Saw this article from USA Today about security risks from blog feeds. Looks like Bob Auger from SPI Dynamics did a security evaluation of common RSS readers and found a number of flaws caused by the readers failing to validate the content arriving from the feeds they subscribe to.
When will developers finally internalize the advice that when you get data from an untrusted source (web application user, third-party data feed, RFID tag…) you need to make sure that the data is valid before you start processing it? Hopefully soon, because until that becomes the rule rather than the exception, the security of software is not going to get any better.
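To make the point concrete, here is an added Python example (my own code, not from the USA Today article or from SPI Dynamics' evaluation) of a feed reader that treats every field of an RSS item as untrusted before it is rendered. The sample feed, the tag/attribute allowlist and the URL scheme check are constructed assumptions for illustration; the second item carries the kind of markup a hostile feed would contain, and the sanitizer strips it rather than passing it through to the reader's HTML view. Python's bundled XML parser is used here; for feeds from the open Internet a hardened parser such as defusedxml would be the safer choice.

```python
import html
from html.parser import HTMLParser
import xml.etree.ElementTree as ET

# Constructed sample feed (not a real feed). The second item's description and
# link carry markup an RSS reader must not render or follow as-is.
SAMPLE_FEED = """<rss version="2.0"><channel><title>Example</title>
<item><title>Benign</title><link>http://example.com/a</link>
<description>&lt;p&gt;Hello &lt;b&gt;world&lt;/b&gt;&lt;/p&gt;</description></item>
<item><title>Hostile</title><link>javascript:alert(1)</link>
<description>&lt;p onclick="x()"&gt;Hi&lt;/p&gt;&lt;script&gt;steal()&lt;/script&gt;&lt;a href="javascript:void(0)"&gt;click&lt;/a&gt;</description></item>
</channel></rss>"""

# Allowlist (an assumption for this example): only formatting tags survive,
# and the only attribute kept is href on <a>, restricted to http(s) URLs.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "br", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://")


def safe_url(url):
    """Accept a link only if it is an absolute http or https URL."""
    if url is None:
        return False
    return url.strip().lower().startswith(SAFE_SCHEMES)


class AllowlistSanitizer(HTMLParser):
    """Re-emit HTML keeping only allowlisted tags/attributes; drop script bodies."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script>/<style>: discard text

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: keep its text, drop the tag itself
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # event handlers and everything else are dropped
            if name == "href" and not safe_url(value):
                continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag != "br":  # <br> is a void element; others get a closing tag
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            # convert_charrefs decoded entities; re-escape so text stays text
            self.out.append(html.escape(data))


def sanitize_html(fragment):
    """Return a version of `fragment` containing only allowlisted markup."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def parse_feed(xml_text):
    """Parse RSS 2.0 text and validate each item's title, link and description."""
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iter("item"):
        link = item.findtext("link", default="")
        items.append({
            "title": html.escape(item.findtext("title", default="")),
            "link": link if safe_url(link) else "",  # reject non-http(s) links
            "description": sanitize_html(item.findtext("description", default="")),
        })
    return items


if __name__ == "__main__":
    for entry in parse_feed(SAMPLE_FEED):
        print(entry)
```

Running the block prints the benign item unchanged, while the hostile item comes out with the `onclick` handler, the `<script>` element and its body, and the `javascript:` URLs removed. The design choice worth noting is the allowlist: the reader decides what it will accept rather than trying to enumerate what a feed might do wrong, which is the only approach that holds up when the feed author is not trusted.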
–Dan
dan _at_ denimgroup.com
Hey Dan,
Great link — I just posted a post about input validation and different approaches at:
http://www.buildingsecurecode.com/2007/04/26/approaches-to-input-validation/
Thanks,
Kevin
—
Kevin Lam
Impacta LLC (http://www.impactalabs.com)
“Risk management solutions working for you”