[Esapi-user] Fortify vs ESAPI 2.0

Kevin W. Wall kevin.w.wall at gmail.com
Tue Feb 8 00:05:00 EST 2011


On 02/06/2011 08:36 PM, Jim Manico wrote:
>> It is not the taint *tracking* that is incredibly dangerous, but
>> rather the nonchalant way developers go about untainting.
> 
> I think the presumption that any data is untainted is the problem here.
> I consider post-validated data to be tainted, so I output encode even
> after validation (etc). Most taint tracking mechanisms that I have seen
> give devs the false impression that data at certain tiers are "safe" in
> a very inappropriate way. So I say taint on taint tracking.

If that's true, and in more recent times with XSS and the like, I no
longer think it is, it is because most taint mechanisms were developed
and/or documented before output encoding was important or it's because
that developers just don't understand that output encoding is important
to begin with. Input validation is necessary, but not sufficient. The
same can be said for taint mode. Taint mode is about input validation
not post validation / output encoding.  So at worst, I think you have
a perception problem to deal with. But IMO, taint mode helps you locate
those inputs that you might have forgotten about such as input from
a config file or an environment variable or system property, etc.  I think
average and better programmers will understand how to use taint mode
just fine. (Note that by comparison, it's very similar to DbC which as
of late you seem to be advocating.) I think we need to aim for developers
of average or better competence rather than trying to make everything
completely idiot proof which is something that you will never be able to do.
(As they say, idiots are so ingenious when it comes to screwing things
up.)

My own experience with using taint mode in Perl has made a believer out
of me. At Qwest when I was with the AppSec team, I strongly encouraged
any Perl CGI apps to use taint mode. Now that I am with InfoSec, I will
be arguing for requiring it. I think it's that helpful. If nothing else
it makes it much harder to accidentally miss the inputs that you need
to validate.

-kevin
-- 
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
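The two points in the message above, that taint mode surfaces inputs such as environment variables that are easy to forget, and that a value which has passed validation still has to be output-encoded for the context it lands in, can be shown in a few lines of Perl. The script below is an added illustration, not code from the post, from ESAPI, or from any project named here; the environment variable name REPORT_OWNER and the `/bin/echo` command are assumptions made for the example.

```perl
#!/usr/bin/perl -T
# Added example, not code from the original post or from ESAPI: what Perl
# taint mode flags, how a regex capture untaints, and why the untainted value
# still gets output-encoded for the context it lands in.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, %ENV, @ARGV, STDIN and file reads are tainted. Before running any
# external command, taint mode also requires a clean PATH and environment.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Input from an environment variable: the kind of input that is easy to forget.
# REPORT_OWNER is an assumed name for this example. A literal default would not
# be tainted, so the script insists the variable is set.
my $owner = $ENV{REPORT_OWNER} // die "Set REPORT_OWNER before running\n";
printf "raw value tainted? %s\n", tainted($owner) ? 'yes' : 'no';

# Allow-list validation doubles as untainting: only what the capture group
# returns is considered clean. The allow-list permits apostrophes, spaces and
# dots because those occur in real names, so it is not an HTML-safe set.
sub validate_owner {
    my ($raw) = @_;
    return $1 if $raw =~ /\A([A-Za-z][A-Za-z .'-]{0,63})\z/;
    die "Rejected owner name\n";
}

# Output encoding for an HTML text or attribute context, applied after
# validation: validation decided what we accept, not what is safe to emit here.
sub html_encode {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

my $clean = validate_owner($owner);
printf "validated value tainted? %s\n", tainted($clean) ? 'yes' : 'no';

# Without -T nothing stops a tainted value from reaching system(); with -T
# the call below dies with "Insecure dependency in system" if $owner is
# passed instead of $clean. With the validated value it runs.
system('/bin/echo', "report owner: $clean") == 0 or die "echo failed\n";

# Validated is not the same as safe to emit: O'Brien passes the allow-list
# yet would terminate a single-quoted attribute if emitted unencoded.
print qq{<input name="owner" value='}, html_encode($clean), qq{'>\n};
```

Run it as `REPORT_OWNER="O'Brien" perl -T taint_demo.pl` (the `-T` on the command line is required; Perl refuses a `-T` that appears only on the shebang line when started as `perl script.pl`). The first printf reports the environment value as tainted, the second reports the regex capture as clean, and the final line shows the apostrophe encoded as `&#39;` even though validation accepted it. Swapping `$clean` for `$owner` in the `system` call is the quickest way to see taint mode stop a forgotten input before it reaches a command.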
