Sunday, April 26, 2009

Input validation

...is the key to application security. Think about it: if developers validated all input (good, bad, and the merely unusual), would-be hackers and crackers would simply move on to easier prey, or your defense-in-depth countermeasures would alert you to the attempt before it did any damage. That alone would take roughly 75% of the attacks targeted at web applications off the table. It's that simple. Get developers to write self-defending code, with input validation at its core, so that security is built into the SDLC rather than bolted on afterwards; then layer on the rest: IPS, (web) application firewalls, and a multi-tiered architecture.

Stopping a web application from accepting malformed data shuts down the most prevalent attack vectors behind today's breaches. By constraining, rejecting, and sanitizing input, a business application accepts only known-good values and denies anything unknown or unforeseen, malicious or not. Client-side validation is a useful extra layer for usability and for catching honest mistakes early, but it runs under the attacker's control and is trivially bypassed, so every check must be repeated on the server. Done that way, you can expect a significant reduction in the well-known classes of exploit: XSS, SQL injection, buffer overflows, DoS, XML injection, and directory traversal. Validation is the first line of defense, not the only one: pair it with output encoding against XSS and parameterized queries against SQL injection, because a perfectly valid value (an apostrophe in a surname, say) can still break an unescaped query.
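Here is what "accept known good, reject everything else" looks like in practice. This is an added example, not code from the original post: it allowlists three fields of an imaginary upload form (the field names, limits and sample values are my assumptions), rejects unexpected fields instead of ignoring them, refuses path separators and traversal in a filename, and then, as the second layer the paragraph calls for, binds even the validated username into SQL as a parameter rather than formatting it into the query.

```python
"""Allowlist input validation: accept known-good shapes, reject the rest.

Added example. Field names, size limits, the upload directory and the
sample inputs are all assumptions made for illustration.
"""
import re
import sqlite3
from pathlib import PurePosixPath

# Known-good shapes. re.fullmatch anchors both ends; a bare '$' would let
# a trailing newline through, which is exactly the kind of edge we want gone.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")
FILENAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")  # no '/', '\\', leading '.'
DIGITS_RE = re.compile(r"[0-9]{1,6}")

UPLOAD_DIR = "/srv/uploads"  # assumed


class ValidationError(ValueError):
    """Raised for any input that is not provably known-good."""


def validate_username(value):
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValidationError("username: expected 3-32 chars of [A-Za-z0-9_]")
    return value


def validate_int(value, lo, hi, name):
    # Shape first (ASCII digits only, no sign, no whitespace), then range,
    # so an oversized number never reaches a fixed-width column downstream.
    if not isinstance(value, str) or not DIGITS_RE.fullmatch(value):
        raise ValidationError(f"{name}: expected 1-6 ASCII digits")
    n = int(value)
    if not lo <= n <= hi:
        raise ValidationError(f"{name}: out of range {lo}-{hi}")
    return n


def safe_join(base, filename):
    """Join base/filename only if filename is a single plain path component."""
    if not isinstance(filename, str) or not FILENAME_RE.fullmatch(filename):
        raise ValidationError("filename: only [A-Za-z0-9._-], no separators")
    part = PurePosixPath(filename)
    # The regex already excludes separators and leading dots; this is the
    # belt-and-braces check that the result really is one component.
    if len(part.parts) != 1 or part.name in (".", ".."):
        raise ValidationError("filename: traversal rejected")
    return str(PurePosixPath(base) / part)


def validate_upload_form(form):
    """Validate every field; unknown or missing fields are errors, not noise."""
    allowed = {"username", "age", "filename"}
    extra = set(form) - allowed
    if extra:
        raise ValidationError(f"unexpected fields: {sorted(extra)}")
    missing = allowed - set(form)
    if missing:
        raise ValidationError(f"missing fields: {sorted(missing)}")
    return {
        "username": validate_username(form["username"]),
        "age": validate_int(form["age"], 0, 150, "age"),
        "path": safe_join(UPLOAD_DIR, form["filename"]),
    }


def check(form):
    """Return (True, cleaned) or (False, reason) so callers can log and alert on rejects."""
    try:
        return True, validate_upload_form(form)
    except ValidationError as exc:
        return False, str(exc)


def demo_db():
    """Constructed in-memory table with one user, for the lookup below."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO users(name) VALUES ('alice')")
    return conn


def lookup_user(conn, username):
    """Second layer: even a validated value is bound as a parameter, never formatted into SQL."""
    row = conn.execute(
        "SELECT id FROM users WHERE name = ?", (validate_username(username),)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    good = {"username": "alice", "age": "34", "filename": "report.pdf"}
    bad = {"username": "alice' OR 1=1--", "age": "34", "filename": "../../etc/passwd"}
    print(check(good))
    print(check(bad))
    print(lookup_user(demo_db(), "alice"))
```

Note that a reject returns a reason string rather than silently dropping the field; that is what lets the layered controls the post mentions (logging, IPS, WAF alerts) actually see the attempt.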

For the latest in application security news, see sites such as http://www.xiom.com and http://www.owasp.org
