[Owasp-leaders] Request for Comment - Draft US Department of Justice Secure Coding Guidance

Erlend Oftedal Erlend.Oftedal at BEKK.no
Tue Apr 5 11:54:24 EDT 2011

Hi Rex

I'm confused about the chapter about input validation. It also slightly covers output escaping, which I feel should be a chapter of its own.
To me the purpose of the two are very different.

Input validation is about making sure data is valid according to the domain. This could be ensuring that a numeric parameter is indeed numeric and not "1 OR 1=1" or "1<script>...", but for more complex input like names, it cannot protect against things like certain types of Cross-Site Scripting or other injection attacks. The classic example is the name "O'Brian" which contains a character which is incidentally also a meta character of SQL and JavaScript.

Output escaping is about making sure that data is still data when moving from one context to another, by escaping/encoding data. SQL injection, XSS and other injection attacks can only be fully mitigated using output encoding. I would add something on using prepared statements, and as .NET seems to be the language in question, I would also write something about using AntiXSS for output encoding to avoid XSS.

Another big difference is when in the pipeline these things happen. Input validation happens when data enters the application. Output escaping comes into play when data is about to leave the application.

Sorry for not using the matrix, but I only have a word viewer available right now.

Best regards
Erlend Oftedal
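The distinction drawn above, as an added example that is not part of the original message or of the DOJ draft: a numeric id is validated at the point where data enters the application, a name such as O'Brian passes validation with its apostrophe intact, and the apostrophe is then handled at the point where the data leaves the application, by a prepared statement for the SQL context and by HTML escaping for the browser context. Python with the standard-library sqlite3 and html modules is used here instead of .NET so the code runs stand-alone; the table, column names, and the name pattern are assumptions for this example.

```python
import html
import re
import sqlite3

# --- Input validation: data entering the application must fit the domain ---

ID_RE = re.compile(r"[0-9]{1,9}")
# Assumed domain rule: letters, apostrophe, space, dot, hyphen. The apostrophe
# is deliberately allowed; validation is not the place to fight SQL/JS syntax.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z' .-]{0,63}")


def validate_customer_id(raw):
    """A customer id is digits only, so '1 OR 1=1' and '1<script>' are rejected here."""
    if not ID_RE.fullmatch(raw):
        raise ValueError("invalid customer id: %r" % raw)
    return int(raw)


def validate_name(raw):
    """A name is valid domain data even when it carries an apostrophe (O'Brian)."""
    if not NAME_RE.fullmatch(raw):
        raise ValueError("invalid name: %r" % raw)
    return raw


# --- Output handling: data leaving the application for another context ---

def lookup_name_unsafe(conn, name):
    """Vulnerable form: the apostrophe in O'Brian becomes SQL syntax."""
    return conn.execute(
        "SELECT id FROM customers WHERE name = '%s'" % name).fetchall()


def lookup_name(conn, name):
    """Hardened form: a prepared (parameterised) statement keeps the value as data."""
    return conn.execute(
        "SELECT id FROM customers WHERE name = ?", (name,)).fetchall()


def render_greeting(name):
    """HTML context: escape when emitting, so ' becomes &#x27; and < becomes &lt;."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


def build_db():
    """Constructed sample database for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO customers (id, name) VALUES (?, ?)", (7, "O'Brian"))
    conn.commit()
    return conn


def demo():
    """Run the whole pipeline and return what each step did."""
    conn = build_db()

    # Validation rejects the classic injection strings outright ...
    rejected = []
    for bad in ("1 OR 1=1", "1<script>"):
        try:
            validate_customer_id(bad)
        except ValueError:
            rejected.append(bad)

    # ... but must accept a legitimate name with an SQL/JS metacharacter in it.
    name = validate_name("O'Brian")

    # Concatenation breaks on the apostrophe (sqlite reports a syntax error).
    try:
        lookup_name_unsafe(conn, name)
        unsafe_raised = False
    except sqlite3.OperationalError:
        unsafe_raised = True

    return {
        "rejected_ids": rejected,
        "unsafe_raised": unsafe_raised,
        "safe_rows": lookup_name(conn, name),
        "greeting": render_greeting(name),
        "script_greeting": render_greeting("<script>alert(1)</script>"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note that the name validator never strips or rewrites the apostrophe: if it did, O'Brian would be stored incorrectly and the application would still be unsafe for every other context the value later reaches. The prepared statement and the HTML escape each handle exactly one context, at the moment the data crosses into it.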

From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Rex Booth
Sent: 5 April 2011 17:11
To: owasp-leaders at lists.owasp.org; owasp-washington at lists.owasp.org
Subject: [Owasp-leaders] Request for Comment - Draft US Department of Justice Secure Coding Guidance


Attached for your review and comment is a new Draft Guidance document for the US Department of Justice addressing Secure Coding.  The document covers areas such as input validation, authentication, and parameter manipulation.  The intent of the document, once finalized, is to provide the Department with a set of secure coding best practices for commonly used programming languages.

This is a great opportunity for OWASP to increase our name recognition and assist in the development of guidance within the US Federal Sector.

Please use the attached comment matrix to record your comments and suggestions.  Please submit your completed matrices to me (rex.booth at owasp.org<mailto:rex.booth at owasp.org>).  The comment period will be open until 5pm EST on April 12, 2011 (sorry for the quick turn-around).  Comments and suggestions will be compiled by me and will be submitted to DOJ.

Let me know if you have any questions.

Thank you,