Input Validation: Superfluous Most of the Time?
Do we actually need it for secure software?
Before I draw flashes of anger from all the security-aware software professionals out there, I insist that you take some time to contemplate the subtitle.
Input validation is the heavily recommended technique for preventing malicious attacks against our software, although from the analyst’s and developer’s perspective it is sometimes treated as a burden. In this post, you can find a discussion of whether we can write secure code without using input validation whatsoever.
This is Bedirhan, and in a short while I’ll present some solid examples that allow us to ask that “obnoxious looking” question. However, to spice things up a little, let’s first concentrate on web application firewalls (WAFs).
On Web Application Firewalls (WAFs)
For those who don’t know, a WAF sits in front of your applications and thwarts malicious attacks. While pretty useful, of course, WAFs don’t solve the root causes of application-related security bugs. What they succeed at is patching buggy software.
WAFs act like filters, and that filtering comes in two general flavors: blacklisting and whitelisting. Whitelisting is the better approach because it accepts what is expected by the business owners and rejects the rest. WAFs can usually make use of both techniques.
Blacklists are usually open to bypasses, whereas whitelists are sometimes not enough to make the software secure. While much better than blacklists, whitelists are not silver bullets.
Moreover, it is a well-known fact that there is a certain security vulnerability category that filtering can’t solve altogether: business logic problems. So, we have to implement logic in the WAF to mitigate logical/transaction-based security weaknesses.
Anyway, let’s switch back to input validation done by the code itself. Although enforcing it closest to the source code prevents any impedance mismatch (different interpretation of input by the filtering component and the rest of the software), input validation is most of the time still far away from the root of the software…
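To make the point that a whitelist is sometimes not enough, here is an added example (not code from the original post). A surname whitelist has to accept the legitimate value O'Brien, so a query built by string concatenation still breaks on validated input, while binding the value at the query itself does not. The surname rule, table and function names are assumptions made for the illustration.

```python
import re
import sqlite3

# Assumed business rule: letters, spaces, hyphens and apostrophes, 1-40 chars.
SURNAME_RE = re.compile(r"[A-Za-z][A-Za-z '\-]{0,39}")


def is_valid_surname(value: str) -> bool:
    """Whitelist check: accept only what the business rule expects."""
    return SURNAME_RE.fullmatch(value) is not None


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, surname TEXT)")
    # Constructed sample rows.
    db.executemany("INSERT INTO customers (surname) VALUES (?)",
                   [("O'Brien",), ("Smith",)])
    return db


def lookup_concatenated(db: sqlite3.Connection, surname: str) -> list:
    """Validated value spliced into the SQL text: still parsed as SQL."""
    if not is_valid_surname(surname):
        raise ValueError("rejected by whitelist")
    sql = "SELECT id FROM customers WHERE surname = '" + surname + "'"
    return [row[0] for row in db.execute(sql)]


def lookup_parameterized(db: sqlite3.Connection, surname: str) -> list:
    """Same validation, but the value is bound and never parsed as SQL."""
    if not is_valid_surname(surname):
        raise ValueError("rejected by whitelist")
    cur = db.execute("SELECT id FROM customers WHERE surname = ?", (surname,))
    return [row[0] for row in cur]


def demo() -> dict:
    db = make_db()
    result = {"valid": is_valid_surname("O'Brien")}
    try:
        lookup_concatenated(db, "O'Brien")
        result["concatenated"] = "ok"
    except sqlite3.OperationalError:
        # The apostrophe that the whitelist must allow ends the SQL literal.
        result["concatenated"] = "broken"
    result["parameterized"] = lookup_parameterized(db, "O'Brien")
    return result


if __name__ == "__main__":
    print(demo())
```

The whitelist did its job in both functions; only the one that fixes the problem where the query is built handles the legitimate input correctly.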