[OWASP-wiki-editors] OWASP Glossary

Paco Hope Paco at cigital.com
Tue Feb 24 07:47:28 UTC 2015

I stole your dance and consider input validation as "defining program semantics and functionality" and encoding as "security". Fair?

You can’t steal something I freely give. :)

I don’t think of one of them as “defining semantics” and the other as “security” because things encoded incorrectly often don’t function correctly, either. They’re two sides of the same coin. You can’t have one without the other. It is the correct handling of both input and output that creates “security” as an emergent property. I would avoid characterising something like output encoding as the “security” part of the process because people might be misled to think they’re “doing security” if they’re doing output encoding. Or they might think that they don’t need to do output encoding if they’re “not doing the security part” of their app.

It’s just correct software development. It’s not magic and it’s not “security”.
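The "two sides of the same coin" point above, as an added illustration (example code written for this page, not code from the thread or from OWASP): a value that legitimately passes input validation for a display-name field still breaks the page, functionally as well as security-wise, when it is dropped into an HTML attribute unencoded. The validation rule, the sample name and the rendering helpers are all assumptions made up for the example; the only real API used is Python's html.escape and html.parser.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample input: a perfectly ordinary company name that a sensible
# validation rule for this field accepts, yet which contains characters that
# are significant inside an HTML attribute (' and &).
SAMPLE_NAME = "D'Angelo & Sons"

# Input validation: decide what a "display name" is allowed to mean for this
# application. The rule itself is an assumption made for this example.
_NAME_RE = re.compile(r"[A-Za-z0-9 .'&-]{1,64}")


def validate_display_name(value: str) -> bool:
    """True if value is something the application accepts as a display name."""
    return _NAME_RE.fullmatch(value) is not None


def render_unencoded(name: str) -> str:
    """Wrong: emits already-validated data into an HTML attribute verbatim."""
    return f"<input name=\"display\" value='{name}'>"


def render_encoded(name: str) -> str:
    """Right: encodes for the single-quoted HTML attribute context it lands in."""
    return f"<input name=\"display\" value='{html.escape(name, quote=True)}'>"


class _ValueAttrGrabber(HTMLParser):
    """Collects the 'value' attribute the parser actually assigns to <input>."""

    def __init__(self) -> None:
        super().__init__()
        self.values: list = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            for key, val in attrs:
                if key == "value":
                    self.values.append(val)


def browser_sees(fragment: str) -> str:
    """Parse the fragment the way a browser would and return the input's value
    (entity references in the attribute are decoded, as a browser does)."""
    parser = _ValueAttrGrabber()
    parser.feed(fragment)
    parser.close()
    return parser.values[0] if parser.values else ""


def handle_display_name(raw: str) -> str:
    """Both halves together: reject what the field does not mean, then encode
    what it does mean for the context it is emitted into."""
    if not validate_display_name(raw):
        raise ValueError("not a display name")
    return render_encoded(raw)


if __name__ == "__main__":
    # Validation passes: this is a real name, not an attack.
    assert validate_display_name(SAMPLE_NAME)
    # Unencoded, the apostrophe closes the attribute early: the field now
    # contains "D" and the rest of the name is parsed as junk attributes.
    print(render_unencoded(SAMPLE_NAME))
    print("browser sees:", repr(browser_sees(render_unencoded(SAMPLE_NAME))))
    # Encoded for the attribute context, the browser gets the name back intact.
    print(render_encoded(SAMPLE_NAME))
    print("browser sees:", repr(browser_sees(render_encoded(SAMPLE_NAME))))
```

Note that validation alone rejects "<script>alert(1)</script>" but cannot reject the apostrophe, because the apostrophe is part of what the field means; encoding alone would accept any garbage as long as it rendered safely. Only the two together give a page that is both correct and safe.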

