Original Post: How to make “Input validation” easy for your devs | by Mohamed AboElKheir | AppSec Untangled | Jul, 2024
The article emphasizes the importance of input validation as a key security measure to protect web applications from attacks such as SQL injection and command injection. Input validation ensures that only data of the expected shape reaches critical parts of an application, so attacker-controlled strings are rejected before they can reach a database, shell, or other interpreter.
The article outlines several sources of input for applications, including request headers, cookies, GET parameters, route parameters, and the request body. It describes common validation techniques such as lists of allowed values, specific patterns, and maximum lengths with permitted characters.
Despite its importance, input validation is often overlooked by developers who prioritize functional logic over security. To address this, the article suggests that security engineers should streamline the implementation of input validation, making it easier for developers. One approach is to create middleware that integrates validation logic and specifies the handling of invalid inputs, thus reducing friction for developers.
An example using Node.js and the Express framework demonstrates how to implement such middleware with the Joi validation library. The middleware validates the relevant parts of each request (body, headers, cookies, and so on) and returns an error response for invalid input, so the route handler never runs on data that failed validation.
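The following is an added example, not the article's own code, showing the middleware pattern the article describes: a `validate(schema)` factory that checks several parts of an Express-style request with the three techniques the article lists (allow-lists, patterns, and maximum length with a permitted character class) and rejects the request with a 400 before the route handler runs. It is written without Express or Joi so it runs offline; the rule builders (`rules.oneOf`, `rules.pattern`, `rules.maxLen`), the `field` helper, the schema layout, and the sample requests are all assumptions of this example, and in a real app the middleware would be attached as `app.post('/users/:id', validate(userSchema), handler)`.

```javascript
'use strict';

// Rule builders (assumed names for this example; Joi offers equivalents).
const rules = {
  // Allow-list: the value must be one of a fixed set.
  oneOf: (...allowed) => (v) => allowed.includes(v),
  // Pattern: the whole value must match an anchored regex.
  pattern: (re) => (v) => typeof v === 'string' && re.test(v),
  // Bounded length plus a permitted-character class.
  maxLen: (n, charClass = /^[A-Za-z0-9 _.-]*$/) => (v) =>
    typeof v === 'string' && v.length <= n && charClass.test(v),
};

// A field rule: { required, check }. Missing optional fields pass.
function field(check, { required = true } = {}) {
  return { required, check };
}

// Validate one request part (body, query, params, headers, cookies).
// Unknown fields are rejected unless the part opts in with allowUnknown,
// which headers need because browsers and proxies add their own.
function validatePart(actual, spec) {
  const errors = [];
  const input = actual || {};
  for (const [name, rule] of Object.entries(spec.fields)) {
    const value = input[name];
    if (value === undefined) {
      if (rule.required) errors.push(`${name}: required`);
      continue;
    }
    if (!rule.check(value)) errors.push(`${name}: invalid`);
  }
  if (!spec.allowUnknown) {
    for (const name of Object.keys(input)) {
      if (!(name in spec.fields)) errors.push(`${name}: not allowed`);
    }
  }
  return errors;
}

// Middleware factory: one schema object covers every request part a route uses.
function validate(schema) {
  return function validationMiddleware(req, res, next) {
    const errors = [];
    for (const [part, spec] of Object.entries(schema)) {
      for (const e of validatePart(req[part], spec)) errors.push(`${part}.${e}`);
    }
    if (errors.length > 0) {
      // Stop here so the handler never sees invalid input. Report which fields
      // failed, not the submitted values, to avoid reflecting attacker data.
      return res.status(400).json({ error: 'invalid input', details: errors });
    }
    return next();
  };
}

// Constructed schema for a hypothetical "update user" route.
const userSchema = {
  body: {
    fields: {
      username: field(rules.maxLen(32, /^[a-z0-9_]*$/)),
      role: field(rules.oneOf('viewer', 'editor')),
      email: field(rules.pattern(/^[^\s@]+@[^\s@]+\.[^\s@]+$/), { required: false }),
    },
  },
  params: { fields: { id: field(rules.pattern(/^[0-9]{1,10}$/)) } },
  headers: {
    // Express lower-cases header names; undeclared headers are tolerated here.
    fields: { 'x-request-id': field(rules.pattern(/^[a-f0-9-]{36}$/), { required: false }) },
    allowUnknown: true,
  },
};

// Minimal stand-in for the Express response object, used only for the demo.
function fakeRes() {
  const res = { statusCode: 200, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (payload) => { res.body = payload; return res; };
  return res;
}

// Run the middleware on a constructed request and report what happened.
function runMiddleware(schema, req) {
  const res = fakeRes();
  let reachedHandler = false;
  validate(schema)(req, res, () => { reachedHandler = true; });
  return {
    reachedHandler,
    status: reachedHandler ? 200 : res.statusCode,
    details: res.body ? res.body.details : [],
  };
}

// Constructed sample requests: one well-formed, one carrying a quote-laden
// username, a role outside the allow-list, an undeclared field and a bad id.
const goodRequest = {
  body: { username: 'alice_01', role: 'viewer' },
  params: { id: '42' },
  headers: { host: 'example.test' },
};
const badRequest = {
  body: { username: "bob' OR 1=1", role: 'admin', isAdmin: true },
  params: { id: '12abc' },
  headers: {},
};
```

`runMiddleware(userSchema, goodRequest)` reaches the handler, while `runMiddleware(userSchema, badRequest)` stops with status 400 and names the four failing fields. Rejecting undeclared body fields by default is deliberate: it keeps mass-assignment style extras such as `isAdmin` out of the handler without every developer having to remember to filter them.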
Additionally, the article recommends using tools like Semgrep to audit that every route actually applies the validation middleware, so coverage does not depend on each developer remembering to add it. By engaging with development teams and security champions, organizations can develop tailored, easy-to-use solutions that enhance security while reducing the burden on developers.