|
No. Instead, I recommend that developers code their applications to only allow the required set of characters necessary for the application to function properly. That is an application development best practice.
Many organizations view secure coding as an activity that is supposed to happen at the end of the development process. However, if someone testing an application at the end of the development lifecycle says an application needs recoding to ensure its security, that application will need to be reworked and retested, along with any other application that interacts with it. This constant tweaking is often far more expensive than implementing an iterative security process throughout an application development lifecycle.
If there is a field called "State," for example, there is no reason to allow <, > ;, *, --, or : as possible values. If application developers write code from the perspective of only accepting known good values, it decreases the overall cost of application development by cutting quality assurance and certification and accreditation testing.
For more help, a great framework to use is the Scalable & Agile Lifecycle Security for Applications.
More information:
Video: Security researchers at Information Security Decisions 2008 recently discussed how to keep enterprises safe from cross-site scripting and buffer overflows.
|