Hi Stas,

On Thu, Nov 20, 2014 at 10:28 AM, Stanislav Malyshev <smalys...@gmail.com>
wrote:

> > I like this RFC overall. Precise parameter checks are good for security
> > always.
>
> I don't see how it matters for security at all. If you need an int,
> (int) works as well as any proposed check, security-wise. You may want
> different diagnostics, etc. but this doesn't have to do much with
> security. In other words, if the security depends on any differences
> between (int) and to_int, it's probably not done right.


Please refer to the CWE/SANS Top 25, especially the Monster Mitigations section.

http://cwe.mitre.org/top25/#Mitigations

and ISO 27000. (I cannot provide a link to it, since one has to buy the
document to read it.)

Programmers should control all inputs; that is the most important security
measure.
There are two strategies in general:

 - Convert inputs to secure values and ignore possible attacks.
   (Sanitization)
 - Validate inputs to reject malformed values and record possible attacks.
   (Validation and logging)

(int) is sanitization. It works, but it cannot log/detect a possible attack
(or bug).

to_int can be used as validation. It has the advantage of recording a possible
attack (or bug). Logging is one of the important security features. Therefore,
validation could be said to be more secure than sanitization.

Which strategy to adopt depends on organization/application policy. Public web
sites may ignore invalid inputs due to the large number of attacks, while
private web sites may require recording all possible attacks (or bugs), for
example.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
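The sanitization-versus-validation contrast from the message above, as an added PHP example (not code from this thread or from the RFC it discusses). Because the proposed to_int() is not part of PHP, filter_var() with FILTER_VALIDATE_INT stands in for it; the rejection behaviour shown is filter_var()'s, and the sample inputs and the in-memory log array are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not from the mailing-list thread or the RFC.
// Strategy 1: sanitization. (int) always yields an integer, so malformed
// input is coerced silently and there is nothing left to detect or log.
function sanitize_int(string $raw): int
{
    return (int) $raw;
}

// Strategy 2: validation with logging. filter_var() with FILTER_VALIDATE_INT
// is used here as a stand-in for the RFC's to_int() (assumption: not the same
// semantics). It returns false for anything that is not a well-formed
// integer; we reject such input, record the rejection and return null.
function validate_int(string $raw, array &$log): ?int
{
    $value = filter_var($raw, FILTER_VALIDATE_INT);
    if ($value === false) {
        $log[] = sprintf(
            '%s rejected non-integer input %s',
            date('c'),
            var_export($raw, true)
        );
        return null;
    }
    return $value;
}

// Constructed sample inputs: one well-formed value and three malformed ones
// whose defects (int) hides (trailing garbage, a float, an empty string).
$inputs = ['42', '42abc', '4.5', ''];
$log = [];

foreach ($inputs as $raw) {
    $sanitized = sanitize_int($raw);
    $validated = validate_int($raw, $log);
    printf(
        "%-8s sanitized=%d validated=%s\n",
        var_export($raw, true),
        $sanitized,
        $validated === null ? 'rejected' : (string) $validated
    );
}

// The log is the artefact the sanitization path never produces. A real
// deployment would route it to error_log() or a SIEM instead of stdout.
echo "\nvalidation log:\n";
foreach ($log as $entry) {
    echo "  $entry\n";
}
```

Run it with `php example.php`: every input comes out of sanitize_int() as some integer with no trace of the malformed ones, while validate_int() returns null for the three malformed values and leaves one log entry per rejection, which is the detection capability the message describes.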
