https://community.isc2.org/t5/Tech-Talk/Output-and-input-control/m-p/61677#M4020 <P>Garbage in/Garbage out.<BR /><BR />If you can control what goes into a system, process, storage, function, programme and limit it to correct content/format/you know lineage/it’s traceable you can do a whole lot. But if your not geared for it it’s expensive…<BR /><BR />Privacy world data flow mapping is a good example.<BR /><BR />Network storage scan what you put in for malware, scan what you take out. clean pipe.<BR /><BR />APIs that really control what they accept will stop you getting badly formatted cruft.<BR /><BR />You might consider looking at the Biba model which prevents an entity writing to a higher level than allowed to preserve integrity of information at that level / it’s not the same thing but introns where IO can go.</P><P>&nbsp;</P><P>in all cases you’re hoping to control wat good in and what comes out based on classification, type, source, destination - really good example is having applications generate their own SQL queries on the fly so you can cut injection etc off at the source.</P> Tue, 15 Aug 2023 05:44:44 GMT Early_Adopter 2023-08-15T05:44:44Z https://community.isc2.org/t5/Tech-Talk/Output-and-input-control/m-p/61663#M4019 <P>Hi all,</P><P>&nbsp;</P><P>why is output and input controls useful to mitigate data contamination?</P><P>&nbsp;</P><P>From my point of view it has to do something with throughput. So only statement was to mitigate data&nbsp;<SPAN>throughput.</SPAN></P><P>&nbsp;</P><P><SPAN>Have someone an idea why it mitigate data contamination.</SPAN></P><P>&nbsp;</P><P><SPAN>Thanks</SPAN></P><P><SPAN>OliLue</SPAN></P> Mon, 14 Aug 2023 20:28:28 GMT https://community.isc2.org/t5/Tech-Talk/Output-and-input-control/m-p/61663#M4019 OliLue 2023-08-14T20:28:28Z https://community.isc2.org/t5/Tech-Talk/Output-and-input-control/m-p/61677#M4020 <P>Garbage in/Garbage out.<BR /><BR />If you can control what goes into a system, process, storage, function, programme and limit it to correct content/format/you know lineage/it’s traceable you can do a whole lot. But if your not geared for it it’s expensive…<BR /><BR />Privacy world data flow mapping is a good example.<BR /><BR />Network storage scan what you put in for malware, scan what you take out. clean pipe.<BR /><BR />APIs that really control what they accept will stop you getting badly formatted cruft.<BR /><BR />You might consider looking at the Biba model which prevents an entity writing to a higher level than allowed to preserve integrity of information at that level / it’s not the same thing but introns where IO can go.</P><P>&nbsp;</P><P>in all cases you’re hoping to control wat good in and what comes out based on classification, type, source, destination - really good example is having applications generate their own SQL queries on the fly so you can cut injection etc off at the source.</P> Tue, 15 Aug 2023 05:44:44 GMT https://community.isc2.org/t5/Tech-Talk/Output-and-input-control/m-p/61677#M4020 Early_Adopter 2023-08-15T05:44:44Z https://community.isc2.org/t5/Tech-Talk/Output-and-input-control/m-p/61695#M4022 <P>If you examine the OWASP top 10 or SANS top 25 vulnerabilities you'll find some of the common vulnerabilities relate to systems accepting unsanitised input i.e. XSS, SQL injection.&nbsp; Also have a look at Mitre CWE 20.&nbsp; Data can be parsed as code very easily.</P><P>&nbsp;</P><P>In terms of output validation it's always a good idea that there are reasonableness checks of values i.e. is it reasonable that I'm paying several million to a small supplier or individual?&nbsp; Is the data in a field even of the correct format or data type or am I pushing the challenge of validation to a downstream system, which may itself omit any sort of validation.&nbsp;</P> Tue, 15 Aug 2023 15:05:03 GMT https://community.isc2.org/t5/Tech-Talk/Output-and-input-control/m-p/61695#M4022 Steve-Wilme 2023-08-15T15:05:03Z