eXpress badging® enforces strict input validation, sanitization, and encoding controls across the Veonics® Portal to protect against injection, data corruption, and malware.
⌨️ All practices are aligned with OWASP (Open Worldwide Application Security Project) recommendations and NIST CSF 2.0.
🖥️ Client-Side Validation
Q: Do you rely on client-side validation?
- Answer: No
- Client-side validation (e.g., browser JavaScript checks) is used only for usability improvements, not as a security control.
- All security validation is enforced server-side.
🖧 Server-Side Validation
Q: Do you perform server-side validation on all entry points of the application?
- Answer: Yes
- All user input is validated on the server before being processed or stored.
- This includes form fields, API requests, and file uploads.
📄 Supporting Documentation: Veonics Portal Cybersecurity & Compliance Overview
🔄 Centralized Input Validation
Q: Is there a centralized approach for input validation?
- Answer: Yes
- The Veonics® Portal uses centralized validation libraries to enforce consistent rules across all entry points.
- This ensures uniform handling of text fields, numeric inputs, and special characters.
🚫 Input Filtering
Q: Do you perform input filtering for known bad data that can cause faults or unexpected behavior?
- Answer: Yes
- Input filters reject SQL injection attempts, malformed HTML/JS, and invalid character sets.
- Filters are updated regularly in line with the OWASP Top 10 threats.
- Example: `<script>` tags and SQL operators are stripped or escaped before processing.
📄 Supporting Documentation: Application Development & Maintenance Policy
🔐 Input/Output Encoding
Q: Do you perform input/output encoding?
- Answer: Yes
- Data displayed back to users is HTML encoded to prevent cross-site scripting (XSS).
- Output encoding is enforced on all web-facing fields.
🗄️ Parameterized Queries
Q: Do you use parameterized queries or stored procedures for database access?
- Answer: Yes
- All database access uses parameterized queries to prevent SQL injection.
- Direct concatenation of user input into queries is prohibited.
📄 Supporting Documentation: The Veonics Portal History & System Architecture
📂 File Upload Restrictions
Q: If the web application allows file uploads, do you limit extensions and scan files?
- Answer: Yes
- Allowed extensions: .jpg, .jpeg, .png, .gif (photo uploads only).
- All uploaded files undergo virus/malware scanning before being accepted.
- Metadata is validated to confirm the file matches its extension (no disguised executables).
📄 Supporting Documentation: How to Securely Transfer ID Badge Project Files Using the Upload Center
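The upload checks described above, as an added illustration that is not the Veonics Portal's own code: the extension allowlist from this page combined with a content-signature check, so a file whose bytes do not match its claimed image format (for example, an executable renamed to photo.png) is rejected. The size limit is an assumed value, and the malware-scanning step is not shown.

```python
import os

# Allowed photo extensions, as listed on the page (photo uploads only).
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}

# File signatures ("magic bytes") per format, taken from the published
# format specifications; keyed by the extension the client claims.
MAGIC_BYTES = {
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".gif": [b"GIF87a", b"GIF89a"],
}

# Assumed limit for this example; the page states no specific size.
MAX_UPLOAD_BYTES = 5 * 1024 * 1024


def validate_photo_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason).

    Accept only when the extension is on the allowlist AND the file content
    begins with the signature of that format. Either check alone is weak:
    the extension is attacker-controlled, and a signature match without an
    allowlist would still admit formats the portal never intends to store.
    """
    # Ignore any client-supplied directory components; only the base name counts.
    base = os.path.basename(filename.replace("\\", "/"))
    # splitext keeps only the final suffix, so "photo.jpg.exe" yields ".exe".
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext or '(none)'} not allowed"
    if not data:
        return False, "empty file"
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file exceeds size limit"
    # Content check: a PE executable starts with b"MZ", not an image signature,
    # so renaming it to .png does not get it past this point.
    if not any(data.startswith(sig) for sig in MAGIC_BYTES[ext]):
        return False, f"content does not match {ext} signature"
    return True, "ok"
```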
📊 NIST CSF 2.0 Alignment
| Function | Example Practice |
|---|---|
| Protect (PR) | Centralized input validation, parameterized queries |
| Detect (DE) | Filtering of known malicious input |
| Respond (RS) | Logs and alerts for rejected payloads |
| Recover (RC) | Continuous OWASP-aligned updates |
Last Update: 9/1/2025