In the middle of this last year we posted a blog called “Why is this so hard?” It was a short piece emphasizing that doing proper input validation is one of the most fundamental things that can be done to cut down on Web application based exploits: one of the fastest growing exploit areas on the Internet.
“The design philosophy has to be:
- Validate input data wherever possible
- Pay as much attention to what’s going into the web application as what’s coming out of it
Input Validation; it’s not sexy. It is not an interesting technological challenge. It is just a simple best practice that makes your web environment much more secure.”
Well, just recently came the announcement of “CWE/SANS TOP 25 Most Dangerous Programming Errors” – see here for more details: http://www.sans.org/top25errors.
Guess what? In their own words “the number one killer of healthy software” is – drum roll please – Improper Input Validation. As we said before and this helps to promote now, assume that all input is malicious. Check it everywhere and every time you either read it or write it.
So what is “it” that we’re checking? Everything! Form data, cookies, anything read over the network, variables set by the server or the application, URL data, email addresses, everything! Check it when you first receive it, check it when you store it, check it when it crosses program boundaries (i.e., from one function to another function), and check it when you read it out of your own data stores.
Many of the problems that attackers are exploiting can be greatly minimized or eliminated by performing thorough input validation all the time. Just do it!
Brad Johnson is Vice President of SystemExperts Corporation and has been a leader of the company since 1995. He has participated in seminal industry initiatives including the Open Software Foundation (OSF), X/Open, the IETF, and has published many articles on open systems, Internet security, security architecture, ethical hacking and web application security.