Trust No One - Be Warned!

The Log4j debacle has once again brought into focus an old mantra of web development:

Trust no one!

As a developer, you are responsible for the data you retrieve from various sources. Especially for data that comes from a context you can't control.

Then, first of all, for data coming through the Web API, but also for data coming from a database or data coming from the file system.

But if the data .... NO!
But the operating system has validated the data ... NO!
But my users are sweet ... NO!

All data must be validated and it must be ensured that these inputs are not malicious.

And when we talk about data, we mean all kinds of data. That includes metadata like the headers as well as environment variables of the operating system.

You also never know what will happen to the data later (see Log4j).

Anyone who continues to use unverified data is on a path to hell.

Therefore: Validate your data!

You can't trust anyone. You are the developer and you are responsible!

References

• Hackers Target Real Estate Websites with Skimmer in Latest Supply Chain Attack
• Apache Log4j Vulnerability Guidance
• STATEMENT FROM CISA DIRECTOR EASTERLY ON “LOG4J” VULNERABILITY
• lunasec.io/docs/blog/log4j-zero-day/
• issues.apache.org/jira/browse/LOG4J2-905
• Computer security
• CVE-2021-44228