Sunday, December 21, 2008

The Developer's take on Input Validation

I have a bunch of friends working in some of the most coveted Software Development companies in India. I met some of them in a coffee shop recently and we got talking about work (which is, unfortunately, the only thing all of us do for more than 12 hours a day). They were all working on a Relationship Management Application (web interface) which they were designing for a major European Bank. This Relationship Management Application helped the Bank's relationship managers build stronger relationships with clients who were High Net Worth Individuals and keep them marveling at the bank's efficiency and Customer friendliness.

This application allows the bank's relationship managers to go over the client's account information. They have access to a client's transactions, his family information and other personal records as well. (I guess, by now, you can see where I am going with this.)

Shamefully, I put my Security Hat on! (I was in a coffee house with some friends!!), and I started to go "Auditor" on my buddies. I asked them what they were doing to validate data. The answer they gave me was this: "You see, this is not an Internet facing Application, the users of this application are the bank's staff. Why the hell would they enter some nonsense input like a '*' or a '<'? There is no real need to have this validation done, because it is a waste of time and more importantly, serious billing hours for us, because this is a Fixed Cost project and we had to deliver this application pretty quickly". For those of you who are not aware of what a "Fixed Cost project" is, it is one where the cost of the project is fixed regardless of the amount of time and effort which is put in by the Software Development company undertaking this project. One more clue to this puzzle has been given: as you can see, the Software Development company my friends are working for doesn't really want to go beyond the scope of work and work out some validation routines for this app.

The next thing I asked them was whether their client had not asked them for validations to be built in as part of the application. They said that the client only required some basic client-side validation (which checks whether a field is empty or not) and that was that. Another clue in this relatively simple case, my friends. There is only Client Side Validation and that too, a simple one!!

I did not display my shock that day to my friends sitting there with me and enjoying a nice cuppa, but I am shocked enough to say the following:

  1. 61% of respondents think data leakage is an insider’s job. 23% believe those leaks are malicious. - McAfee and Datamonitor’s Data Loss Survey, 2007

  2. When people are accessing client data worth millions of dollars, they better make sure that they validate inputs for more than checks for "empty fields".

  3. Insiders have detailed information and a data leak from the inside can be debilitating for a company.

  4. 'Cause you don't have to be a "Super-Hacker" to steal info from an application which validates input this way. Any insider with some basic HTML and JavaScript knowledge can game this app.

  5. When you are outsourcing application development, ensure that Security is your primary concern. Especially when you are a large Bank and when there is a data-leakage, you will probably lose all the customers you are trying to keep the happiest.

  6. A Note to Software Development Companies: Your reputation will also be in the swamp if you allow your applications to have such issues. Validate input; it is not that difficult or expensive. It is much less expensive than a loss of credibility and reputation.
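
To illustrate points 2 and 4, here is an added sketch (not code from the application described in this post) that puts the "is the field empty?" check beside a server-side allow-list validator, which runs no matter what the browser did or did not check. The field names, length limits and patterns are assumptions made for the example.

```javascript
'use strict';

// The only check the post describes: "is the field empty?", done in the browser.
function isNonEmpty(value) {
  return typeof value === 'string' && value.trim().length > 0;
}

// Server-side allow-list rules (hypothetical fields): each states what it MAY contain.
const RULES = {
  clientName:    { max: 80, pattern: /^[\p{L}][\p{L} .'-]*$/u },
  accountNumber: { max: 12, pattern: /^[0-9]{8,12}$/ },
  amount:        { max: 15, pattern: /^[0-9]{1,12}(\.[0-9]{1,2})?$/ },
};

// Validate a submitted form on the server. Returns { ok, errors, clean }.
function validateForm(input) {
  const errors = {};
  const clean = {};
  // Reject fields the form never defined instead of silently passing them on.
  for (const key of Object.keys(input)) {
    if (!Object.prototype.hasOwnProperty.call(RULES, key)) errors[key] = 'unexpected field';
  }
  for (const [field, rule] of Object.entries(RULES)) {
    const raw = input[field];
    if (typeof raw !== 'string') { errors[field] = 'missing or not a string'; continue; }
    // Normalise look-alike forms before matching, then trim surrounding whitespace.
    const value = raw.normalize('NFKC').trim();
    if (value.length === 0) errors[field] = 'empty';
    else if (value.length > rule.max) errors[field] = 'too long';
    else if (!rule.pattern.test(value)) errors[field] = 'outside allow-list';
    else clean[field] = value;
  }
  return { ok: Object.keys(errors).length === 0, errors, clean };
}

// Constructed sample submissions.
const good = { clientName: "Anne-Marie O'Neil", accountNumber: '0012345678', amount: '2500.00' };
const odd  = { clientName: '<b>x</b>', accountNumber: '*', amount: '10' };

console.log('empty-field check accepts odd name:', isNonEmpty(odd.clientName));
console.log('server accepts good form:', validateForm(good).ok);
console.log('server errors for odd form:', validateForm(odd).errors);
```

Only the values in `clean` should be passed on to queries or rendered back into pages; everything else is rejected with a per-field reason that can also be logged for review.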

Disclaimer

The views presented in this blog are entirely mine and are not those of my company.

© Abhay Bhargav 2010