications

Secure by design, secure by default, input sanitization, control characters, and defense against injection attacks.

Lesson 5 of 6 ~30 min LO 5.5.A – 5.5.B Skills: Mitigate Risk
★ AP Exam Focus — Topic 5.5

• Secure by design: three principles — (1) take ownership of customer security outcomes, (2) embrace radical transparency, (3) build organizational leadership for security

• Secure by default: security features enabled out of the box; devices/software secure without user configuration

• Control characters: the characters that applications use to process input — single quote ('), double quote ("), and semicolon (;)

• Input sanitization: removing or rejecting control characters from user input before processing — defends against SQL injection, XSS, and directory traversal simultaneously

• Sanitization vs. validation: validation checks if input meets criteria; sanitization removes/rejects dangerous characters

College Board Essential Knowledge Coverage

Topic 5.5 — What Is Testable

CED Ref Essential Knowledge Covered In
5.5.A.1 Secure by design: initiative encouraging companies to include security in all phases of product development including design; security is a design principle, not just a technical feature Section 2 — Secure by Design
5.5.A.2 Three secure by design principles: (1) take ownership of customer security outcomes, (2) embrace radical transparency and accountability, (3) build organizational structure and leadership focused on security Section 2 — Three Principles
5.5.A.3 Secure by default: security features enabled by default out of the box; software and devices should be secure to use without user configuration Section 2 — Secure by Default
5.5.B.1 Control characters: single quote, double quote, and semicolon. Applications use these to process user input; adversaries exploit them to inject commands. Section 3 — Control Characters
5.5.B.2 Input sanitization: verification function removes/rejects control characters and validates input; protects against SQL injection, XSS, and directory traversal attacks Section 3 — Sanitization
♡ Bellringer — 3 Questions, 5 Minutes

Answer independently. No notes.

  1. A router is sold with all security features disabled by default, requiring users to manually enable the firewall, change the default password, and turn on WPA3. Does this router follow "secure by default" principles? What should the manufacturer do differently?
  2. A developer writes a search function. A user enters: apple' OR '1'='1. The apostrophe in the input is a control character. What attack does this enable, and what should the developer have done to prevent it?
  3. Name the three characters the CED identifies as control characters that applications use to process input. For each, give one example of how an adversary could use it in an attack.

Q1: No. Secure by default means security features must be ENABLED out of the box. The router should ship with: firewall enabled, WPA3 on, and no default password (require setup before use). Users should not need to opt into security.

Q2: SQL injection. The single quote terminates the string in the SQL query; the rest alters query logic. Prevention: sanitize input by removing/rejecting single quotes and other control characters before building the query (or use parameterized queries).

Q3: Single quote ('): terminates SQL string fields, enabling injection. Double quote ("): terminates HTML attribute values, enabling XSS. Semicolon (;): terminates SQL statements, enabling a second injected command (e.g., DROP TABLE).

1 5.5.1 — Learning Objectives

  • Identify the three principles of secure by design and the concept of secure by default (5.5.A)
  • Explain what control characters are and how input sanitization protects applications against SQL injection, XSS, and directory traversal (5.5.B)
  • Distinguish input sanitization from input validation (5.5.B)
Key Terms
Secure by design
An initiative requiring that security be built into all phases of product development, not added after the fact.
Secure by default
Security features are enabled by default; products are safe to use immediately out of the box without user configuration.
Control characters
Characters that applications use to process user input: single quote ('), double quote ("), semicolon (;).
Input sanitization
A verification function that removes or rejects control characters and potentially malicious input before processing.
Input validation
Checking whether user input meets expected criteria (type, format, length) before processing. Related to but distinct from sanitization.

2 5.5.2 — Secure by Design and Secure by Default (5.5.A)

The AP exam includes two related but distinct principles for application security: secure by design addresses how products are built; secure by default addresses how they behave when first deployed.

Secure by Design (5.5.A.1–2)

Secure by design is an initiative that encourages companies to treat security as a foundational design principle — not a feature bolted on after development. It has three specific principles tested on the AP exam:

# Principle What It Means
1 Take ownership of customer security outcomes Companies are responsible for building products that meet their customers' security needs. Security is not the user's problem.
2 Embrace radical transparency and accountability Share security-related product news and updates quickly. Public disclosure of vulnerabilities improves security for everyone.
3 Build organizational structure and leadership for security Companies need leaders who are focused on security and maintain a security-first posture at the executive level.

Secure by Default (5.5.A.3)

Secure by default is a component of secure by design. It means that security features are enabled by default when a product is deployed. Users should not need to configure or enable security — the product should be safe to use immediately out of the box.

Secure by Default Examples
  • A router ships with its firewall enabled and requires the user to set a custom password before first use (no default admin/admin).
  • A web framework automatically escapes user input in database queries, preventing SQL injection by default.
  • An operating system ships with automatic security updates enabled, not requiring the user to turn them on.
  • A phone encrypts its storage by default, not requiring the user to enable encryption manually.
AP Exam Tip

If an exam question describes a product where security features must be manually enabled by the user, that product does NOT follow secure by default. If it asks about whether a company's security responsibility extends to the design phase, that's secure by design. Know which of the three principles applies to each scenario.

3 5.5.3 — Input Sanitization and Control Characters (5.5.B)

Most application attacks in Unit 5 — SQL injection, XSS, and directory traversal — share a common enabler: the application processes user input without checking it for dangerous content. Input sanitization is the defensive measure that addresses all three simultaneously.

Control Characters (5.5.B.1)

Applications use special characters to parse and process user input. These control characters define the structure of queries, HTML attributes, and file paths. When an adversary includes these characters in their input, they can break out of the intended data context and inject commands.

Control Character How Applications Use It How Attackers Exploit It
Single quote ' Terminates string values in SQL queries Breaks out of the string context to inject SQL commands
Double quote " Terminates HTML attribute values Breaks out of an HTML attribute to inject JavaScript (XSS)
Semicolon ; Terminates SQL statements; used in other query languages Ends the first statement and starts a second injected statement

Input Sanitization (5.5.B.2)

When programmers write applications that accept user input, they should include a sanitization function that either:

  • Removes potentially malicious characters from the input before processing, or
  • Rejects the input entirely and returns an error, forcing the user to provide valid input.
What Sanitization Protects Against (5.5.B.2 — CED Exact)
  • SQL injection attacks
  • XSS attacks
  • Directory traversal attacks

By removing or rejecting control characters like ', ", and ;, plus path manipulation characters like ../, sanitization removes the adversary's ability to break out of the intended data context. A sanitized input becomes just data — it cannot be interpreted as a command.

Sanitization vs. Validation — Know the Difference

Validation checks whether input meets expected criteria: is it the right type? The right length? Does it match an expected pattern (e.g., is it a valid email address)?

Sanitization removes or escapes dangerous characters from input that passes validation — or rejects input that contains them.

Both are needed. Validation alone does not remove dangerous characters; sanitization alone may not catch semantically invalid input.

Check for Understanding — Topic 5.5

1. A smart home thermostat ships with all security features disabled. The user must manually log into an admin console and enable the firewall, change the default password, and activate encrypted communications. Which principle does this thermostat FAIL to follow?

2. Which of the following BEST describes the "take ownership of customer security outcomes" principle of secure by design?

3. A developer writes code that checks whether a submitted phone number contains only digits before storing it. An adversary submits a phone number containing a single quote character. The validation function accepts it because it only checks for digit count, not content. What attack might this enable, and what additional defense should the developer add?

4. Which of the following inputs MOST clearly demonstrates an adversary attempting to exploit a control character?

5. According to the CED, input sanitization protects against which of the following attack types? Select the MOST complete answer.

6. A web application receives the following input in a comment field: . A sanitization function removes the < and > angle brackets before storing the comment. Which attack does this sanitization defend against?

7. A company's CISO mandates that all security researchers who discover vulnerabilities in the company's products must be given a 90-day window before they publicly disclose. During that time, the company commits to releasing a patch and notifying affected customers. Which secure by design principle does this policy reflect?

8. Which of the following BEST explains why removing the semicolon character from user input is a useful security control in applications that interact with a database?

9. A developer uses a sanitization function that removes the single quote, double quote, and semicolon from all form submissions before processing. An adversary submits: ../../../etc/passwd. Does the sanitization function prevent this attack?

10. Which of the following CORRECTLY pairs a control character with the attack type it most directly enables?

Score:

⚠ Common AP Exam Mistakes — Topic 5.5

Common Mistake Why It's Wrong Correct Thinking
Confusing secure by default with secure by design Secure by design is the broader initiative (security in all development phases). Secure by default is a specific component of it (security features ON out of the box). Students treat them as identical. Secure by design = the philosophy. Secure by default = one of its specific implementations. A product can follow secure by design principles broadly but still fail secure by default on specific settings.
Thinking sanitization makes validation unnecessary Sanitization removes dangerous characters; validation checks whether input is correct. A sanitized string might still be logically invalid (wrong format, wrong length). Both are needed. Validation checks correctness. Sanitization removes danger. Run both: validate first (reject wrong-type input), then sanitize (remove dangerous characters from what passes validation).
Missing that semicolons are SQL statement terminators Students know the single quote breaks SQL strings but miss that the semicolon ends statements, allowing a second command. The combination '... ; DROP TABLE ...' uses both. Single quote = breaks out of string. Semicolon = ends the first statement and starts a new one. Both are control characters the CED identifies explicitly.
Saying input sanitization only protects against SQL injection 5.5.B.2 explicitly lists three attack types sanitization addresses: SQL injection, XSS, and directory traversal. Students often associate sanitization only with SQL. Sanitization protects against all three injection/traversal attack types by removing the control characters each attack relies on.
Confusing "secure by default" with "no default password" Secure by default covers all security features, not just passwords. Firmware updates, encryption, firewalls, and access controls that are disabled by default all violate secure by default. Secure by default: every security feature ships enabled. Users should not need to "turn on" security. This includes passwords, but also encryption, update settings, firewalls, and any other security control.

6 5.5.6 — Key Terms & FAQ

Frequently Asked Questions

Q: Does input sanitization replace parameterized queries (prepared statements)?
A: The CED focuses on sanitization as the defense. In professional practice, parameterized queries are the gold standard for SQL injection prevention because they never concatenate user input into SQL syntax at all. Sanitization removes dangerous characters; parameterized queries separate data from code entirely. Both achieve protection; the CED tests sanitization.

Q: Is the semicolon a control character in contexts other than SQL?
A: Yes. In many query languages, scripting contexts, and command-line shells, the semicolon separates statements. The CED identifies it as a control character in the context of application input processing.

Q: What is the difference between "removing" and "escaping" a control character?
A: Removing means deleting the character from the input entirely. Escaping means replacing it with a safe representation (e.g., replacing ' with \' so the database treats it as literal data, not syntax). Both are forms of sanitization; the CED uses the term "sanitize" without specifying which technique.

Q: Does secure by design apply to hardware, or just software?
A: The CED applies it to "products" broadly, including hardware devices. A router, a smart thermostat, or an IoT device that ships insecure-by-default violates secure by default. The principle applies to any product with security-relevant features.

📋 Exit Ticket — Topic 5.5 | 5 Questions | Ready for Canvas / Google Classroom

Students submit before leaving.

  1. Name the three principles of secure by design from the CED. For each, write one sentence explaining what it requires companies to do. (AP Skill: Identify Principles)
  2. Explain the difference between secure by design and secure by default, and give one concrete example of a product that violates secure by default. (AP Skill: Distinguish Concepts)
  3. List the three control characters identified in the CED. For each, identify one attack type it enables and explain how input sanitization removes that attack vector. (AP Skill: Explain Mechanisms)
  4. A developer builds a form that accepts a username. A user submits: admin"; DELETE FROM users WHERE "1"="1. Identify the attack type, which control character enables it, and what the developer should do to prevent it. (AP Skill: Identify and Mitigate)
  5. According to 5.5.B.2, input sanitization protects against SQL injection, XSS, and directory traversal. Explain why a single sanitization approach addresses all three of these fundamentally different attack types. (AP Skill: Analyze Controls)

Q1: (1) Take ownership of customer security outcomes: build products that meet customers' security needs. (2) Embrace radical transparency and accountability: share security news and vulnerabilities quickly. (3) Build organizational structure and leadership: have security-focused leaders with a security-first posture.

Q2: Secure by design is the broad initiative requiring security in all development phases. Secure by default is a specific outcome: security features must be enabled out of the box. Example violation: a router that ships with its firewall disabled and a default password of "admin" requires user action to be secure.

Q3: Single quote ('): enables SQL injection (breaks string context in SQL); sanitization removes/rejects it. Double quote ("): enables XSS (breaks HTML attribute context); sanitization removes/rejects it. Semicolon (;): enables second SQL statements; sanitization removes/rejects it.

Q4: SQL injection or XSS (likely SQL injection based on DELETE statement). The double quote (") breaks out of the string context. Prevention: sanitization function that removes/rejects double quotes and semicolons before the input is processed.

Q5: All three attacks exploit the application's failure to distinguish between user-supplied data and command syntax. Control characters are what allow attackers to break out of the "data" context and be interpreted as commands. By removing those control characters, sanitization prevents any of the three attacks — they all require the same class of dangerous characters to work.

Struggling with AP Cybersecurity application security principles?

Tanner Crow — AP CS teacher, 5.0 Wyzant rating, 2,067+ tutoring hours. Book a session and nail the exam.

Book a Session →

Tanner Crow

AP Computer Science Teacher — Blue Valley North High School, Overland Park KS

11+ years teaching AP CS. 5.0 Wyzant rating, 2,067+ tutoring hours, 499+ reviews.

11+ Years Teaching2,067+ Tutoring Hours499+ Five-Star Reviews

Continue Learning

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Email

[email protected]

📚

Courses

AP CSA, CSP, & Cybersecurity

Response Time

Within 24 hours

Prefer email? Reach me directly at [email protected]