[Owasp-topten] A1 / A2 Review from Sylvan

Jeff Williams jeff.williams at aspectsecurity.com
Thu Feb 1 11:42:41 EST 2007


> I really don't like the statement that "validation is still
> recommended in order to detect attacks". Validation should be used to
> determine anything that isn't what we expect, not to try to find attacks.

I'd be interested in people's thoughts on this.  Of course there are
usability reasons to validate, but let's put those aside for purposes of
this discussion.  I'm interested in validation for security reasons.

If you can prevent 100% of the attacks from working by using a
parameterized interface, doing HTML entity encoding, etc... do you need
to validate?  Why?

The reason, I believe, is to detect attacks so that you can respond
appropriately.  Unfortunately, the vast majority of applications DO NOT
detect attacks at all.  You can pound away at them all day and they'll
happily respond, "I'm sorry, I didn't understand your request - please
try again."

If your application receives input that couldn't possibly have been
generated by a legitimate user of the system, you should log them off,
disable their account, notify someone, and/or take some other action.
This would make most attack attempts much more difficult, and prevent
vulnerability scanners from even working at all.

--Jeff
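As an added illustration of the distinction drawn above (example code, not from the post or from OWASP): a form validator that keeps usability errors, which a legitimate user can simply fix, apart from input that no browser rendering the page could have produced, which triggers the session termination and notification the post recommends. The form fields, the rendered option list and the hidden-field signing key are all constructed for the example.

```python
from dataclasses import dataclass, field
import hmac
import re

@dataclass
class Verdict:
    ok: bool
    errors: list = field(default_factory=list)  # usability: legitimate user, fix and retry
    alerts: list = field(default_factory=list)  # detection: no legitimate client sends this

# Constraints of a hypothetical "update profile" form, exactly as the server rendered it.
EXPECTED_FIELDS = {"username", "country", "user_id", "user_id_sig"}
RENDERED_COUNTRIES = {"US", "DE", "FR"}          # the only <select> options offered
HIDDEN_FIELD_KEY = b"constructed-secret-key"      # server-side key for signing hidden fields
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")

def sign_hidden(value: str) -> str:
    """Sign a hidden field's value at render time so tampering is detectable on submit."""
    return hmac.new(HIDDEN_FIELD_KEY, value.encode(), "sha256").hexdigest()

def validate_profile(form: dict, session_user_id: str) -> Verdict:
    v = Verdict(ok=True)
    # Parameters the form never contained cannot come from a browser rendering our page.
    extra = set(form) - EXPECTED_FIELDS
    if extra:
        v.alerts.append(f"unexpected parameters {sorted(extra)}")
    # Hidden field: must equal what we rendered for this session and carry our signature.
    uid = form.get("user_id", "")
    sig = form.get("user_id_sig", "").encode()
    if uid != session_user_id or not hmac.compare_digest(sig, sign_hidden(uid).encode()):
        v.alerts.append("hidden field user_id altered")
    # Select box: a browser can only submit one of the options we rendered.
    if form.get("country") not in RENDERED_COUNTRIES:
        v.alerts.append(f"country {form.get('country')!r} not among rendered options")
    # Free-text field: a malformed value is a typo, reported back to the user.
    if not USERNAME_RE.fullmatch(form.get("username", "")):
        v.errors.append("username must be 3-20 letters, digits or underscores")
    v.ok = not v.errors and not v.alerts
    return v

def respond(verdict: Verdict, audit_log: list) -> str:
    """Act on the verdict: alerts end the session and are logged; errors ask the user to retry."""
    if verdict.alerts:
        audit_log.append("ALERT session terminated, operator notified: " + "; ".join(verdict.alerts))
        return "session terminated"
    if verdict.errors:
        return "please try again: " + "; ".join(verdict.errors)
    return "ok"
```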