
Pushing Left, Like a Boss — Part 5.10 — Untrusted Data

Tanya Janca (shehackspurple)

*Previously published on my Medium blog, SheHacksPurple.*

Trust data from…. No one. Not the database, not APIs, not even your mom.

Me at #MicrosoftIgniteTheTour in Sydney, Australia. I'm the tiny dot at the front.

Any data sent to your application needs to be treated as untrusted, and thus validated before it is used or saved. When I say this, I mean ALL DATA. Whoever saved the data to that database may have made an error while validating that input. The API you are calling may have been compromised. Even a highly intelligent user, such as my mother (degrees in both chemistry and mathematics, an accounting designation, and several certifications, including adult education; she's very bright), could make a simple error when using an application, such as entering a single quote instead of a double quote, which could potentially send your application into an error state, causing a crash or worse. I realize that generally we assume we are guarding only against malicious actors, but this is not true: even well-meaning, well-educated and computer-literate users can cause problems if your application is too trusting of the data it receives. If you treat all data as potentially malicious, you will ensure that your application is not only battle-ready, but also error-proof.

Validate data from all sources, including:

  • Parameters in the URL
  • The database
  • APIs (internal and external)
  • Other Applications
  • Users. Especially users.
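As an added illustration (my example code, not from the original post), the same allow-list validators are applied to every source named above: a URL parameter typed by a user, rows read back from the database, and JSON returned by an upstream API. The account-id format, the field names and the sample values are all constructed for this example. A failed check becomes a clean error response, so a stray single quote from a well-meaning user never turns into a crash.

```python
"""Treat every input source as untrusted: URL parameters, database rows and
API responses are all run through the same allow-list validators."""
import json
import re
import sqlite3

# Hypothetical account-id format: two upper-case letters, a dash, six digits.
ACCOUNT_RE = re.compile(r"^[A-Z]{2}-\d{6}$")


class ValidationError(ValueError):
    """Raised when a value from any source fails validation."""


def validate_account_id(value):
    """Positive (allow-list) check rather than a deny-list of 'bad' characters."""
    if not isinstance(value, str) or not ACCOUNT_RE.fullmatch(value):
        raise ValidationError(f"bad account id: {value!r}")
    return value


def validate_quantity(value):
    """Accept an int or a digit string (URL params arrive as strings); bound it."""
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        raise ValidationError(f"bad quantity type: {type(value).__name__}")
    try:
        qty = int(value)
    except ValueError:
        raise ValidationError(f"bad quantity: {value!r}") from None
    if not 1 <= qty <= 1000:
        raise ValidationError(f"quantity out of range: {qty}")
    return qty


def validate_order(record):
    """Validate a whole record, whatever its source; unknown or missing fields fail."""
    allowed = {"account_id", "quantity"}
    if not isinstance(record, dict):
        raise ValidationError("record must be an object")
    if set(record) != allowed:
        raise ValidationError(f"unexpected or missing fields: {sorted(set(record) ^ allowed)}")
    return {
        "account_id": validate_account_id(record["account_id"]),
        "quantity": validate_quantity(record["quantity"]),
    }


def handle_request(query_params):
    """Simulated HTTP handler: a failed check becomes a 400, never a traceback."""
    try:
        order = validate_order(query_params)
    except ValidationError as exc:
        return 400, {"error": str(exc)}
    return 200, order


def load_orders(conn):
    """Rows are re-validated on the way out of the database; malformed rows are
    skipped and reported rather than trusted because 'the database said so'."""
    good, bad = [], []
    for account_id, quantity in conn.execute("SELECT account_id, quantity FROM orders"):
        try:
            good.append(validate_order({"account_id": account_id, "quantity": quantity}))
        except ValidationError as exc:
            bad.append(str(exc))
    return good, bad


def parse_api_response(body):
    """An upstream API's JSON gets the same field-by-field validation as user input."""
    try:
        payload = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValidationError(f"malformed JSON from API: {exc.msg}") from None
    return validate_order(payload)


def demo():
    """Constructed sample data for all three sources; nothing here is from a real system."""
    # 1. URL parameters: the second request has a quote where a digit belonged.
    results = [handle_request({"account_id": "AB-123456", "quantity": "12"}),
               handle_request({"account_id": "AB-123456", "quantity": "1'"})]
    # 2. Database rows: two were stored before validation existed and are malformed.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (account_id TEXT, quantity INTEGER)")
    conn.executemany("INSERT INTO orders VALUES (?, ?)",
                     [("CD-654321", 3), ("cd-654321", 5), ("EF-000001", 0)])
    good, bad = load_orders(conn)
    # 3. API payload carrying a field that was never agreed on.
    try:
        parse_api_response('{"account_id": "GH-111111", "quantity": 2, "role": "admin"}')
        api_ok = True
    except ValidationError:
        api_ok = False
    return results, good, bad, api_ok


if __name__ == "__main__":
    print(demo())
```

The validators are written once and reused at every trust boundary; the database path in particular shows why data you wrote yesterday still gets checked today.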

References: Check out the OWASP Cheat Sheet for Input Validation!

Up next in the ‘Pushing Left, Like a Boss’ series: Authorization (AuthZ).


If you want to continue to develop your skills, check out WeHackPurple Academy's NEW course, Application Security Foundations, taught by yours truly! There is also a lot of awesome content to subscribe to for only $7 a month!
