Which secure coding best practice says to assume all incoming data should be considered untrusted...

The secure coding best practice that emphasizes treating all incoming data as untrusted and subjecting it to validation is known as input validation. This practice is crucial for ensuring that a system only processes valid, clean data, thereby preventing many types of vulnerabilities, such as SQL injection, cross-site scripting (XSS), and buffer overflows, which can arise from maliciously crafted inputs.

Input validation involves verifying that the data meets certain criteria before it is processed by the system. This includes checking for the correct data type, length, format, and range. It also involves sanitizing the data to ensure that it does not contain any potentially harmful elements that could lead to security breaches.

A centralized input validation routine is recommended for the entire application, which helps in maintaining consistency and effectiveness in the validation process. This routine should be implemented on a trusted system, typically server-side, to prevent tampering or bypassing of the validation logic.

It’s important to classify all data sources into trusted and untrusted categories and to apply rigorous validation to all data from untrusted sources, such as user input, databases, file streams, and network interfaces.

By adhering to the input validation best practice, developers can significantly reduce the attack surface of their applications and protect against a wide array of common security threats.