AP Cybersecurity Unit 5

Securing Applications and Data

This unit brings together permissions, application behavior, input handling, cryptography, data protection, backups, logs, and privacy-minded security decisions.

Defender Lens

Application and data questions reward precision: which role needs which action, where data moves, what can be changed, what is logged, and how confidentiality, integrity, and availability are protected.

Detailed Study Notes

What to understand before practice

Read these notes slowly, then connect each idea to the topic panels below.

CIA is a practical decision tool

Confidentiality means only authorized people can read data. Integrity means data and actions are accurate and protected from unauthorized change. Availability means systems and data are usable when needed.

Many controls support more than one part of CIA, but AP answers should identify the most direct connection. Encryption primarily protects confidentiality; backups support availability and recovery; access control can protect both confidentiality and integrity.

The same incident can affect multiple goals. Public edit access threatens integrity, but if private data is visible it also threatens confidentiality.

Exam Connection

Before choosing a control, name the primary CIA concern in the scenario. This prevents choosing a recovery control for a confidentiality problem or a secrecy control for an availability problem.

Permissions should reflect roles and data ownership

Applications often fail because access grows over time. A user gets editor access for one project, changes roles, and keeps permissions long after the need is gone.

Role-based access keeps permissions tied to job functions. Owners or approvers should review who can view, edit, share, delete, export, or administer important data.

Public links, inherited folder permissions, stale accounts, and shared accounts are common hidden risks. The safest answer often involves review and least privilege, not simply trusting users.

Exam Connection

If the prompt mentions old users, public sharing, or too many editors, choose permission review, ownership approval, and least privilege.
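
A permission review of the kind described above, as an added example that is not part of the original study guide. The grant list, the `anyone-with-link` principal name, and the 90-day staleness threshold are constructed assumptions.

```python
from datetime import date

STALE_AFTER_DAYS = 90  # assumed review threshold, not from the study guide

# Constructed sample: who can do what on one shared folder.
GRANTS = [
    {"who": "alice", "role": "administrator", "last_used": date(2024, 5, 28), "shared": False},
    {"who": "bob", "role": "editor", "last_used": date(2023, 11, 2), "shared": False},
    {"who": "frontdesk", "role": "editor", "last_used": date(2024, 5, 30), "shared": True},
    {"who": "anyone-with-link", "role": "editor", "last_used": date(2024, 5, 30), "shared": False},
    {"who": "carol", "role": "viewer", "last_used": date(2024, 5, 20), "shared": False},
]

def review(grants, today):
    """Return (who, finding) pairs for an owner to approve, downgrade, or remove."""
    findings = []
    for g in grants:
        idle_days = (today - g["last_used"]).days
        if g["who"] == "anyone-with-link" and g["role"] != "viewer":
            findings.append((g["who"], "public link can change data: restrict to named users"))
        if g["shared"]:
            findings.append((g["who"], "shared account: actions cannot be tied to one person"))
        if idle_days > STALE_AFTER_DAYS:
            findings.append((g["who"], f"unused for {idle_days} days: remove or re-approve"))
    return findings

if __name__ == "__main__":
    for who, finding in review(GRANTS, today=date(2024, 6, 1)):
        print(f"{who}: {finding}")
```

The output is a list for the data owner to act on, which keeps the decision with ownership approval rather than with the script.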

Encryption, hashing, encoding, and compression are different

Encryption protects secrecy by making data unreadable without the key. It can protect data in transit, such as through TLS, and data at rest, such as stored files or databases.

Hashing creates a fixed output used for comparison or integrity checks. A secure password system should not store readable passwords; it should store protected password-derived values and compare during login.

Encoding changes representation, and compression reduces size. Neither should be described as protecting secrets by itself.

Exam Connection

If the goal is secrecy, think encryption. If the goal is verifying a value without revealing the original, think hashing. Do not confuse either with encoding.
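
The difference between encoding, compression, hashing, and password storage, as an added example that is not part of the original study guide. The sample record, the password, and the PBKDF2 iteration count are assumptions; encryption is not shown because Python's standard library has no cipher, and it is the only one of the four that needs a key to reverse.

```python
import base64
import hashlib
import hmac
import os
import zlib

SAMPLE = b"student=1042;score=91;" * 4   # constructed sample record
ITERATIONS = 600_000                     # assumed PBKDF2 work factor

def encode_roundtrip(data):
    """Encoding: new representation, reversed by anyone, no key involved."""
    text = base64.b64encode(data)
    return text, base64.b64decode(text)

def compress_roundtrip(data):
    """Compression: smaller size, reversed by anyone, no key involved."""
    packed = zlib.compress(data)
    return packed, zlib.decompress(packed)

def fingerprint(data):
    """Hashing: fixed-length digest for comparison; it cannot be decoded."""
    return hashlib.sha256(data).hexdigest()

def store_password(password):
    """Keep a random salt and a derived value, never the readable password."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def check_password(attempt, salt, stored):
    """Re-derive from the login attempt and compare in constant time."""
    derived = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, ITERATIONS)
    return hmac.compare_digest(derived, stored)

if __name__ == "__main__":
    print("base64 recovers original:", encode_roundtrip(SAMPLE)[1] == SAMPLE)
    print("zlib recovers original:  ", compress_roundtrip(SAMPLE)[1] == SAMPLE)
    print("digest of sample:        ", fingerprint(SAMPLE))
    print("digest after 1-byte edit:", fingerprint(SAMPLE + b"x"))
    salt, stored = store_password("correct horse battery")
    print("right password accepted: ", check_password("correct horse battery", salt, stored))
    print("wrong password accepted: ", check_password("Correct horse battery", salt, stored))
```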

Applications need secure input, logs, and recovery

Applications can be attacked through weak input handling, broken access control, exposed secrets, unsafe configuration, and missing logs. Secure design checks user input and verifies authorization before sensitive actions.

Logs help answer what happened, who acted, what changed, and when. However, logs can also contain sensitive data, so they need access control and retention rules.

Backups and version history support recovery after deletion, corruption, ransomware, or mistaken changes. A backup is only useful if it can actually be restored.

Exam Connection

For application scenarios, connect the control to the failure: validation for unsafe input, role checks for unauthorized access, logs for investigation, backups for recovery.
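
One request handler that connects each control to its failure, as an added example that is not part of the original study guide. The users, record, role-to-action table, and email pattern are constructed assumptions; the handler checks the role first, validates input second, and writes an audit entry that leaves out the submitted value.

```python
import re
from datetime import datetime, timezone

# Constructed sample state; role names follow the study guide's list.
ROLE_ACTIONS = {"viewer": {"view"}, "editor": {"view", "edit"},
                "administrator": {"view", "edit", "delete"}}
USERS = {"dana": "editor", "eli": "viewer"}
RECORDS = {"17": {"email": "old@example.org"}}
AUDIT_LOG = []
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def audit(who, action, record_id, outcome):
    """Record who acted, on what, when, and the result; never the submitted value."""
    AUDIT_LOG.append({
        "when": datetime.now(timezone.utc).isoformat(),
        "who": who, "action": action,
        "record": record_id if record_id in RECORDS else "unknown",
        "outcome": outcome,
    })

def update_email(user, record_id, new_email):
    """Check authorization first, then validate input, then change data."""
    allowed = ROLE_ACTIONS.get(USERS.get(user), set())
    if "edit" not in allowed:
        outcome = "denied"          # role check stops unauthorized change
    elif record_id not in RECORDS or not EMAIL_RE.fullmatch(new_email):
        outcome = "rejected"        # validation stops unsafe input
    else:
        RECORDS[record_id]["email"] = new_email
        outcome = "ok"
    audit(user, "edit", record_id, outcome)  # denied and rejected attempts are logged too
    return outcome

if __name__ == "__main__":
    print(update_email("eli", "17", "eli@example.org"))
    print(update_email("dana", "17", "not-an-email"))
    print(update_email("dana", "17", "new@example.org"))
    for entry in AUDIT_LOG:
        print(entry)
```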

1. CIA Triad for Applications

Confidentiality limits who can read data. Integrity limits who can change data. Availability keeps systems usable when needed.

Apply It

Match each control to the part of CIA it protects. Access control often protects confidentiality and integrity; backups support availability and recovery.

Avoid This Trap

A control can support more than one goal, but AP answers should name the goal most directly tied to the scenario.

Study Move

For each app scenario, mark the primary CIA concern before selecting a mitigation.

2. Roles, Permissions, and Data Ownership

Users should receive only the permissions needed for their role. Public links, inherited permissions, and old accounts often create hidden exposure.

Apply It

Use role-based access, periodic review, owner approval, and least privilege for shared data.

Avoid This Trap

Administrator access is rarely the best default just because it is convenient.

Study Move

Convert a list of users into viewer, editor, approver, and administrator roles.

3. Cryptography, Hashing, and Data Movement

Encryption protects readable data by making it unreadable without a key. Hashing supports integrity checks and password storage patterns. TLS protects data in transit.

Apply It

Use encryption for sensitive data in transit and at rest when appropriate; use hashing when you need to verify without revealing the original value.

Avoid This Trap

Encoding, compression, hashing, and encryption are not interchangeable.

Study Move

Make flashcards that ask: Is the goal secrecy, integrity check, smaller file size, or readable transfer format?

4. Application Attacks, Logs, and Recovery

Applications can be attacked through weak input handling, broken access control, unsafe configuration, exposed secrets, or missing logs.

Apply It

Prefer input validation, safe query methods, permission checks, logging, backups, and incident response steps that match the evidence.

Avoid This Trap

Do not publish logs that contain sensitive data. Logs help defenders, but they must be protected too.

Study Move

Read a fake app log and write two possible explanations plus the next evidence source to check.

Evidence Drill

Practice the AP Cyber evidence habit

A signup application has public edit access, missing input validation, and no audit log. Recommend three changes and explain which risk each one reduces.

Review Questions

  1. When should data be encrypted in transit?
  2. Why does public edit access threaten integrity?
  3. How can application logs help and also create privacy risk?