From 81057197eb96f4cb94db324d7435dd07bd005e0a Mon Sep 17 00:00:00 2001 From: Ben Jones Date: Wed, 9 Oct 2024 12:54:49 +1100 Subject: [PATCH] Update README.md --- .../defensive_data_handling/README.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.student_resources/defensive_data_handling/README.md b/.student_resources/defensive_data_handling/README.md index 5f15d54..25551b3 100644 --- a/.student_resources/defensive_data_handling/README.md +++ b/.student_resources/defensive_data_handling/README.md 
@@ -9,20 +9,20 @@ Input validation is a security control where input is checked to be valid data. ## Data sanitisation -Data sanitisation is where data is 'santised' or cleaned for processing or storing. This is the process of replacing any potentially malicious characacters with non processing codes so the text will render as expected but no prcoessing will occur. For example the malicious string **`"';DROP TABLE users"`** when santitised will be stored as **\'\;DROP TABLE users** but will be render as **`';DROP TABLE users'**. +Data sanitisation is where data is 'sanitised' or cleaned for processing or storing. This is the process of replacing any potentially malicious characters with non-processing codes so the text will render as expected, but no processing will occur. For example the malicious string **`"';DROP TABLE users"`** when santitised will be stored as **\'\;DROP TABLE users** but will be render as **`';DROP TABLE users'**. -### Data sanatisation methods +### Data sanitisation methods -- Best practice is to make all strings web safe before storing or processing them using a library like [html](https://docs.python.org/3/library/html.html). -- Content loaded from a JSON file is loaded after all JavaScript has been executed so any malicious code in a JSON will never be executed by the browser.* -- Jinga2 (built into Flask) converts all strings into web safe strings before rendering on the front-end.* +- The best practice is to make all strings web-safe before storing or processing them using a library like [html](https://docs.python.org/3/library/html.html). 
+- Content loaded from a JSON file is loaded after all JavaScript has been executed, so any malicious code in a JSON will never be executed by the browser.* +- Jinga2 (built into Flask) converts all strings into web-safe strings before rendering on the front end.* \* _These measures are reactive but are still recomended as best pratice in the situation that malicious code bypasses all defensive measures._ ## Exception Handling -Exception handling is essential in defensive data handing as a malicious user may attempt to exploit the application by providing it with invalid input to attempt to trigger an vulnerability. Whilst simple boolean analysis is the minimum. Students should be familiar with [Python exception handling](https://docs.python.org/3/tutorial/errors.html) specifically the [try](https://docs.python.org/3/reference/compound_stmts.html#try) statement. The Backend data validation with [regular expressions, REGEXR and binary selection](data_handler.py) provides a detailed example of this applied to defensive data handing. +Exception handling is essential in defensive data handling as a malicious user may attempt to exploit the application by providing it with invalid input to attempt to trigger a vulnerability. While simple boolean analysis is the minimum. Students should be familiar with [Python exception handling](https://docs.python.org/3/tutorial/errors.html), specifically the [try](https://docs.python.org/3/reference/compound_stmts.html#try) statement. The Backend data validation with [regular expressions, REGEXR and binary selection](data_handler.py) provides a detailed example of this applied to defensive data handing. ## Logging -Developing and implementing logging as part of defensive data handling improves a developers chances of detecting malicious behaviour. A log entry should be made with every error, exception or unexpected behaviour and it should include sufecient detailed of the event to allow improvememnt of data handling practices. 
A developer and their organisation should include cyclical log reviews as part of the sofwtare development lifecycle. Note: [logging is recomended as best pratice by the The Australian Signals Directorate's Australian Cyber Security Centre](https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-monitoring/best-practices-event-logging-threat-detection). +Developing and implementing logging as part of defensive data handling improves a developer's chances of detecting malicious behaviour. A log entry should be made with every error, exception or unexpected behaviour, and it should include sufficient details of the event to allow for improvement of data handling practices. A developer and their organisation should include cyclical log reviews as part of the software development lifecycle. Note: [logging is recommended as best practice by the Australian Signals Directorate's Australian Cyber Security Centre](https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-monitoring/best-practices-event-logging-threat-detection).
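Review bot: the worked example in the sanitisation paragraph still misstates what sanitisation produces, and the `+` line keeps the typos "when santitised will be stored as" and "will be render as". The stored form `\'\;DROP TABLE users` is backslash escaping, which is a SQL-context measure, not the HTML encoding the next bullet recommends via the `html` module; `html.escape("';DROP TABLE users")` actually returns `&#x27;;DROP TABLE users`, and that is what renders as `';DROP TABLE users` in the browser. Suggest rewriting the example around one context, e.g. "the string `';DROP TABLE users` is stored as `&#x27;;DROP TABLE users` and renders as `';DROP TABLE users`", and adding that SQL injection is prevented with parameterised queries rather than character replacement. Further points in the same hunk: "Jinga2" should be "Jinja2" in the added bullet; the added bullet claiming JSON content "is loaded after all JavaScript has been executed, so any malicious code in a JSON will never be executed by the browser" is not a sanitisation method and the reasoning does not hold, since JSON values written into the page with `innerHTML` or `eval` execute regardless of load order, so either drop it or reword it to require `JSON.parse` and insertion as text (`textContent`); "While simple boolean analysis is the minimum." remains a sentence fragment after the edit and should be joined to the sentence that follows; "defensive data handing" at the end of the exception-handling paragraph and "recomended as best pratice" in the unchanged footnote are still misspelled.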