1.16.2008

Secure Coding Practices, Part 4: Data Validation

by Steven McElwee, CISSP

Data validation is one of the most important secure coding practices, since it is the most exploited function of applications. Whether your organization creates web applications, desktop applications, or client-server systems, data validation is crucial to protecting the applications, the data, and the servers on which they reside.

The most important data to validate is data that comes from user input or is received from another system or outside source. At this interface, information cannot be trusted until it is validated.

Validation of data is important to prevent:

  • Injection attacks caused by characters that change the functioning of the program
  • Buffer overflows caused by entering too much data in a fixed-length buffer
  • Cross-site scripting, which allows attackers to change the presentation of a web interface to redirect user input
  • Data type errors, which may cause exceptions in programs that threaten system availability
  • File corruption or tampering, which is caught by validating the sender and contents of the file

Many data validation issues can be found with automated static analysis tools, such as Fortify, Ounce Labs, Coverity, FindBugs, and Rough Auditing Tool for Security (RATS). These tools will alert you to many potential data validation issues. You will still need to review and validate the results, since these tools may produce false positives.

File corruption or tampering will need to be caught through manual review. Look for system-to-system file exchange points. Using asymmetric keys to provide non-repudiation of the sender, using encryption, or simply creating a hash of the file for validation will go a long way to prevent problems caused by tampering with the files.

Here are some review questions to add to your secure coding practices and your review checklist:
  • Are all user inputs validated?
  • Does validation check data length?
  • Does validation filter or escape special characters?
  • Does validation of web input remove tags before displaying it back to the user?
  • Does the application validate the data type of user input before operating on it?
  • Is XML received from outside of the application validated?
  • Is the integrity of files sent and received by the application validated?
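
The first five checklist questions applied to a small form handler, as an added example (not code from the original article). The order form, its field names and its limits are assumptions, and the sketch escapes markup at output time rather than removing tags.

```python
import html
import re

# Assumed rules for a hypothetical order form (not from the article).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")
MAX_COMMENT_LEN = 200


class ValidationError(ValueError):
    def __init__(self, field, reason):
        super().__init__(f"{field}: {reason}")
        self.field = field  # lets callers report which input failed


def validate_order(form):
    """Validate untrusted form data; return typed values or raise."""
    # Are all user inputs validated? Every expected field must be a string.
    for field in ("username", "quantity", "comment"):
        if not isinstance(form.get(field), str):
            raise ValidationError(field, "missing or not a string")
    # Length and special characters: one allow-list pattern rejects quotes,
    # semicolons, angle brackets and anything else not explicitly permitted.
    username = form["username"]
    if not USERNAME_RE.fullmatch(username):
        raise ValidationError("username", "must be 3-20 letters, digits or _")
    # Data type: confirm the text is a bounded whole number before int().
    qty_text = form["quantity"]
    if not (qty_text.isascii() and qty_text.isdigit() and len(qty_text) <= 4):
        raise ValidationError("quantity", "must be a whole number")
    quantity = int(qty_text)
    if not 1 <= quantity <= 1000:
        raise ValidationError("quantity", "must be between 1 and 1000")
    # Free text: enforce length here; markup is neutralised on output
    # by render_comment(), so the stored value stays unmodified.
    comment = form["comment"]
    if len(comment) > MAX_COMMENT_LEN:
        raise ValidationError("comment", "too long")
    return {"username": username, "quantity": quantity, "comment": comment}


def render_comment(comment):
    """Escape HTML special characters before echoing text back to a user."""
    return "<p>" + html.escape(comment, quote=True) + "</p>"


# Constructed sample input for a stand-alone run.
SAMPLE = {"username": "alice_01", "quantity": "3", "comment": "<b>hi</b>"}
if __name__ == "__main__":
    print(validate_order(SAMPLE), render_comment(SAMPLE["comment"]))
```
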
