[Owasp-topten] A1 / A2 Review from Sylvan

Endres, Raoul endresr at anz.com
Thu Feb 1 16:53:53 EST 2007


I think this comes down to bad choice of words...

Validation can help to determine attacks, so it is recommended in this
case.

BUT - validation has a lot of other uses so should be encouraged always.


This should probably be reworded to something like "validation can help
detect attacks and is generally a good thing to implement"



Cheers,
Raoul.

-----Original Message-----
From: owasp-topten-bounces at lists.owasp.org
[mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of Jeff Williams
Sent: Friday, 2 February 2007 3:43 AM
To: owasp-topten at lists.owasp.org
Subject: Re: [Owasp-topten] A1 / A2 Review from Sylvan

> I really don't like the statement that "validation is still recommended in
> order to detect attacks". Validation should be used to determine anything
> that isn't what we expect, not to try to find attacks.

I'd be interested in people's thoughts on this.  Of course there are
usability reasons to validate, but let's put those aside for purposes of
this discussion.  I'm interested in validation for security reasons.


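The distinction the thread is arguing about, positive validation ("anything that isn't what we expect") versus trying to recognise attacks, is easy to see side by side in code. The following is an added example and not part of the original thread or of the OWASP Top Ten text; the username rule, the deny-list patterns and the sample inputs are all constructed for illustration.

```python
"""Allow-list validation versus attack-pattern (deny-list) validation.

Added example, not from the original mailing-list thread. The field rule,
the deny-list patterns and every sample input below are constructed.
"""
import re
from dataclasses import dataclass, field

# Positive validation: describe what a valid value looks like and reject
# everything else. The rule knows nothing about attacks; it only knows
# what a username is supposed to be (constructed rule).
USERNAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]{2,15}")

# Deny-list "validation": try to recognise known attack strings.
# Constructed sample patterns; a real list would be longer and still
# incomplete, which is exactly the point of the comparison.
DENY_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"<script", r"'\s*or\s+", r"union\s+select")
]


def allowlist_valid(value: str) -> bool:
    """True only if the whole value matches the positive rule.

    fullmatch is used rather than match() with a trailing '$', because
    '$' also matches before a final newline and would let "alice\\n" through.
    """
    return USERNAME_RE.fullmatch(value) is not None


def denylist_valid(value: str) -> bool:
    """True if no known attack pattern is found. Unknown attacks pass."""
    return not any(p.search(value) for p in DENY_PATTERNS)


@dataclass
class ValidationLog:
    """Where rejected values are recorded so the validation layer also
    serves as the attack-detection signal Raoul's reply describes."""
    rejected: list = field(default_factory=list)


def validate_username(value: str, log: ValidationLog) -> bool:
    """Positive validation with the rejection logged as a detection event."""
    ok = allowlist_valid(value)
    if not ok:
        log.rejected.append(value)
    return ok


def compare(values):
    """Map each sample input to (allow-list verdict, deny-list verdict)."""
    return {v: (allowlist_valid(v), denylist_valid(v)) for v in values}


# Constructed sample inputs: one benign value, one textbook attack string,
# and three values that are not what we expect but match no attack pattern.
SAMPLES = [
    "alice_01",
    "<script>alert(1)</script>",
    "admin'--",
    "bob\x00admin",
    "../../etc/passwd",
]

if __name__ == "__main__":
    for value, (allow, deny) in compare(SAMPLES).items():
        print(f"{value!r:30} allow-list={allow!s:5} deny-list={deny}")
```

Running it shows that the allow-list rejects every unexpected value, including the three that the deny-list waves through because they match no known signature, while the benign value passes both. The `ValidationLog` is the small addition that makes the two positions in the thread compatible: validate against what you expect, and treat each rejection as something worth looking at.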

