Data validation: Ignore it and you lose

Data validation is one of the most effective ways to protect Web applications from attack.  Ensuring only the data you expect is entered into a form or provided via some other input mechanism should be part of every organization’s software development process.  It’s understandable that small companies relying on outside resources might miss opportunities to “do the right thing.”  But large organizations should know better.  Some still haven’t gotten the message.

The recent Heartland Payment Systems breach is an example of what happens when you don’t validate data.

The U.S. alleges that the criminal group used SQL injection techniques to exploit poorly coded Web application software. Once they gained access to a corporate system, the hackers planted sophisticated packet-sniffing tools and other malware to detect and steal payment card data flowing over the victim companies' networks, according to court documents.

SQL injection attacks take advantage of a vulnerability that appears when a Web application fails to properly filter or validate data a user enters on a Web page to order a product or communicate with a company. An attacker can send a malformed SQL query to the underlying database to break into it, plant malicious code or access other systems.

Source: U.S. says SQL injection hacks used in major breaches, Jaikumar Vijayan, Computerworld, 24 August 2009

As you can see from the article, data validation prevents attackers from using various techniques to own your data or network.  In addition to SQL injection attacks, data validation helps prevent:

These vulnerabilities, together with injection flaws, make up four of the top five vulnerabilities in the OWASP Top 10.

Organizations can protect themselves by ensuring development processes include checking data from any source (see the graphic) to ensure applications and databases receive only what is expected—nothing more.  This isn’t an option today.  Web applications which allow any and all input, regardless of content, are simply not secure and are the products of careless programming.

[Graphic: Data Sources]
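To make concrete both the SQL injection mechanism quoted above (user input spliced into a query) and the "receive only what is expected" rule, here is an added Python example that is not part of the original article. It uses an in-memory SQLite table and a hypothetical input rule (a product SKU must look like `AB-1234`); the table contents, the SKU format and the sample inputs are all constructed for the demonstration. The careless lookup builds SQL text from the raw input, the hardened lookup binds it as a parameter, and the validated lookup rejects anything outside the expected shape before it ever reaches the database.

```python
import re
import sqlite3

# Constructed sample database (not from the article): a small products table.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (sku TEXT PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("AB-1001", "Widget", 9.99), ("AB-1002", "Gadget", 19.99), ("CD-2001", "Gizmo", 4.50)],
    )
    return conn

# Hypothetical input rule: a SKU is two uppercase letters, a dash, four digits.
SKU_PATTERN = re.compile(r"^[A-Z]{2}-\d{4}$")

def validate_sku(value: str) -> str:
    """Allow-list check: return the value unchanged if it has the expected
    shape, otherwise raise. Anything outside the pattern is rejected outright."""
    if not isinstance(value, str) or not SKU_PATTERN.fullmatch(value):
        raise ValueError(f"rejected input: {value!r}")
    return value

def lookup_unvalidated(conn: sqlite3.Connection, sku: str) -> list:
    """The careless pattern the article describes: user input is spliced
    straight into the SQL text, so the database parses it as part of the query."""
    query = f"SELECT sku, name FROM products WHERE sku = '{sku}'"
    return conn.execute(query).fetchall()

def lookup_parameterized(conn: sqlite3.Connection, sku: str) -> list:
    """Hardened form: the SKU travels as a bound parameter, never as SQL text,
    so the database treats it purely as data."""
    return conn.execute("SELECT sku, name FROM products WHERE sku = ?", (sku,)).fetchall()

def lookup_validated(conn: sqlite3.Connection, sku: str) -> list:
    """Defence in depth: check the shape first, then bind the parameter."""
    return lookup_parameterized(conn, validate_sku(sku))

def demo() -> dict:
    """Run the three lookups against one expected and one unexpected input."""
    conn = make_db()
    good = "AB-1001"
    # Constructed sample of input a product form should never accept.
    bad = "x' OR '1'='1"
    results = {
        "good_unvalidated": len(lookup_unvalidated(conn, good)),   # 1 row, as intended
        "bad_unvalidated": len(lookup_unvalidated(conn, bad)),     # every row leaks
        "bad_parameterized": len(lookup_parameterized(conn, bad)), # matches nothing
    }
    try:
        lookup_validated(conn, bad)
        results["bad_validated"] = "accepted"
    except ValueError:
        results["bad_validated"] = "rejected"   # never reaches the database
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of keeping both `lookup_parameterized` and `validate_sku` is that they answer different questions: parameter binding stops input from being interpreted as SQL, while the allow-list check enforces what the application considers valid at all, which also gives you a clean place to log and count rejected input from any source.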

Copyright © 2009 IDG Communications, Inc.
