On Thu, Jan 15, 2009 at 5:25 AM, Brian Chess <<a href="mailto:brian@fortify.com">brian@fortify.com</a>> wrote:<br>> ...<br>><br>> There's a lot to say about input validation. Jacob West and I wrote devoted<br>
> a full chapter to it in Secure Programming with Static Analysis<br>> (<a href="http://www.amazon.com/dp/0321424778">http://www.amazon.com/dp/0321424778</a>), but we found that the material<br>> refused to stay in its cage—input validation got a lot of airtime when we<br>
> talked about the Web, when we talked about privileged programs, and then<br>> again when we got around to the litany of common errors in C/C++ programs.<br><br>True, but do you have a chapter dedicated to output encoding? I don't mind talking about input validation for as long we spend sufficient time discussing output encoding. The problem is that most people don't. Furthermore, a significant problem is that our terminology is incorrect and misleading. I prefer to use the terms data validation and data transformation to replace input validation and output encoding, respectively. Most people will perceive the words input and output as user-centric, ignoring what goes on within software and ignoring the processes that occur without a direct user action. Once you take these misleading words out, you can focus on component boundaries (rather than on the user-software interaction), and start making sure that data is both transformed and validated whenever it crosses component boundaries.<br>
<br>Allow me to quote the first paragraph from the chapter you mentioned:<br><br><div style="margin-left: 40px;"><i>The most important defensive measure developers can take is to thoroughly validate the input their software receives. Input Validation and Representation is Kingdom #1 because unchecked or improperly checked input is the source of some of the worst vulnerabilities around, including buffer overflow, SQL injection, and a whole host of others.<br>
</i></div><br>Now allow me to change the wording slightly:<br><br><div style="margin-left: 40px;"><i>The most important defensive measure developers can take is to <span style="background-color: rgb(255, 255, 204);">carefully handle the data</span> their software <span style="background-color: rgb(255, 255, 204);">processes</span>. <span style="background-color: rgb(255, 255, 204);">Data validation and transformation</span> is Kingdom #1 because <span style="background-color: rgb(255, 255, 204);">improperly checked or improperly transformed data</span> is the source of the some of the worst vulnerabilities around, including buffer overflow, SQL injection, and a whole host of others.<br>
</i></div><br>Similarly, I think the sentence that follows:<br><br><div style="margin-left: 40px;"><i>Ask your local software security guru to name the single most important
thing that developers can do to write secure code, and nine out of ten
will tell you, "Never trust input."</i><br></div><br>Works better as:<br><br><div style="margin-left: 40px;"><i>Ask your local software security guru to name the single most important thing that developers can do to write secure code, and nine out of ten will tell you, "Never trust <span style="background-color: rgb(255, 255, 204);">data</span>."<br>
</i></div><br>Now it's easier to see how "Never trust data" actually translates to "Always validate and transform data".<br><br>-- <br>Ivan Ristic<br><br>