>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

SI-10Information Input Validation

Moderate
High

>Control Description

Check the validity of the following information inputs: organization-defined information inputs to the system.

>FedRAMP Baseline Requirements

Additional Requirements and Guidance

SI-10 Requirement: Validate all information inputs and document any exceptions

>Discussion

Checking the valid syntax and semantics of system inputs--including character set, length, numerical range, and acceptable values--verifies that inputs match specified definitions for format and content. For example, if the organization specifies that numerical values between 1-100 are the only acceptable inputs for a field in a given application, inputs of 387, abc, or %K% are invalid inputs and are not accepted as input to the system. Valid inputs are likely to vary from field to field within a software application.

Applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata.

Consequently, the module or component that receives the corrupted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing them to interpreters prevents the content from being unintentionally interpreted as commands. Input validation ensures accurate and correct inputs and prevents attacks such as cross-site scripting and a variety of injection attacks.

>Cross-Framework Mappings

SCF

TDA-18
Compare

>Programmatic Queries

Beta

Related Services

AWS WAF
API Gateway
AppSync

CLI Commands

List WAF rules for input validation
aws wafv2 list-rule-groups --scope REGIONAL
Check API Gateway request validators
aws apigateway get-request-validators --rest-api-id API_ID
List WAF managed rule groups
aws wafv2 list-available-managed-rule-groups --scope REGIONAL
Check AppSync resolver validation
aws appsync list-resolvers --api-id API_ID --type-name Query
Open AWS ConsoleDocumentation

>Relevant Technologies

Technology-specific guidance with authoritative sources and verification commands.

SonarQube

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies and procedures govern information input validation?
  • Who is responsible for monitoring system and information integrity?
  • How frequently are integrity monitoring processes reviewed and updated?

Technical Implementation:

  • What technical controls detect and respond to information input validation issues?
  • How are integrity violations identified and reported?
  • What automated tools support system and information integrity monitoring?
  • What anti-malware solutions are deployed and how are they configured?

Evidence & Documentation:

  • Can you provide recent integrity monitoring reports or alerts?
  • What logs demonstrate that SI-10 is actively implemented?
  • Where is evidence of integrity monitoring maintained and for how long?
  • Can you show recent malware detection reports and response actions?

Ask AI

Configure your API key to use AI features.