Elias,

How about the "Known State Principle": we only respond in 'known' ways to input; all other input is discarded.

Regards,

George Milliken, CEO farm9.com, Inc. -- gmillikenat_private
24x7 Intrusion Prevention & Incident Response http://www.farm9.com
24x7 Log Consolidation & Managed IDS
SOC : 510-835-3276 x253 cell: 510-913-8850 fax: 925-376-5907
==================================================
SANS Network Security 2001 San Diego, CA Oct 15-22
==================================================

-----Original Message-----
From: aleph1at_private [mailto:aleph1at_private]
Sent: Tuesday, June 26, 2001 11:23 AM
To: secprogat_private
Subject: Principle of Inclusion?

We have all heard the old security principle of not filtering out known bad input but filtering in known good input, but I've never heard it "named" like we name the "principle of least privilege". Do you know of any such name? I am thinking of simply christening it the principle of inclusion. I am defining it as:

The principle of inclusion tells us that when performing input validation for security purposes we should not define what is considered invalid input and refuse any input that matches this definition, since our definition of what is invalid may not be complete, and that instead we should define what is considered valid input and refuse any input that does not match this definition.

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
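The following is an added example (not part of the thread above, and not code from either author) contrasting the two validation styles the messages describe: an exclusion filter built from a short list of known-bad characters, an inclusion check that accepts only a defined pattern, and a dispatcher that acts only on known commands and discards everything else, in the spirit of the "Known State Principle" reply. The username format (1 to 32 ASCII word characters), the command names and the sample inputs are all assumptions constructed for the illustration. It also shows one caveat of inclusion checks as usually written in Python: `re.match` with a `$` anchor still accepts a trailing newline, which `fullmatch` does not.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# --- Exclusion ("filter out known bad") ---------------------------------
# A denylist is incomplete by construction: it only knows the characters
# its author thought of. (Assumed list; not from the thread.)
BAD_CHARS = frozenset("'\";")


def is_safe_by_exclusion(value: str) -> bool:
    """Reject input only if it contains a character on the denylist."""
    return not any(c in BAD_CHARS for c in value)


# --- Inclusion ("filter in known good") ---------------------------------
# Assumed format: a username is 1 to 32 ASCII letters, digits or underscore.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_by_inclusion(value: str) -> bool:
    """Accept input only if the whole string matches the allowed pattern."""
    return USERNAME_RE.fullmatch(value) is not None


def is_valid_sloppy(value: str) -> bool:
    """Same pattern, but anchored with ^...$ and re.match.

    Caveat: in Python, '$' also matches just before a trailing newline,
    so 'alice\\n' passes this check even though '\\n' is not allowed.
    """
    return re.match(r"^[A-Za-z0-9_]{1,32}$", value) is not None


# --- Known-state dispatch -----------------------------------------------
# Only commands listed here are handled; anything else is discarded rather
# than interpreted. (Assumed command set; not from the thread.)
HANDLERS: Dict[str, Callable[[str], str]] = {
    "echo": lambda arg: arg,
    "upper": lambda arg: arg.upper(),
}


def dispatch(command: str, arg: str) -> Optional[str]:
    """Respond only in known ways: known command AND valid argument, else None."""
    if not is_valid_by_inclusion(arg):
        return None
    handler = HANDLERS.get(command)
    if handler is None:
        return None
    return handler(arg)


# --- Constructed sample inputs --------------------------------------------
# Each tuple: (input, description). These are made up for the example.
SAMPLES: List[Tuple[str, str]] = [
    ("alice", "ordinary username"),
    ("alice'--", "quote and comment sequence, on the denylist"),
    ("alice\n", "trailing newline, not on the denylist"),
    ("../../etc/passwd", "path traversal, not on the denylist"),
    ("alice admin", "embedded space, not on the denylist"),
]


def compare(samples: List[Tuple[str, str]] = SAMPLES) -> Dict[str, Tuple[bool, bool]]:
    """Return {input: (passes_exclusion, passes_inclusion)} for each sample."""
    return {s: (is_safe_by_exclusion(s), is_valid_by_inclusion(s)) for s, _ in samples}


if __name__ == "__main__":
    for value, (excl, incl) in compare().items():
        print(f"{value!r:22} exclusion={excl!s:5} inclusion={incl}")
    print("sloppy anchor accepts 'alice\\n':", is_valid_sloppy("alice\n"))
    print("dispatch('upper', 'alice') ->", dispatch("upper", "alice"))
    print("dispatch('rm', 'alice')    ->", dispatch("rm", "alice"))
```

Running it shows the point of the original message: every input that the denylist fails to anticipate (newline, traversal, space) sails through the exclusion check, while the inclusion check rejects all of them because they were never defined as valid.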
This archive was generated by hypermail 2b30 : Thu Jun 28 2001 - 09:26:10 PDT