Guideline: Build a positive security model
Part of: Development Security Guidelines
Overview: Building a set of Guidelines for Security and Privacy
This guideline is about things like input validation. When building systems, it is wise to consider whether you can predict or define the values that should be allowed. If this is possible, defining a positive security model (or a whitelist) is the most secure way to go. This can be done implicitly or explicitly.
An example of explicit whitelisting is that, for a date field, only the value 01/01/1980 is allowed. An example of implicit whitelisting is that, again for a date field, the value needs to comply with the format mm/dd/yyyy. The whitelisting is that the value still has to be a date, but any date will suffice.
Positive security models can also be about allowing specific behavior patterns in applications or websites. It is thus all about defining what may be allowed and ignoring the rest.
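The two date-field models above, as an added example that is not part of the original guideline. The function names and sample inputs are hypothetical and constructed for illustration; the implicit check enforces both the mm/dd/yyyy shape and that the value is a real calendar date.

```python
import re
from datetime import datetime

# Explicit whitelist: the single value the guideline's example permits.
EXPLICIT_ALLOWED = frozenset({"01/01/1980"})

# Implicit whitelist, step 1: exact shape, ASCII digits only.
_DATE_SHAPE = re.compile(r"[0-9]{2}/[0-9]{2}/[0-9]{4}")


def validate_explicit(value):
    """Accept only values that were enumerated in advance."""
    return isinstance(value, str) and value in EXPLICIT_ALLOWED


def validate_implicit(value):
    """Accept any real calendar date written as mm/dd/yyyy."""
    if not isinstance(value, str):
        return False
    # fullmatch anchors both ends, so a trailing newline or extra text fails.
    if _DATE_SHAPE.fullmatch(value) is None:
        return False
    try:
        # The shape alone would pass 02/30/2020; strptime rejects it.
        datetime.strptime(value, "%m/%d/%Y")
    except ValueError:
        return False
    return True


# Constructed sample inputs for a date field.
SAMPLES = [
    "01/01/1980",        # the one explicitly allowed value
    "12/25/2024",        # valid date, not on the explicit list
    "02/29/2024",        # leap day in a leap year
    "02/29/2023",        # leap day in a non-leap year
    "13/01/2020",        # month out of range
    "1/1/1980",          # wrong shape
    "01/01/1980\n",      # trailing newline
    "01/01/1980 extra",  # trailing text
]


def check_samples():
    """Return {input: (explicit_ok, implicit_ok)} for the samples."""
    return {s: (validate_explicit(s), validate_implicit(s)) for s in SAMPLES}


if __name__ == "__main__":
    for raw, verdict in check_samples().items():
        print(repr(raw), verdict)
```

Anything neither validator accepts is rejected by default; no list of known-bad values is consulted.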
More information from OWASP about a Positive security model.
More information from Teusink.eu about Input Validation for Web-applications.