Friday, April 4, 2008

Secure Software Applications - Today: Input Validation

Security assessments usually involve a lot of questions to, and answers from, the customer. It is simply more efficient to ask the customer the right questions than to look up the information in documents or read large amounts of source code. We have a set of questions that we usually ask a customer at the start of any security assessment.

One question is about input validation, which is one of the cornerstones of secure application design and implementation. For example, a credit card number consists solely of a fixed number of digits in the range from zero to nine. There is no reason for a software application to continue processing unless the user has filled the credit card form field with the proper number of digits. Characters other than digits must not be allowed. Performing strict input validation will greatly enhance the security of the software application.
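The credit card check described above, as an added example that is not part of the original post: a strict allow-list validator that rejects bad input instead of trying to clean it up. The 16-digit length, the function names and the Luhn checksum step are assumptions of this example; the checksum goes beyond what the post describes, and the sample values in the comments are constructed.

```python
import re

# Assumption: 16-digit card numbers. The post only says the length is fixed.
CARD_LENGTH = 16
# Explicit [0-9] instead of \d: in Python 3, \d and str.isdigit() also accept
# non-ASCII digits (for example Arabic-Indic), which later code may not expect.
_CARD_RE = re.compile(r"[0-9]{%d}" % CARD_LENGTH)


class InvalidInput(ValueError):
    """Raised when a form field fails validation; processing must stop."""


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over an all-digit string (catches most typing errors)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def validate_card_number(raw) -> str:
    """Return the value unchanged if it is valid, otherwise raise."""
    if not isinstance(raw, str):
        raise InvalidInput("card number must be a string")
    # fullmatch anchors both ends; re.match with "$" would still accept a
    # trailing newline such as "4111111111111111\n".
    if _CARD_RE.fullmatch(raw) is None:
        # Do not echo the rejected value into the message or the logs.
        raise InvalidInput("card number must be exactly %d digits" % CARD_LENGTH)
    if not luhn_ok(raw):
        raise InvalidInput("card number checksum failed")
    return raw


def is_valid(raw) -> bool:
    """Boolean wrapper for callers that only need accept or reject."""
    try:
        validate_card_number(raw)
        return True
    except InvalidInput:
        return False
```

The validator belongs on the server side, at the point where the form field enters the application, so that nothing downstream ever sees a value that failed the check.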

Conversely, not performing strict input validation is a good indicator that the application has software bugs. This is why we ask customers where and how they perform input validation in their software applications. Not performing input validation is common, but one customer's answer got straight to the point:

"The user is responsible for valid input. Are there any risks with that?"

Back in 2004, the risk related to that made it to the top of the OWASP Top 10, a hit list of the most exploited security vulnerabilities. So the answer is "Yes! There is a risk." Missing input validation does not directly result in exploitable security vulnerabilities. However, the most critical security issues, such as Cross-Site Scripting, buffer overflows, and SQL injection, may result from it.

Take an analogy:
If a bank employee said, "We have neither a vault, nor do we close our doors at night. It's the people's responsibility not to steal the money," would you entrust your money to this bank?

Key take-aways:
Security risks don't emerge solely through coding errors. Performing input validation is a requirement and should be integrated into the application's architecture.
