Hi Stas,

On Fri, Nov 21, 2014 at 1:54 AM, Stas Malyshev <smalys...@gmail.com> wrote:

> > Please refer to CWE/SANS TOP 25, Monster Mitigations especially.
> >
> > http://cwe.mitre.org/top25/#Mitigations
> >
> > and ISO 27000. (I cannot provide a link to it, since one has to buy the
> > document to read it.)
>
> Could you please be more specific about how this is relevant to this
> specific case? "Buy an ISO standard and read it whole" is not exactly a
> good argument when discussing a specific issue.
>
I don't insist that you read the whole ISO 27000 standard. However, it is
important to agree on a "security" definition at least. Otherwise, one says
"it's security" and the other says "it's not security".

Once there is agreement on the security definition, what security is is not
important. What is important is "is it effective to achieve better security?"


> > to_int can be used as validation. It has the advantage of recording a
> > possible attack (or bug). Logging is one of the important security
> > features. Therefore, validation could be said to be more secure than
> > sanitization.
>
> This is just your personal opinion. Logging is not a security feature,
> and if it were, it could be established independently, and should be
> anyway since to_* log nothing. So claiming to_* is a security feature is
> just wrong - it's like saying fopen() is a security feature because you
> could use it to open a log file to which you'd write security-relevant
> data.
>
It's your personal opinion. ISO 27000 (and ISMS) requires treating
accounting (logging) as a security feature. The standard defines 3 major
areas of security: confidentiality, integrity, and availability. It also
adds reliability, authenticity and accountability. This is not my own
opinion.

> > Which strategy to adopt depends on organization/application policy.
> > Public web sites may ignore
>
> This is right. So your claim that one is more secure than the other is
> not correct.
>
We need to look closely at the details.

 - Validation is better than sanitization for accounting.
 - Validation generates too many logs, which may cause DoS (e.g. disk full
   by logs, etc.) and may disturb administrators who check security logs.

Validation (and logging) is better for accounting for sure. However, the
logs generated by validation may do more harm than good depending on the
situation.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
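The trade-off discussed in this message (validation records rejected input for accounting, but an unthrottled log of rejections can itself become a disk-filling or alert-fatigue problem), shown as an added example that is not part of the thread and not PHP's own code. The proposed to_int() is not used because it was never shipped; filter_var() with FILTER_VALIDATE_INT stands in for the validating conversion, the ThrottledRejectionLog class and handle_id() are constructed for illustration, and the source address and inputs are made-up sample data.

```php
<?php
// Added example: validation vs. sanitization of an integer request parameter,
// with a throttled rejection log so that bad input is still recorded without
// producing one log line per malicious request.

declare(strict_types=1);

// Sanitization: coerce and move on. "12abc" silently becomes 12 and "abc"
// becomes 0; nothing is recorded for later accounting.
function sanitize_int(string $input): int
{
    return (int) $input;
}

// Validation: accept only a well-formed integer (optionally within a range)
// and report everything else as null so the caller can log it.
function validate_int(string $input, ?int $min = null, ?int $max = null): ?int
{
    $options = ['options' => []];
    if ($min !== null) {
        $options['options']['min_range'] = $min;
    }
    if ($max !== null) {
        $options['options']['max_range'] = $max;
    }
    $value = filter_var($input, FILTER_VALIDATE_INT, $options);
    return $value === false ? null : $value;
}

// Throttled security log (hypothetical helper): at most $limit rejection
// records per source within a $window-second interval; further rejections are
// counted and summarised in a single line when the window rolls over.
final class ThrottledRejectionLog
{
    /** @var string[] stand-in for error_log()/syslog so the example runs offline */
    public array $lines = [];
    /** @var array<string, array{start:int,count:int,suppressed:int}> */
    private array $state = [];

    public function __construct(private int $limit = 5, private int $window = 60)
    {
    }

    public function reject(string $source, string $param, string $input, int $now): void
    {
        $s = $this->state[$source] ?? ['start' => $now, 'count' => 0, 'suppressed' => 0];

        // Window expired: emit one summary for what was suppressed, then reset.
        if ($now - $s['start'] >= $this->window) {
            if ($s['suppressed'] > 0) {
                $this->lines[] = sprintf('%s: %d further rejections suppressed',
                    $source, $s['suppressed']);
            }
            $s = ['start' => $now, 'count' => 0, 'suppressed' => 0];
        }

        if ($s['count'] < $this->limit) {
            $s['count']++;
            // Truncate and escape the payload so the log line itself is safe to view.
            $shown = addcslashes(substr($input, 0, 64), "\0..\37\177..\377");
            $this->lines[] = sprintf('%s: rejected %s=%s', $source, $param, $shown);
        } else {
            // Beyond the limit: count it, do not write it.
            $s['suppressed']++;
        }
        $this->state[$source] = $s;
    }
}

// Handle one request parameter the "validation" way: reject and log, or accept.
function handle_id(ThrottledRejectionLog $log, string $source, string $input, int $now): ?int
{
    $id = validate_int($input, 1, PHP_INT_MAX);
    if ($id === null) {
        $log->reject($source, 'id', $input, $now);
    }
    return $id;
}

// Demonstration with constructed inputs and a constructed source address.
$log = new ThrottledRejectionLog(limit: 3, window: 60);
var_dump(sanitize_int('12abc'));                          // coerced, nothing recorded
var_dump(handle_id($log, '203.0.113.5', '12abc', 1000));  // rejected and logged
for ($i = 0; $i < 10; $i++) {
    handle_id($log, '203.0.113.5', "bad$i", 1001 + $i);   // flood: logged only up to the limit
}
handle_id($log, '203.0.113.5', 'x', 1100);                // new window: summary line first
print_r($log->lines);
```

The cast-based path never tells anyone that "12abc" arrived, which is the accounting gap the message describes; the validating path does, and the per-source window is what keeps a deliberate flood of rejections from turning the log into the DoS the second bullet warns about. A real deployment would write through error_log() or syslog rather than an in-memory array, and would key the throttle on whatever identifies the client in that environment.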
