You don’t need to be a technical resource on a project to realize how closely an application’s success is tied to its security. You also don’t need to be a technical contributor to understand how large a role untrusted data plays in a wide swath of the most serious web security risks, from cross-site scripting to SQL injection and beyond.
However, like a needle in a haystack, it’s one thing to know it’s there and another to know how to find it. Here are 3 rules to help programmers, quality control engineers, project leads, managers and their teams identify their applications’ untrusted data.
Identifying Untrusted Data
It’s very easy to assume you know how to identify untrusted data. For the most part, it’s definitely any information that someone submits to your application... right? Or is it? I’m going to ask you a few questions and see how you fare when it comes to determining if certain information should be trusted or not. I’ll throw up a softball to start...