ORM validation

@EoinKeary got me thinking about data validation again, in particular the security implications of relying on data validation in the ORM tier when numerous attacks can be performed against the presentation and middle tiers before the data ever reaches the ORM. I still prefer the approach of defining data validation rules in only one place, and that place should be as close to the data as possible, so Hibernate or JPA annotations make a lot of sense.

So how do you validate data for the tiers further up the stack?

Defining data validation rules in two places violates the DRY principle and is going to be error prone. Furthermore, it makes the code less modular because you’d need to redefine the data validation rules every time you add another interface to the application.

A number of web frameworks provide a more elegant solution: Define the data validation rules in the model objects (ORM tier), but validate them whenever you like, e.g. in the web tier when first performing data binding. Some examples:

JBoss Seam: http://docs.jboss.org/seam/2.2.2.Final/reference/en-US/html/validation.html
Grails: http://www.grails.org/doc/latest/guide/validation.html
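The same pattern in plain Java, as an added illustration that is not taken from the Seam or Grails documentation: the rules are declared once on the JPA entity with Bean Validation (JSR-303) annotations, and the web tier runs them on the freshly bound object before it gets anywhere near persistence. The Customer and CustomerFormHandler names are assumed for the example.

```java
import java.util.Set;
import javax.persistence.Entity;
import javax.persistence.Id;
import javax.validation.ConstraintViolation;
import javax.validation.Validation;
import javax.validation.Validator;
import javax.validation.constraints.NotNull;
import javax.validation.constraints.Pattern;
import javax.validation.constraints.Size;

// ORM tier: the entity carries its own validation rules, defined exactly once.
@Entity
public class Customer {
    @Id
    private Long id;

    @NotNull
    @Size(min = 1, max = 64)
    private String name;

    // Allow-list of characters, so every interface (web form, API, batch job)
    // gets the same rule. @Pattern treats null as valid, hence @NotNull too.
    @NotNull
    @Pattern(regexp = "^[A-Za-z0-9._-]{3,32}$")
    private String username;

    public void setName(String name) { this.name = name; }
    public void setUsername(String username) { this.username = username; }
}

// Web tier: bind the request parameters into the model object and apply the
// model's own rules immediately, long before the object reaches the ORM.
class CustomerFormHandler {
    // A Validator is thread-safe; build it once and reuse it for every request.
    private final Validator validator =
        Validation.buildDefaultValidatorFactory().getValidator();

    // An empty set means the input passed the same constraints a JPA 2.0
    // provider checks again before persisting; anything else is a rejection.
    public Set<ConstraintViolation<Customer>> bindAndValidate(String name, String username) {
        Customer customer = new Customer();
        customer.setName(name);
        customer.setUsername(username);
        return validator.validate(customer);
    }
}
```

The caller inspects each violation's getPropertyPath() and getMessage() to build the error response, so the web tier rejects bad input without ever having restated a rule.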

HTTP Fingerprinting tool

A promising HTTP fingerprinting tool: http://useofwords.blogspot.com/2009/11/introducing-htrosbif.html

PCI scoring contradiction

Risk ratings in a PCI security assessment are directly based on CVSS v2 scores. Here’s an extract from the CVSS v2 scoring guide:

SCORING TIP #2: When scoring a vulnerability, consider the direct impact to the target host only. For example, consider a cross-site scripting vulnerability: the impact to a user’s system could be much greater than the impact to the target host. However, this is an indirect impact. Cross-site scripting vulnerabilities should be scored with no impact to confidentiality or availability, and partial impact to integrity.

This seems to contradict the objective of PCI, which is to secure cardholder data. Whether or not this requires 0wning a server is irrelevant. And with XSS you can obviously compromise cardholder data without having to compromise any servers. Go figure.