All variable information that a client sends is filtered and sanitized before the application processes it. The same applies to output derived from user data that is presented back to users. This avoids any unintentional side-effect of processed data.
Specification
Any input and output will adhere to the concept of 'do not trust user input/output'. Normalisation, validation, and limitation should be applied to both input and output.
Any data entered by the user, or processed as a result of an earlier entry, should be handled in such a way that it cannot cause any side-effects in the application.
In web application programming this means avoiding SQL injection, cross-site scripting and any other influence on the application or on the presentation to the user. This should be validated using vulnerability scanners.
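The normalise, validate and limit sequence for input, a parameterised query instead of string-built SQL, and context-aware encoding on the output side, as an added Python example that is not part of this page or of the SURF framework. The users table, the username allow-list pattern and the 32-character limit are constructed assumptions chosen for the illustration; a real application derives them from the field's specification.

```python
import html
import re
import sqlite3
import unicodedata

# Constructed limits for this example (assumption, not from the page).
MAX_USERNAME_LEN = 32
USERNAME_RE = re.compile(r"^[a-z0-9_]+$")


def normalise(value: str) -> str:
    """Step 1, normalisation: bring input into one canonical form before checking it,
    so that visually different encodings of the same text are judged identically."""
    return unicodedata.normalize("NFKC", value).strip().lower()


def validate_username(value: str) -> str:
    """Steps 2 and 3, validation and limitation: allow-list the characters and
    bound the length; anything else is rejected rather than 'cleaned up'."""
    value = normalise(value)
    if len(value) == 0 or len(value) > MAX_USERNAME_LEN:
        raise ValueError("username length out of range")
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("username contains characters outside the allow-list")
    return value


def is_valid_username(value: str) -> bool:
    """Boolean wrapper around validate_username for callers that only need yes/no."""
    try:
        validate_username(value)
        return True
    except ValueError:
        return False


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, bio TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "<b>likes</b> security"), ("bob", "plain bio")],
    )
    return conn


def find_bio_unsafe(conn: sqlite3.Connection, raw_name: str) -> list:
    """Deliberately vulnerable 'before' form: client data is pasted into the SQL
    text, so the data can change the query instead of only being compared."""
    cur = conn.execute(f"SELECT bio FROM users WHERE name = '{raw_name}'")
    return [row[0] for row in cur.fetchall()]


def find_bio(conn: sqlite3.Connection, raw_name: str) -> list:
    """Hardened form: input is validated first, and the value travels as a bound
    parameter, so the database never interprets it as SQL."""
    name = validate_username(raw_name)
    cur = conn.execute("SELECT bio FROM users WHERE name = ?", (name,))
    return [row[0] for row in cur.fetchall()]


def render_bio(bio: str) -> str:
    """Output side: encode for the HTML context so stored data is shown as text
    and cannot become markup or script in the page."""
    return "<p>" + html.escape(bio, quote=True) + "</p>"


if __name__ == "__main__":
    db = build_db()
    print(find_bio(db, "  Alice "))                 # normalised to 'alice'
    print(render_bio(find_bio(db, "alice")[0]))     # markup in the bio is escaped
    print(is_valid_username("x' OR '1'='1"))        # rejected before any query runs
```

The unsafe function is kept only to show what the allow-list and bound parameter prevent; the hardened path rejects the crafted value at validation time, and even a value that passed validation could not alter the query because it is bound, not concatenated.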
In network traffic handling this means avoiding any side-effects or even crashes such as ping-of-death or other attacks on network stacks.
This also applies to third-party software used in data processing, which must be updated when vulnerabilities are found.
ISO 27001 & 27002:2022
8.1, A5.8, A8.25, A8.26, A8.27, A8.28, A8.29, A8.31, A8.30, A8.32
SURF toetsingskader informatiebeveiliging (NBA-volwassenheidsmodel)
SD.01 Methodology for secure development and implementation of software