
It’s commonly accepted that all user-originated inputs are treated as untrusted. Which of the following is least significant to ensure the security of an API’s input data? (Wentz QOTD)
A. Serialization
B. Canonicalization
C. Sanitization
D. Validation
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. Serialization.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

When an API receives user-originated input, the input should first be decoded (every layer of encoding removed), then sanitized if necessary, canonicalized, and finally validated. Serialization is a means to transmit or persist objects. Specifically, serialization is the process of transforming one or more instances of memory objects into a format that can be stored or transmitted over the network and reconstructed (deserialized) to the original state. Serialization, and in particular deserialization of untrusted data, can itself be a source of vulnerabilities, but its primary purpose is not to validate user inputs.
The following summary comes from SAFECode:
- Sanitization can involve removing, replacing or encoding unwanted characters or escaping characters.
- Canonicalization is the process of converting data so that its various equivalent forms are resolved into a “standard,” “normal” or canonical form. Canonical representation ensures that the various forms of an expression do not bypass any security or filter mechanisms.
- Input after canonicalization should be validated and either accepted or rejected.
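The decode, sanitize, canonicalize, validate sequence above, worked through on a filename parameter an API might accept. This is an added example, not code from the original post or from SAFECode; the base directory, the allowlist rule and the `naive_check` contrast are assumptions made for illustration.

```python
import posixpath
import re
import unicodedata
from urllib.parse import unquote

# Constructed for this example: the only directory the API may serve files from,
# and an allowlist pattern for plain filenames (checked last, after canonicalization).
BASE_DIR = "/srv/api/uploads"
ALLOWED_NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def decode(value: str, max_rounds: int = 3) -> str:
    """Strip percent-encoding layer by layer (catches double encoding); refuse to loop forever."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("input still encoded after %d decoding rounds" % max_rounds)


def sanitize(value: str) -> str:
    """Remove unwanted characters: anything in the Unicode 'Other' categories (controls, NUL, format chars)."""
    return "".join(ch for ch in value if unicodedata.category(ch)[0] != "C")


def canonicalize(value: str) -> str:
    """Resolve equivalent forms: compatibility characters (e.g. fullwidth letters) and '..' segments."""
    value = unicodedata.normalize("NFKC", value)
    return posixpath.normpath(posixpath.join(BASE_DIR, value))


def validate(path: str) -> bool:
    """Accept only an allowlisted filename directly under BASE_DIR; everything else is rejected."""
    head, name = posixpath.split(path)
    return head == BASE_DIR and ALLOWED_NAME.fullmatch(name) is not None


def check_filename(raw: str) -> tuple:
    """Run the full pipeline; returns (accepted, canonical path or rejection reason)."""
    try:
        canonical = canonicalize(sanitize(decode(raw)))
    except ValueError as exc:
        return (False, str(exc))
    return (validate(canonical), canonical)


def naive_check(raw: str) -> bool:
    """Filter applied to the raw input without canonicalization: shown only to illustrate why that fails."""
    return ".." not in raw and not raw.startswith("/")
```

Running `check_filename` on an encoded `%2e%2e%2f` traversal or a fullwidth spelling of a filename shows why the filter has to run on the canonical form: `naive_check` accepts the encoded traversal, while the pipeline resolves it to a path outside `BASE_DIR` and rejects it.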
Reference
- Fundamental Practices for Secure Software Development (SAFECode)
- Serialization
- Serialization Filtering — Deserialization Vulnerability Protection in Java
My suggested answer is C.
Could you explain your choice, please?
Could you explain your choice, please?