[WEB SECURITY] re: top 25 discussion

Glenn Everhart Everhart at gce.com
Thu Jan 15 16:52:13 EST 2009

I find suggestions of form "validate inputs" to be dangerously vague.
Either they may be taken to mean "do something that might kinda/sorta 
work", which often leads to other problems, or it may be taken to mean 
"only allow a few known-ok inputs", which is likely safe enough but 
might cripple usability and lead to the
measures being junked later.

Better practice would be to give suggestions on what exactly should be 
validated. "Ensure the functions being invoked
are exactly the list you expect" again doesn't say how to do this but is 
a suggestion that sometimes will work and suggests
a possible line of inquiry on how input might be tested.

At any rate, more information on what to do seems desirable...

Glenn Everhart

Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn

More information about the websecurity mailing list