Input Validation and Blog Feeds

Saw this article from USA Today about security risks from blog feeds. Looks like Bob Auger from SPI Dynamics did a security evaluation of common RSS readers and found a number of flaws caused by the readers not validating the content they pull in from the various feeds.

When will developers finally internalize the advice that when you get data from an untrusted source (web application user, third-party data feed, RFID tag…) you need to make sure that the data is valid before you start processing it? Hopefully soon, because until that becomes the rule rather than the exception, software security is not going to get any better.
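As an added example (my code, not the post's and not SPI Dynamics' evaluation code), here is what treating feed content as untrusted input looks like in a Python reader: bound the document size before parsing, render only an allow-list of HTML from each item, and reject any link whose scheme is not http(s). The tag allow-list, the size limit and the sample feed are constructed for this illustration.

```python
# Added example (not the post's code): validate untrusted RSS content before it reaches a reader's UI.
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlparse
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "br", "ul", "ol", "li"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
SAFE_SCHEMES = {"http", "https"}                # javascript:, data: and relative URLs are rejected
def safe_url(value):
    return bool(value) and urlparse(value.strip()).scheme.lower() in SAFE_SCHEMES

class FeedHtmlSanitizer(HTMLParser):            # allow-list sanitizer for HTML inside <description>
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self._skip = [], 0            # _skip > 0 while inside a dropped container
    def handle_starttag(self, tag, attrs):      # only <a href> survives; onclick etc. are dropped
        if tag in DROP_WITH_CONTENT:
            self._skip += 1
        elif not self._skip and tag in ALLOWED_TAGS:
            kept = [f' href="{html.escape(v.strip(), quote=True)}"' for n, v in attrs
                    if tag == "a" and n == "href" and safe_url(v)]
            self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip = max(0, self._skip - 1)
        elif not self._skip and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")
    def handle_data(self, data):                # re-escape text so it can never reparse as markup
        if not self._skip:
            self.out.append(html.escape(data))
def sanitize_html(fragment):
    s = FeedHtmlSanitizer()
    s.feed(fragment)
    s.close()                                   # flushes any buffered trailing text
    return "".join(s.out)

def clean_item(item):
    link = (item.findtext("link") or "").strip()
    return {"title": html.escape(item.findtext("title") or ""),
            "link": link if safe_url(link) else "",
            "description": sanitize_html(item.findtext("description") or "")}
def parse_feed(xml_bytes, max_bytes=1_000_000):  # size is bounded before anything is parsed
    if len(xml_bytes) > max_bytes:
        raise ValueError("feed exceeds size limit")
    root = ET.fromstring(xml_bytes)             # stdlib expat; prefer defusedxml in production
    return [clean_item(item) for item in root.iter("item")]

# Constructed sample feed: markup and a javascript: URL smuggled inside feed fields.
SAMPLE_FEED = b"""<rss version="2.0"><channel><item><title>Hello &lt;b&gt;world&lt;/b&gt;</title>
<link>javascript:doSomething()</link><description>&lt;p onclick="x()"&gt;Hi &lt;script&gt;evil()&lt;/script&gt;&lt;a href="javascript:doSomething()"&gt;bad&lt;/a&gt;&lt;a href="https://example.com"&gt;ok&lt;/a&gt;&lt;/p&gt;</description></item></channel></rss>"""
```

`parse_feed(SAMPLE_FEED)` returns one item whose title is entity-escaped, whose link is blanked because of its scheme, and whose description keeps only `<p>Hi <a>bad</a><a href="https://example.com">ok</a></p>`.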

–Dan
dan _at_ denimgroup.com

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.
