Validation and encoding
Validation is the process of checking input data to ensure that it is well-formed. A Validation.Required finding indicates that no validation occurred along a given data path from source to sink. Validation can be as simple as bounding the data to a maximum length and as complex as checking for well-formed names and addresses. Validation can also check for attacks such as SQL Injection by detecting illegal character sequences that enable these attacks.
Encoding is the process of transforming the data into a well-formed state. A Validation.EncodingRequired finding indicates that no encoding occurred along a given data path from source to sink. Encoding could be as simple as escaping characters or as complex as encrypting the data. Encoding can also prevent attacks such as Cross-Site Scripting by escaping the characters that lead to these attacks.
When you first scan, AppScan® Source may identify a finding as a suspect security finding. When you create a validation or encoding routine that applies to a specific source, AppScan Source for Analysis reports the finding as definitive (instead of suspect) if the specified validation or encoding routine is not called after it receives data from the source.
Assessments track data from known sources throughout a project. If data can be tracked from a known source to a known sink, specified validation and encoding routines can ensure that a malicious attack could not occur with unbounded input data.
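The following is an added example, not code from AppScan Source or from this page. It shows the two kinds of routine the page distinguishes (a validation routine that bounds length and rejects malformed input, and an encoding routine that transforms input by escaping HTML metacharacters) and a small model of how a source-to-sink path is classified: a path that never passes through a routine of a given kind yields the corresponding finding, and the finding is definitive when a specified routine exists but was not called and suspect when none has been specified. The routine names `validate_name` and `encode_for_html`, the `audit_path` function, and the call sequences are assumptions made for illustration; the finding names are the ones the page uses.

```python
import html
import re

# Validation routine (assumed for illustration): bound the length and enforce
# an allow-list shape for a person's name. Malformed input is rejected, not
# repaired, so no "illegal character sequence" reaches the sink.
MAX_NAME_LEN = 64
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z '\-]*$")


def validate_name(value):
    if len(value) > MAX_NAME_LEN:
        raise ValueError("input exceeds maximum length")
    if not NAME_RE.match(value):
        raise ValueError("input contains characters outside the allow-list")
    return value


# Encoding routine (assumed for illustration): transform rather than reject,
# escaping the characters that would let the data be read as HTML markup.
def encode_for_html(value):
    return html.escape(value, quote=True)


# Model of the finding logic (assumption, not AppScan Source's implementation):
# path[0] is the source, path[-1] is the sink, everything between is the
# sequence of routines the data passed through. validators/encoders are the
# routines the analyst has specified as trusted for this source.
def audit_path(path, validators, encoders):
    findings = {}
    inner = set(path[1:-1])
    if not inner & set(validators):
        findings["Validation.Required"] = "definitive" if validators else "suspect"
    if not inner & set(encoders):
        findings["Validation.EncodingRequired"] = "definitive" if encoders else "suspect"
    return findings


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ["O'Brien", "x' OR 1=1 --", "a" * 70]:
        try:
            print("accepted:", validate_name(sample))
        except ValueError as err:
            print("rejected:", repr(sample), "->", err)

    print("encoded:", encode_for_html('<b onclick="x">'))

    specified_validators = {"validate_name"}
    specified_encoders = {"encode_for_html"}
    paths = [
        ["request.getParameter", "response.write"],
        ["request.getParameter", "validate_name", "response.write"],
        ["request.getParameter", "validate_name", "encode_for_html", "response.write"],
    ]
    for p in paths:
        print(" -> ".join(p), audit_path(p, specified_validators, specified_encoders))
    # With no routines specified, a missing routine is reported only as suspect.
    print(audit_path(["request.getParameter", "executeQuery"], set(), set()))
```

Note that the two routines are not interchangeable: `validate_name` would reject a legitimate comment field containing `<`, while `encode_for_html` alone does nothing to bound the length of the data or to stop it being misused in a SQL sink, which is why an assessment tracks both kinds of routine along the path.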