[Owasp-leaders] Request for Comment - Draft US Department of Justice Secure Coding Guidance

Jim Manico jim.manico at owasp.org
Tue Apr 5 13:11:35 EDT 2011


Correction: Output escaping (or what I prefer to call contextual encoding) should happen at each *parser boundary*, not as data leaves the app.

Think LDAP encoding in a reusable component, XSS escaping in a template language, and parameterized queries. When you encode contextually at the parser boundary you ensure that all calls entering that parser are protected from injection.

-Jim Manico
http://manico.net

On Apr 5, 2011, at 10:54 AM, Erlend Oftedal <Erlend.Oftedal at BEKK.no> wrote:

> Hi Rex
> 
> I’m confused about the chapter about input validation. It also slightly covers output escaping, which I feel should be a chapter of its own.
> 
> To me the purpose of the two are very different.
> 
> Input validation is about making sure data is valid according to the domain. This could be ensuring that a numeric parameter is indeed numeric and not “1 OR 1=1” or “1<script>...”, but for more complex input like names, it cannot protect against things like certain types of Cross-Site Scripting or other injection attacks. The classic example is the name “O’Brian” which contains a character which is incidentally also a meta character of SQL and javascript.
> 
> Output escaping is about making sure that data is still data when moving from one context to another, by escaping/encoding data. SQL injection, XSS and other injection attacks can only be fully mitigated using output encoding. I would add something on using prepared statements, and as .NET seems to be the language in question, I would also write something about using AntiXSS for output encoding to avoid XSS.
> 
> Another big difference is when in the pipeline these things happen. Input validation happens when data enters the application. Output escaping comes into play when data is about to leave the application.
> 
> Sorry for not using the matrix, but I only have a word viewer available right now.
> 
> Best regards
> 
> Erlend Oftedal
> 
> From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Rex Booth
> Sent: 5. april 2011 17:11
> To: owasp-leaders at lists.owasp.org; owasp-washington at lists.owasp.org
> Subject: [Owasp-leaders] Request for Comment - Draft US Department of Justice Secure Coding Guidance
> 
> All,
> 
> Attached for your review and comment is a new Draft Guidance document for the US Department of Justice addressing Secure Coding.  The document covers areas such as input validation, authentication, and parameter manipulation.  The intent of the document, once finalized, is to provide the Department with a set of secure coding best practices for commonly used programming languages.
> 
> This is a great opportunity for OWASP to increase our name recognition and assist in the development of guidance within the US Federal Sector.
> 
> Please use the attached comment matrix to record your comments and suggestions.  Please submit your completed matrices to me (rex.booth at owasp.org).  The comment period will be open until 5pm EST on April 12, 2011 (sorry for the quick turn-around).  Comments and suggestions will be compiled by me and will be submitted to DOJ.   
> 
> Let me know if you have any questions.
> 
> Thank you,
> Rex
> 
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
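The validation/encoding split Erlend describes, with the encoding moved to each parser boundary as Jim's correction says, as an added Python example that is not part of this thread. The customer table, the numeric-id rule and the sample values ("O'Brian", "1 OR 1=1") are constructed for illustration.

```python
import html
import re
import sqlite3
from typing import Optional

# Constructed sample inputs: a benign name carrying a SQL/JS metacharacter,
# and a value aimed at a field the domain defines as a positive integer.
SAMPLE_NAME = "O'Brian"
SAMPLE_ID_BAD = "1 OR 1=1"


def parse_customer_id(raw: str) -> Optional[int]:
    """Input validation at the entry point: the domain says an id is a
    positive integer, so anything else is rejected; returns None on reject."""
    if not re.fullmatch(r"[1-9][0-9]{0,9}", raw):
        return None
    return int(raw)


def validate_name(raw: str) -> str:
    """Names legitimately contain apostrophes, so validation can only bound
    length and strip control characters; it cannot remove the metacharacter."""
    if not 1 <= len(raw) <= 100 or any(ch in "\x00\r\n" for ch in raw):
        raise ValueError("invalid name")
    return raw


def insert_customer(conn: sqlite3.Connection, name: str) -> int:
    """SQL parser boundary: the value is a bound parameter, never text
    spliced into the statement, so the apostrophe stays data."""
    cur = conn.execute("INSERT INTO customers(name) VALUES (?)", (name,))
    return cur.lastrowid


def render_greeting(name: str) -> str:
    """HTML parser boundary: encode for the HTML text context at the point
    the page is built, so <, >, &, ' and " cannot become markup."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def demo(name: str = SAMPLE_NAME) -> dict:
    """Run a name through validation, the SQL boundary and the HTML boundary."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers(id INTEGER PRIMARY KEY, name TEXT)")
    row_id = insert_customer(conn, validate_name(name))
    row = conn.execute("SELECT name FROM customers WHERE id = ?", (row_id,))
    stored = row.fetchone()[0]
    return {"stored": stored, "html": render_greeting(stored)}
```

The same stored value is encoded differently at each boundary (bound parameter for SQL, entity encoding for HTML), which is why neither step can be replaced by validation at the entry point.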