
It’s commonly accepted that all user-originated inputs are treated as untrusted. Which of the following is least significant to ensure the security of an API’s input data? (Wentz QOTD)
A. Serialization
B. Canonicalization
C. Sanitization
D. Validation
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. Serialization.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

When an API receives user-originated input, it should first be decoded (every layer of encoding removed), sanitized if necessary, canonicalized, and finally validated. Serialization serves a different purpose: it is a means to transmit or persist objects. Specifically, serialization is the process of transforming one or more in-memory objects into a format that can be stored or sent over the network and later reconstructed (deserialized) into the original state. Serialization, and deserialization of untrusted data in particular, can itself be a source of vulnerabilities; its purpose is not to validate user input.
The following summary comes from SAFECode:
- Sanitization can involve removing, replacing or encoding unwanted characters or escaping characters.
- Canonicalization is the process for converting data that establishes how these various equivalent forms of data are resolved into a “standard,” “normal” or canonical form. Canonical representation ensures that the various forms of an expression do not bypass any security or filter mechanisms.
- Input after canonicalization should be validated and either accepted or rejected.
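The decode, canonicalize, validate sequence described above, applied to one API input (a file path carried in a JSON body), as an added example that is not part of the original post or of the SAFECode text. The directory name `reports`, the deny-list `naive_filter`, and the three-layer decoding limit are assumptions made for the illustration; the point is that the deny-list check on the raw string is defeated by an equivalent encoded form, while the canonicalized allow-list check is not, and that `json.loads` (deserialization) reconstructs the object without validating anything.

```python
"""Decode -> canonicalize -> validate for a single API input (a file path in a JSON body)."""
import json
import posixpath
import unicodedata
import urllib.parse
from typing import Optional

ALLOWED_BASE = "reports"  # constructed: the only directory this API may serve files from


def decode(raw: str) -> str:
    """Strip URL percent-encoding until stable, so double-encoded input cannot hide a payload."""
    for _ in range(3):  # assumed limit on encoding layers
        decoded = urllib.parse.unquote(raw)
        if decoded == raw:
            return decoded
        raw = decoded
    raise ValueError("too many encoding layers")


def canonicalize(path: str) -> str:
    """Collapse equivalent spellings: Unicode NFKC (e.g. fullwidth U+FF0E -> '.'), then './' and '../' segments."""
    return posixpath.normpath(unicodedata.normalize("NFKC", path))


def validate(path: str) -> bool:
    """Allow-list rule: a relative path whose first segment is ALLOWED_BASE, with no '..' segment left."""
    parts = path.split("/")
    return parts[0] == ALLOWED_BASE and ".." not in parts


def naive_filter(raw: str) -> bool:
    """Anti-example: a deny-list check on the raw string, before decoding or canonicalization."""
    return ".." not in raw and not raw.startswith("/")


def accept_path(body: str) -> Optional[str]:
    """Deserialize the JSON body, then run the real pipeline; returns the safe path or None."""
    obj = json.loads(body)  # deserialization only reconstructs the object; it validates nothing
    if not isinstance(obj, dict) or not isinstance(obj.get("path"), str):
        return None
    path = canonicalize(decode(obj["path"]))
    return path if validate(path) else None
```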
References
- Fundamental Practices for Secure Software Development (SAFECode)
- Serialization
- Serialization Filtering — Deserialization Vulnerability Protection in Java
It is commonly accepted that all user-originated inputs are treated as untrusted. Which of the following is least significant to ensure the security of an API's input data? (Wentz QOTD)
A. Serialization
B. Canonicalization
C. Sanitization
D. Validation
My suggested answer is C
Could you explain your choice, please?
Could you explain your choice please?
I think this question doesn’t really relate to CISSP, but here is my go:
It’s commonly accepted that all user-originated inputs are treated as untrusted. Which of the following is least significant to ensure the security of an API’s input data? (Wentz QOTD)
A. Serialization
B. Canonicalization
C. Sanitization
D. Validation
I would say it’s B – the naming conventions of the API have no meaning in security and can’t be attacked, as the function will not see it.
Serialization is important (significant); if a different serialization function is used, it won’t be able to decode, and it can be attacked.
C – Sanitization is very significant, because you could have all kinds of attacks at the input of the API.
D – Validation is important because of logic vulnerabilities and to ensure the inputs of the API.
Thank you for your feedback! This question’s key point is “to ensure the security of an API’s input data.” Serialization is not a countermeasure but a source of threats. Canonicalization, sanitization, and validation are technical means to mitigate the risk.