
Thursday, September 29, 2011

The Argument for Proper Input Validation: A White-List Approach

By Stephen Jensen, Principal Consultant, Managed Security Solutions Group, BT Global Services

Proper input validation isn’t rocket science; it just takes time, time some companies decide is better spent on other things, such as adding that new bell or whistle. We all know that if an application doesn’t function properly, it can’t be released for end-user consumption. If the application functions properly but has gaping security holes, however, it can still be released; we just need to make sure we issue updates to fix those security issues, and hopefully we can fix them before some nefarious attacker exploits them.

How can companies develop more secure applications? Easy! Four letters: SDLC. The SDLC (Secure Development Lifecycle) teaches companies to integrate security as a requirement from the beginning of the application development process. As a former software developer, I consider the requirements-gathering phase as important to application development as breathing is to life. Implementing security requirements from the beginning not only ensures that a more secure application rolls out the door, it also saves time and money by addressing potential security issues before they make their way into the real world. The estimated cost of remediation is extraordinary; some figures put it as high as $300,000 to remediate a single application security vulnerability.

During the requirements phase, the stakeholders lay out and identify their business and functional requirements. They identify their end users and create “Use Cases” to define the functionality for each user. What is commonly overlooked at this time is the data that needs to be captured from those end users, and it is this data that leads to injection vulnerabilities. The key to preventing these injection vulnerabilities is to define the acceptable data that an end user can enter. Defining the approved data should be discussed, agreed upon, and made into a requirement at this stage.

There are two approaches that can be taken here: black-listing and white-listing. The preferred method of data validation should always be a white-list approach, which dictates that only the characters associated with the expected data type are allowed to be entered. As an example, if you have a textbox for an American-style zip code, then the application should allow only the characters 0-9 and disallow everything else. Likewise, if you have a textbox that accepts a user’s name, then the allowed characters should include only the letters A-Z and a-z, a properly escaped apostrophe (’) for names such as O’Neil or O’Brien, and a hyphen (-) for hyphenated last names. All other characters should be disallowed. By disallowing all characters that are not specific to the data and escaping those that could be potentially harmful, we can reduce the likelihood of an injection attack ten-fold. Yes, that’s correct: simply by implementing a white-list approach to data validation, we can virtually eliminate SQL Injection, Cross-Site Scripting and every other vulnerability associated with data injection. So what are you waiting for? Go start white-listing your data!
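The zip-code and name allow-lists described above, as an added example that is not code from the original post: each field is checked against its permitted character set before anything else happens, and the validated name is then stored using a bound parameter rather than hand-escaping the apostrophe. The length bounds (exactly 5 digits, 1 to 64 name characters) and the sqlite3 table are my assumptions.

```python
import re
import sqlite3

# Allow-list per field: the permitted character set from the post, plus
# length bounds that are an added assumption (the post specifies characters only).
FIELDS = {
    "zip":  {"chars": "0-9",      "min": 5, "max": 5},
    "name": {"chars": "A-Za-z'-", "min": 1, "max": 64},
}

def validate(field: str, value: str) -> str:
    """Return value unchanged if it passes the field's allow-list,
    else raise ValueError naming the first character that is not permitted."""
    spec = FIELDS[field]
    # Anything outside the allowed class is rejected, whatever it might "mean".
    bad = re.findall(f"[^{spec['chars']}]", value)
    if bad:
        raise ValueError(f"{field}: character {bad[0]!r} is not on the allow-list")
    if not spec["min"] <= len(value) <= spec["max"]:
        raise ValueError(f"{field}: length {len(value)} outside "
                         f"{spec['min']}-{spec['max']}")
    return value

def is_valid(field: str, value: str) -> bool:
    """Boolean form of validate(), handy for form handlers and tests."""
    try:
        validate(field, value)
        return True
    except ValueError:
        return False

def roundtrip_name(name: str) -> str:
    """Validate a name, store it with a bound parameter, and read it back.
    Binding (rather than hand-escaping) means the apostrophe in O'Brien is
    data, never SQL syntax; the allow-list has already removed everything
    else that could be mistaken for syntax. Assumed in-memory sqlite3 table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.execute("INSERT INTO users (name) VALUES (?)", (validate("name", name),))
    stored = conn.execute("SELECT name FROM users").fetchone()[0]
    conn.close()
    return stored

if __name__ == "__main__":
    # Constructed sample inputs: two that satisfy the allow-lists, three that do not.
    for field, value in [("zip", "30301"), ("zip", "3030a"), ("zip", "1234"),
                         ("name", "O'Brien"), ("name", "Bob<b>")]:
        print(f"{field:4} {value!r:12} -> {'accept' if is_valid(field, value) else 'reject'}")
    print(roundtrip_name("Smith-Jones"))
```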

