Guideline: Build to not trust endpoint input and servicesPart of: Development Security Guidelines
Overview: Building a set of Guidelines for Security and Privacy
This guideline is all about trust. Anything can be trusted, and in some cases such trust needs to be validated beforehand. Input from sources you do not control needs to be validated before trusted.
In essence, just like the positive security model, it is all about input validation. But where the positive security model focuses more on the security controls itself, this principle focuses on the data.
Due to compute power and memory processing it is wise to make informed decisions about whether or not to apply input validation wherever data is being processed. Only make sure that whenever data is coming from users, browsers, apps, services and APIs or any other non-controlled endpoint for that matter, that the data has been validated. And this validation can vary from making sure a date is really a date to that of free text input is being stripped from any scripting-languages.
More information from OWASP about a Don’t trust user input and Don't trust services.
More information from Teusink.eu about Input Validation for Web-applications.