Data input via user interfaces and transferred via application programming interfaces (APIs) or between networks in services and devices shall be validated.
Systems can be subverted by incorrectly formatted data or code transferred across different types of interface. Automated tools are often employed by attackers in order to exploit potential gaps and weaknesses that emerge as a result of not validating data. Examples include, but are not limited to, data that is:
i) Not of the expected type, for example executable code rather than user inputted text.
ii) Out of range, for example a temperature value which is beyond the limits of a sensor.
Primarily Applies to: Device Manufacturers, IoT Service Providers, Mobile Application Developers