Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:79054
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 32803 invoked from network); 20 Nov 2014 23:07:08 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 20 Nov 2014 23:07:08 -0000
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.223.175 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.223.175 mail-ie0-f175.google.com  
Received: from [209.85.223.175] ([209.85.223.175:56001] helo=mail-ie0-f175.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 62/00-32541-A147E645 for <internals@lists.php.net>; Thu, 20 Nov 2014 18:07:07 -0500
Received: by mail-ie0-f175.google.com with SMTP id at20so3738387iec.6
        for <internals@lists.php.net>; Thu, 20 Nov 2014 15:07:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc:content-type;
        bh=IE7w/Lytos0NoJAt+D0acF/QkGFFRw3gbydM3RYoqiw=;
        b=UZ6OYUfr75xomerz2Tz/U/kMOUaM0uApYja8sojXDoP+B+JagiOU/NzSCpse+ETbkB
         bPU5bYZ6rmnmhIPUr1l38GeNY7+OXwy93Ts6CigwH6Quj/ugiOvilTl/ly0vunD1rayc
         JOynXXKFUXUHQH2zEmS/FokAV/zMjE2gfV41oC1uT574qh35Dlakwl9lvRWUaKLX/BQI
         cpLATZBcbJArtrv6Me4EEbf+ntAH/P4DhZnCIn7FMBqshbvifOa+JZDxsG6UWyElVSx6
         2jc4htGP0vSQ7CSDRBrJvPlVMiNFFArLiTPyYPv5++cZcFewV4M4QU1KOizNYGcOcDn5
         1xWw==
X-Received: by 10.107.30.68 with SMTP id e65mr1000196ioe.9.1416524823512; Thu,
 20 Nov 2014 15:07:03 -0800 (PST)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.107.164.217 with HTTP; Thu, 20 Nov 2014 15:06:23 -0800 (PST)
In-Reply-To: <CADR=R-grjMrJupAQ3GL+2L3_1gOto9ORJQR2X47jCoPTYJypNw@mail.gmail.com>
References: <66B7B28C-2651-4A71-AC2A-55D4C7BB3DDC@ajf.me> <CAGa2bXY4P9dP6rB0-hZ9E5=ALQv+04s157BtwyF7_N3VZV8igA@mail.gmail.com>
 <546D43B3.60708@gmail.com> <CAGa2bXZE9u+nWz2ebdxhMWSnLxheyMcbFGYRy63a9M6Sz6hfXA@mail.gmail.com>
 <CADR=R-grjMrJupAQ3GL+2L3_1gOto9ORJQR2X47jCoPTYJypNw@mail.gmail.com>
Date: Fri, 21 Nov 2014 08:06:23 +0900
X-Google-Sender-Auth: yzvQmo8Zx7OqmgrR8VOVWuPK0lc
Message-ID: <CAGa2bXYiVrwsSf9Uj61ZPWP2uM_ENVtqTHb4m32OZuyJ0MsRjw@mail.gmail.com>
To: Stas Malyshev <smalyshev@gmail.com>
Cc: Andrea Faulds <ajf@ajf.me>, PHP Internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a1140f4acec075f050852627b
Subject: Re: [PHP-DEV] [RFC] Safe Casting Functions
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

--001a1140f4acec075f050852627b
Content-Type: text/plain; charset=UTF-8

Hi Stas,

On Fri, Nov 21, 2014 at 1:54 AM, Stas Malyshev <smalyshev@gmail.com> wrote:

> > Please refer to CWE/SANS TOP 25, Monster Mitigation especially.
> >
> > http://cwe.mitre.org/top25/#Mitigations
> >
> > and ISO 27000. (I cannot provide link to it, since one should buy the
> > document to read)
>
> Could you please be more specific about how this relevant to this
> specific case? "But an ISO standard and read it whole" is not exactly a
> good argument discussing specific issue.
>
I don't insist to read whole ISO 27000 standard.  However, it is important
to agree
"security" definition at least. Otherwise,  one says "it's security" and
other says
"it's not security".

Once there is agreement for security definition what is security is not
important.
What is important is "is it effective to achieve better security".


> > to_int can be used as validation. It has advantage to record possible
>
> > attack (or bug). Logging is
> > one of important security feature. Therefore, validation could be said
> > more secure than sanitization.
>
> This is just your personal opinion. Logging is not a security feature,
> and if it were, it could be established independently, and should be
> anyway since to_* log nothing. So claiming to_* is a security feature is
> just wrong - it's like saying fopen() is a security feature because you
> could use it to open a log file to which you'd write security-relevant
> data.
>
It's your personal opinion. ISO 27000 (and ISMS) requires to treat
accounting
(logging) as security feature. The standard defines 3 major area of
security,
confidentiality, integrity, availability. It also adds, reliability,
authenticity and
accountability. This is not my own opinion.

> Which strategy to adopt is that depends on organization/application
> > policy. Public web sites may ignore
>
> This is right. So your claim that one is more secure than the other is
> not correct.
>
We need to close look at the detail.

 - Validation is better than sanitization for accounting.
 - Validation generates too many log that may cause DoS (e.g. disk full by
   log, etc), may disturb administrator who checks security logs.

Validation (and logging) is better for accounting for sure. However, the log
generated by validation may do harm than good depending on situation.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net

--001a1140f4acec075f050852627b--