[Owasp-topten] A1 / A2 Review from Sylvan
Dinis Cruz
dinis at ddplus.net
Thu Feb 1 22:21:03 EST 2007
The comment 'you don't need validation if you use parameterized queries' is
spot on, and one that should be made in relation to issues like SQL
Injection (If I could count the number of security consultants that I have
heard saying 'to solve this case of SQL Injection just filter/validate your
inputs'!!!)
Now, that said, the point of using validation to detect attacks (and to
limit the amount of stuff that is processed) is a very good one (especially
if done in a central location using a global list of all inputs (mapped
against a white-list of expected data (ala struts (when used properly)))).
I would just add that I was involved in a recent project where we used the
validation errors (in that case RegEx) to detect malicious activity and act
accordingly.
Dinis Cruz
Chief OWASP Evangelist,
http://www.owasp.org
On 2/1/07, Jeff Williams <jeff.williams at aspectsecurity.com> wrote:
>
> > I really don't like the statement that "validation is still
> recommended in
> > order to detect attacks". Validation should be used to determine
> anything
> > that isn't what we expect, not to try to find attacks."
>
> I'd be interested in people's thoughts on this. Of course there are
> usability reasons to validate, but let's put those aside for purposes of
> this discussion. I'm interested in validation for security reasons.
>
> If you can prevent 100% of the attacks from working by using a
> parameterized interface, doing HTML entity encoding, etc... do you need
> to validate? Why?
>
> The reason, I believe, is to detect attacks so that you can respond
> appropriately. Unfortunately, the vast majority of applications DO NOT
> detect attacks at all. You can pound away at them all day and they'll
> happily respond, "I'm sorry, I didn't understand your request - please
> try again."
>
> If your application receives input that couldn't possibly have been
> generated by a legitimate user of the system, you should log them off,
> disable their account, notify someone, and/or take some other action.
> This would make most attack attempts much more difficult, and prevent
> vulnerability scanners from even working at all.
>
> --Jeff
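As an added example (not code from this thread or from OWASP), here is a Python sketch of the two roles the discussion separates: a parameterized query keeps the lookup safe on its own, while a central white-list of expected inputs turns validation failures into a logged, per-client detection signal that the application can act on. The field regexes, the client identifier and the strike threshold are assumptions.

```python
import re
import sqlite3
import logging
from collections import Counter

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")

# Central white-list of expected inputs, keyed by parameter name
# (constructed example of the "global list of all inputs" idea).
EXPECTED_INPUTS = {
    "username": re.compile(r"[A-Za-z0-9_]{3,32}"),
    "page":     re.compile(r"[0-9]{1,4}"),
}

# Validation failures per client: the attack-detection signal.
violations = Counter()
LOCKOUT_THRESHOLD = 3  # assumed policy value

def validate(params, client):
    """Return the names of parameters that fail the white-list.

    Input a legitimate user could not have produced is logged and counted
    against the client, so the caller can log them off, disable the account
    or notify someone instead of silently re-prompting.
    """
    bad = [name for name, value in params.items()
           if name not in EXPECTED_INPUTS
           or EXPECTED_INPUTS[name].fullmatch(value) is None]
    if bad:
        violations[client] += 1
        logging.warning("client=%s rejected params=%s (strike %d)",
                        client, bad, violations[client])
    return bad

def should_lock_out(client):
    """True once a client has accumulated enough validation failures."""
    return violations[client] >= LOCKOUT_THRESHOLD

def find_user(conn, username):
    """Parameterized lookup: safe by construction, whether or not the
    value passed validation, because the value is never part of the SQL."""
    row = conn.execute("SELECT id FROM users WHERE name = ?",
                       (username,)).fetchone()
    return row[0] if row else None

def make_db():
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO users (name) VALUES ('alice')")
    return conn
```

Run `validate()` before `find_user()`: the query stays safe either way, but only the validation step tells you that someone is sending input no real user would.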