[ISM] Input validation and sanitization:

Validation or sanitisation is performed on all input handled by web applications.

[OWASP] Validate all user inputs to prevent injection attacks (SSS-02-19-01)

Ensure all user inputs are strictly validated to prevent injection attacks and data corruption. For example, enforce positive allowlists and strong data typing to accept only expected input formats, reducing the risk of SQL injection, XSS, and other attacks. Implement length, range, and format checks to further constrain input and prevent buffer overflows or unintended data processing. Integrate input validation at all stages of development, including architecture, design, coding, and testing, to ensure security is built in from the start. Continuously review and test validation controls to detect and mitigate potential weaknesses before deployment.

[SAMM] Conduct security testing and validation (SSS-02-19-01-01)

Organizations must conduct security tests to validate that all standard security controls function as intended, ensuring robust protection of confidentiality, integrity, and availability (CIA) of both data and services. These tests should cover critical security mechanisms, including authentication, access control, input validation, encoding, escaping, and encryption to detect potential weaknesses. Security testing should be integrated into the development lifecycle, systematically verifying that security controls are correctly implemented and effective in preventing unauthorized access or data manipulation. The objective is to ensure that applications enforce security policies consistently, mitigating risks before deployment. By continuously assessing the effectiveness of security defenses, organizations can proactively identify gaps and reinforce their security posture, reducing the likelihood of security failures in production environments.

Operations

| ID | Operation | Description | Phase | Agent |
|---|---|---|---|---|
| SSS-02-19-01-01-01 | Implement Positive Allow Lists for Input Validation | Ensure input validation is implemented using positive allow lists, allowing only expected input types, values, and formats. This approach helps prevent malicious data from entering the application. | Development | Security Engineers, Software Developers |
| SSS-02-19-01-01-02 | Enforce Strong Data Typing | Use strong data typing mechanisms to ensure that all inputs conform to expected data types, reducing the risk of injection attacks and data corruption. | Development | Security Engineers, Backend Developers |
| SSS-02-19-01-01-03 | Perform Length and Range Checks | Include length and range checks as part of the input validation process. This helps to further reduce the possibility of successful injection attacks and buffer overflow vulnerabilities. | Development | Security Engineers, Backend Developers |
| SSS-02-19-01-01-04 | Integrate Input Validation into Architecture and Development | Incorporate secure input validation during the application architecture and Development stages to ensure that security is built into the system from the beginning. | Preparation | Security Architects, Product Managers |
| SSS-02-19-01-01-05 | Test Input Validation During Unit and Integration Testing | Ensure that input validation is thoroughly tested during unit and integration testing to confirm that only safe and valid data is processed. | Development | QA Teams, Software Developers |
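
The first three operations can be combined in a single validator, shown here as an added example that is not taken from the ISM, OWASP or SAMM material. The order form, its field names (`username`, `country`, `quantity`) and every limit are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Hypothetical order form: field names and limits are assumptions for this example.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")  # allowed characters, 3-32 long
QUANTITY_RE = re.compile(r"[0-9]{1,3}")            # ASCII digits only
COUNTRIES = frozenset({"AU", "NZ", "SG"})          # allow list of permitted values
MAX_RAW_LEN = 64                                   # cap applied before any parsing

class ValidationError(ValueError):
    """Carries the name of the offending field; the raw value is never echoed."""

@dataclass(frozen=True)
class Order:
    username: str
    country: str
    quantity: int

def _text(form, field):
    # Strong typing: the raw value must be a str, not a list, dict, int or None.
    value = form.get(field)
    if not isinstance(value, str):
        raise ValidationError(field)
    # Length check first, so oversized input never reaches the regex engine.
    if len(value) > MAX_RAW_LEN:
        raise ValidationError(field)
    return value

def validate_order(form):
    """Return a typed Order or raise ValidationError; input is rejected, never repaired."""
    unknown = set(form) - {"username", "country", "quantity"}
    if unknown:
        raise ValidationError("unexpected field")
    username = _text(form, "username")
    # fullmatch anchors both ends; match() with "$" would accept a trailing newline.
    if not USERNAME_RE.fullmatch(username):
        raise ValidationError("username")
    country = _text(form, "country")
    if country not in COUNTRIES:
        raise ValidationError("country")
    raw_qty = _text(form, "quantity")
    # int() alone accepts "+5", " 5 ", "1_0" and non-ASCII digits, so match first.
    if not QUANTITY_RE.fullmatch(raw_qty):
        raise ValidationError("quantity")
    quantity = int(raw_qty)
    if not 1 <= quantity <= 100:  # range check on the typed value
        raise ValidationError("quantity")
    return Order(username, country, quantity)
```

Downstream code receives only the typed `Order`, so the checks cannot be bypassed by reading the raw form again.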

References

Industry framework Academic work Real-world case
Information Security Manual (ISM-1240)
OWASP Application Security Verification Standard
OWASP SAMM: Software Assurance Maturity Model (V-RT-1-A)