[SC-L] Some Interesting Topics arising from the SANS/CWE Top 25
Florian Weimer
fw at deneb.enyo.de
Wed Jan 14 14:57:45 EST 2009
* Johan Peeters:
> while I am being persuaded that you can use input validation and
> output encoding interchangeably
Interchangeably? Hardly.
> as countermeasures for *some* problems documented here, there is
> another important dimension: enforcement of business rules. In this
> domain, I do not see an alternative to input validation.
What is a business rule? Something like "If the customer has changed
the shipment address from a previous order, we must re-request his or
her credit card details"? How would you implement *that* using input
validation?
More information about the SC-L
mailing list