Full recognition of inputs before processing

Explanation: A component that accepts an input without checking its validity presents a path that an attacker can probe.

Vulnerabilities addressed: Addresses exploitation of input-handling code by maliciously crafted inputs.

Developer resources required: Requires specification of input language, program source code, and software framework for generating recognizer for input language.

Evaluator resources required: Requires audit of software and its data language definitions for adherence to the design principle.

Source: www.computer.org

Share this article

Shahid N. Shah is an internationally recognized and influential cybersecurity and risk management expert. He is a technology strategy consultant to many federal agencies and winner of Federal Computer Week’s coveted “Fed 100″ award for his work on the government’s largest secure collaboration space. He’s served as Chief Architect (contractor) for BFELoB and OMB secure collaboration platforms and was responsible for strategy as well as implementation leadership of the government’s largest cross-agency identity management solution focused on multifactor auth/authz and identity assurance. He’s also helped AHIP with cybersecurity strategy development for its member insurers and is the author of the “Cybersecurity Risks” and “Conducting Digital Health Risk Assessments” chapters of the 2015 edition of “Insurance and Risk Management Strategies for Physicians and Advisors” book.