Page 1393 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

expect these values to fall within certain parameters. For example, if the programmer asks the user to enter a month, the program may expect to see an integer value between 1 and 12. If the user enters a value outside that range, a poorly written program may crash, at best, or allow the user to gain control of the underlying system, at worst.

Input validation verifies that the values provided by a user match the programmer's expectation before allowing further processing. For example, input validation would check whether a month value is an integer between 1 and 12. If the value falls outside that range, the program will not try to process the number as a date and will inform the user of the input expectations. This type of input validation, where the code checks to ensure that a number falls within an acceptable range, is known as a limit check.

Input validation may also check for unusual characters, such as quotation marks within a text field, which may be indicative of an attack. In some cases, the input validation routine can transform the input to remove risky character sequences and replace them with safe values. This process is known as escaping input.

Input validation should always occur on the server side of the transaction. Any code sent to the user's browser is subject to manipulation by the user and is therefore easily circumvented.
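The three ideas in the passage above (a limit check on the month field, flagging of unusual characters in a text field, and escaping of risky characters) are shown together in the following added example. It is illustrative code written for this page, not code from the study guide; the `handle_submission` function, the field names `month` and `comment`, and the sample submissions are constructed assumptions, and every check runs on the server so that nothing depends on what the browser may or may not have validated.

```python
"""Server-side input validation: limit check, suspicious-character check, escaping."""
import html
import re

# A month is accepted only as one or two digits, optionally padded with whitespace.
MONTH_RE = re.compile(r"\s*(\d{1,2})\s*")
# Characters that rarely belong in a plain text field and are worth logging.
SUSPICIOUS = re.compile(r"""['"<>;`\\]""")


def limit_check_month(raw: str) -> int:
    """Limit check: the value must be an integer in the range 1..12.
    Anything else is rejected before the program treats it as a date."""
    match = MONTH_RE.fullmatch(raw)
    if match is None:
        raise ValueError("month must be a whole number between 1 and 12")
    value = int(match.group(1))
    if not 1 <= value <= 12:
        raise ValueError(f"month {value} is outside the range 1..12")
    return value


def is_valid_month(raw: str) -> bool:
    """Convenience wrapper: True if the limit check passes, False otherwise."""
    try:
        limit_check_month(raw)
        return True
    except ValueError:
        return False


def has_suspicious_chars(raw: str) -> bool:
    """Detection: flag quotation marks and similar characters in a text field
    so the request can be logged as a possible attack attempt."""
    return SUSPICIOUS.search(raw) is not None


def escape_text(raw: str, max_len: int = 200) -> str:
    """Escaping: keep the input but transform risky character sequences into
    harmless HTML entities so they cannot change the meaning of a page."""
    if len(raw) > max_len:
        raise ValueError(f"text field longer than {max_len} characters")
    return html.escape(raw, quote=True)


def handle_submission(form: dict) -> dict:
    """Hypothetical server-side handler: validates every field itself and never
    trusts checks that may have run in the user's browser."""
    comment = form.get("comment", "")
    return {
        "month": limit_check_month(form.get("month", "")),
        "flagged": has_suspicious_chars(comment),
        "comment": escape_text(comment),
    }


if __name__ == "__main__":
    # Constructed sample submissions, not real traffic.
    good = {"month": " 7 ", "comment": "Meeting moved to July"}
    print(handle_submission(good))
    odd = {"month": "7", "comment": "Bob's \"urgent\" <note>"}
    print(handle_submission(odd))  # flagged, quotes and brackets escaped
    for bad in ({"month": "13"}, {"month": "7; rm -rf /"}, {"month": ""}):
        try:
            handle_submission(bad)
        except ValueError as err:
            print("rejected:", err)
```

The limit check rejects rather than repairs: a value of 13 or a trailing command string never reaches the date logic. Escaping, by contrast, keeps the user's text and only neutralises the characters that would change its meaning when rendered, which is why the two techniques complement each other rather than substitute for one another.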




In most organizations, security professionals come from a system administration background and don't have professional experience in software development. If your background doesn't include this type of experience, don't let that stop you from learning about it and educating your organization's developers on the importance of secure coding.



Authentication and Session Management

Many applications, particularly web applications, require that users authenticate prior to accessing sensitive information or modifying data in the application. One of the core security tasks facing developers is ensuring that those users are properly authenticated, that they perform only authorized