Designing for application security is designing for data validation

-

 We probably don't talk enough about how good design pays off on multiple targets. 

For example:
Security is often something that gets begrudging compliance, but well-designed security steps often intersect with good data validation.

The most talked about reason for input parameterization and protecting against SQL injection is "so that a malicious user doesn't pull a Bobby Tables on you."



The most legitimate real-world reason for input parameterization and anti-injection code is because "if no one can break it on purpose, then it's not going to break on accident because the AS/400 forwards you values with random semi-colons in them."


The 2nd most legitimate real-world reason is that poorly implemented dynamic SQL interferes with the predictability of your queries, so SQL server is likely going to give you better execution plans with effective parameters.


Chances are that implementing any good design feature will improve more things than the advertised reason for doing it.

Comments

Post a Comment

Popular posts from this blog

Default Browser - set url association with PowerShell

-
 Something that is helpful to know for complicated environments. Background: We have a legacy software that is in the process of being rewritten as a Blazor application, as we begin integrating these things together one need is to make sure that invoked urls do not open in Internet Explorer.  Policy and OU based controls are not available within the timeline we're looking at. However we have an advantage in the fact that we're already using a .ps1 script that prepares some environment needs before  the software executes. Other alternatives: A popular recommendation for handling this is to work within the DefaultAssociationsConfiguration structure. This is a good option, and is well covered in articles like this:  set-default-browser-to-microsoft-edge-using-powershell/ Why this solution: This solution fits a need where anything that may cause IE to be reset as default is handled promptly without requiring a logoff or restart to take effect.  Components: Registry ...
Read more

LINQ within a foreach()

-
  An example of how LINQ where clauses save steps. The where can occur right within the declaration of the foreach LAMBDA syntax: foreach (var person in people.Where(n => n.sex == "male")) { ... } Query Syntax: foreach (var person in from person in people where person.sex == "male" select person) { ... } Both syntaxes compile to the same code (Credit to  @YuvalItzchakov   https://stackoverflow.com/a/25412168 )
Read more

Rules of Automation

-
  Automation has several concrete rules: ·           Automation requires a system o      You can't automate an action, you can automate a process.   ·           The process has to be well defined o      All actions have to be expressible with valid conditional logic      ("If this, … and this, …but not this"). o      Ultimately this means you can't use the word "sometimes" in the process description. o      All needed condition values must be in a ready and readable state before the trigger is given for an automation step.   ·           Automation projects fail because of weak processes, not because of weak technology.
Read more