Validation and encoding
Validation is the process of checking input data to ensure
that it is well-formed. A Validation.Required
finding
indicates that no validation occurred along a given data path from
source to sink. Validation can be as simple as bounding the data to
a maximum length and as complex as checking for well-formed names
and addresses. Validation can also check for attacks such as SQL Injection
by detecting illegal character sequences that enable these attacks.
Encoding is the process of transforming the data into a
well-formed state. A Validation.EncodingRequired
finding
indicates that no encoding occurred along a given data path from source
to sink. Encoding could be as simple as escaping characters or as
complex as encrypting the data. Encoding can also prevent attacks
such as Cross-Site Scripting by escaping the characters that lead
to these attacks.
When you first scan, AppScan® Source may identify a finding as a suspect security finding. When you create a validation or encoding routine that applies to a specific source, AppScan® Source for Analysis reports the finding as definitive (instead of suspect) if the specified validation or encoding routine is not called after it receives data from the source.
Assessments track data from known sources throughout a project. If data can be tracked from a known source to a known sink, specified validation and encoding routines can ensure that a malicious attack could not occur with unbounded input data.