From the course: Threat Modeling: Denial of Service and Elevation of Privilege

Unlock the full course today

Join today to access over 22,400 courses taught by industry experts or purchase this course individually.

Validation not sanitization for defense

Validation not sanitization for defense

From the course: Threat Modeling: Denial of Service and Elevation of Privilege

Start my 1-month free trial

Validation not sanitization for defense

- [Instructor] What's the difference between validation and sanitization? Sanitization is a lovely goal when you want to preserve the thing you're sanitizing. But let's be frank, input from the internet can be garbage. You don't want to sanitize garbage. You want to throw it away and tell the center why you threw it away. This is somewhat less obviously true in the era of cloud services but Kerckhoff's principle still applies. The security of a system cannot rely on anything not easily changed. And we were just talking about how hard it can be to change a parser. So don't rely on security through obscurity. If you're telling the sender why you threw it away and they keep coming back with improved variants of their attack, you might want to track how far they're getting and maybe even fix the parser to be smarter about where they're going. If you track your errors, you can be confident that you're improving…

Contents