[WEB SECURITY] re: top 25 discussion
Glenn Everhart
Everhart at gce.com
Thu Jan 15 16:52:13 EST 2009
I find suggestions of the form "validate inputs" to be dangerously vague. Either they may be taken to mean "do something that might kinda/sorta work", which often leads to other problems, or they may be taken to mean "only allow a few known-ok inputs", which is likely safe enough but might cripple usability and lead to the measures being junked later.

Better practice would be to give suggestions on what exactly should be validated. "Ensure the functions being invoked are exactly the list you expect" again doesn't say how to do this, but it is a suggestion that sometimes will work and suggests a possible line of inquiry on how input might be tested.

At any rate, more information on what to do seems desirable...
Glenn Everhart
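An added example, written here and not part of the post, contrasting the two readings of "validate inputs" the post describes: a denylist filter in front of reflection-based dispatch, and an explicit table that makes "the functions being invoked are exactly the list you expect" checkable. The handlers, the internal helper and the parameter format are constructed for illustration.

```python
# Added example (not from the original post): the vague reading of
# "validate inputs" beside the explicit allowlist the post suggests.
import re

# Constructed handlers a web front end is meant to reach.
def list_items(user: str) -> str:
    return f"items for {user}"

def add_item(user: str, name: str) -> str:
    return f"added {name} for {user}"

# Constructed internal maintenance helper, never meant to be web-reachable.
def _reset_store(user: str) -> str:
    return f"store reset for {user}"

# Vague validation: reject a few known-bad characters, then dispatch by
# name lookup. The reachable set is whatever the module happens to define.
_BAD = re.compile(r"[;&|`]")

def dispatch_denylist(action: str, **params) -> str:
    if _BAD.search(action):
        raise ValueError("rejected: bad character")
    fn = globals().get(action)
    if fn is None:
        raise ValueError("unknown action")
    return fn(**params)

# Explicit allowlist: the callable set is exactly this table, and each
# entry states the parameter names it accepts. Nothing else is reachable.
ALLOWED_ACTIONS = {
    "list": (list_items, {"user"}),
    "add":  (add_item,   {"user", "name"}),
}
_NAME = re.compile(r"[A-Za-z0-9_-]{1,32}")  # known-ok shape per parameter

def dispatch_allowlist(action: str, **params) -> str:
    entry = ALLOWED_ACTIONS.get(action)
    if entry is None:
        raise ValueError("unknown action")
    fn, expected = entry
    if set(params) != expected:
        raise ValueError("unexpected parameter set")
    for value in params.values():
        if not isinstance(value, str) or not _NAME.fullmatch(value):
            raise ValueError("parameter fails format check")
    return fn(**params)

def rejected(dispatcher, action: str, **params) -> bool:
    """True when the given dispatcher refuses the call."""
    try:
        dispatcher(action, **params)
    except ValueError:
        return True
    return False
```

With the denylist version, the internal helper is callable by name because an underscore is not on the bad-character list; the allowlist version rejects it, along with any call whose parameter set or parameter shape differs from the table.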