Difference between revisions of "Don’t trust services"
Revision as of 12:34, 7 September 2008
This is a principle or a set of principles. To view all principles, please see the Principle Category page.
This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.
Last revision (mm/dd/yy): 09/7/2008
Description
Services can refer to any external system.
Many organizations rely on the processing capabilities of third-party partners whose security policies and postures most likely differ from their own. It is unlikely that you can influence or control any external third party, whether it is a home user, a major supplier, or a partner.
Therefore, implicit trust in externally run systems is not warranted. Every external system should be treated alike: as an untrusted source whose input must be validated before it is used.
For example, a loyalty program provider supplies data to an Internet Banking application: the customer's number of reward points and a short list of potential redemption items. That data should still be checked to ensure that it is safe to display to end users and that the reward points are a positive number that is not improbably large.
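The loyalty-program case above, as an added validation layer (example code written for this page, not an OWASP artifact). It assumes a JSON reply with `points` and `items` fields and business limits (`MAX_POINTS`, `MAX_ITEMS`, the allowed item-name characters) that are not stated in the text; the sample replies are constructed.

```python
import json
import re

# Assumed business limits for the Internet Banking side (not stated on the page):
MAX_POINTS = 1_000_000   # a balance above this is "improbably large"
MAX_ITEMS = 20           # the provider only ever returns a short list
NAME_RE = re.compile(r"^[A-Za-z0-9 ,.()-]{1,60}$")  # display-safe item names

# Constructed sample replies from a hypothetical loyalty-program provider.
GOOD_RESPONSE = json.dumps({"points": 1250, "items": [
    {"name": "Coffee voucher", "cost": 500}, {"name": "Cinema ticket", "cost": 900}]})
BAD_RESPONSE = json.dumps({"points": -5, "items": [
    {"name": "Coffee voucher", "cost": 500}]})

class UntrustedServiceData(ValueError):
    """The external service returned data that fails validation."""

def _bounded_int(value, upper, what):
    # type() rather than isinstance(): bool is a subclass of int and must not pass
    if type(value) is not int:
        raise UntrustedServiceData(f"{what} is not an integer")
    if not 0 <= value <= upper:
        raise UntrustedServiceData(f"{what} out of range: {value}")
    return value

def validate_loyalty_response(raw):
    """Parse the provider's JSON and return only checked, display-safe values."""
    try:
        data = json.loads(raw)
    except (TypeError, ValueError):
        raise UntrustedServiceData("response is not valid JSON") from None
    if not isinstance(data, dict):
        raise UntrustedServiceData("response is not a JSON object")
    points = _bounded_int(data.get("points"), MAX_POINTS, "points")
    items = data.get("items", [])
    if not isinstance(items, list) or len(items) > MAX_ITEMS:
        raise UntrustedServiceData("unexpected redemption list")
    safe_items = []
    for item in items:  # reject the whole reply on the first bad field
        if not isinstance(item, dict):
            raise UntrustedServiceData("redemption item is not an object")
        name = item.get("name")
        if not isinstance(name, str) or not NAME_RE.match(name):
            raise UntrustedServiceData(f"unsafe item name: {name!r}")
        cost = _bounded_int(item.get("cost"), MAX_POINTS, "item cost")
        safe_items.append({"name": name, "cost": cost})
    return {"points": points, "items": safe_items}
```

The name allow-list keeps markup out of the data; the rendering layer must still apply its normal output encoding for the context it writes into.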