<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
> I'd like to offer a different view for your consideration, which
is that <i><b>input validation and output encoding actually don't have
anything to do with security</b></i>. Those techniques are essential
software building.<br>
<br>
I'm really confused with this statement - and almost feel it's
dangerous. Encoding, especially, is the cornerstone of building secure
web applications. In particular, <u>encoding data within the correct
context of usage</u> is the basis for defending against approximately
2/3 of all classes of web vulnerabilities - XSS and SQLi in particular.
Sure, bad or no encoding is definitely a bug - but it's also impossible
to build a "secure" web application without proper use of encoding. So
to say that "output encoding actually don't have anything to do with
security" seems like a fairly radically incorrect statement. Sure, we
should split up encoding into multiple categories - but I
still think it's the cornerstone to secure programming practices.
Libraries like ESAPI make such tasks very easy, too.<br>
<br>
However, I agree that Validation is overhyped. Input validation is
really relevant to (web) security if you ever accept HTML from a user
(ala validation tools like AntiSamy). You also need to solve malicious
file upload attacks (if you support that feature) with input
validation. Of course there are different considerations for the think
client world when it comes to this topic.<br>
<br>
So, in short:<br>
<br>
Encoding and Validation are software building blocks -> that are
fundamental for (especially web) software to defend against injection
attacks (at least) -> therefore making validation and coding have
something to do with security<br>
<br>
- Jim<br>
<br>
<br>
<blockquote
cite="mid:1f9222b70901141402s22571ab2m4eb18e1c7a3a7a72@mail.gmail.com"
type="cite">
<pre wrap="">blocks. While it is true that omission to use these techniques often
causes security issues, that only means such programs are insecure in
addition to being defective. I think that it's inherently wrong to
associate input validation and output encoding with security. Fix the
defects and the security issues will go away. On the other hand, if
you only fix the security issues you may be left with a number of
defects on your hands.
Input validation layers should focus on accepting only valid data (per
business requirements), while code that transmits data across system
boundaries should focus on using the exchange and communication
protocols correctly.
Actually, now that I think about it more, I think we are struggling
with the term input validation because the term has been overloaded.
In the one sense, we are talking about validating user input, which
mostly needs to concern itself with adhering to business requirements.
This meaning is not very important for security, but the other one,
validating data before something is done with it, is. If you take a
web application for example, you would ideally verify that all user
submitted data adheres to your business requirements.
</pre>
</blockquote>
<br>
</body>
</html>