I have a requirement to get an application cache object => session object, modify it and use it. While everything works fine, I am receiving the Trust Boundary Violation threat from Fortify (for more info: https://www.fortify.com/vulncat/en/vulncat/sql/trust_boundary_violation.html).

Any ideas on how to fix this?


Solution

Trust Boundary Violation is not often a simple thing to fix. To really understand this, you need to confer with your security auditor and your architect and determine what the trust boundary is. To do this, draw a logical architecture of your application, including the cache, the end user and all the other systems the application needs to interface with.

Then, draw a dotted line around the part of the application that needs to be protected. Everything inside this line is data that you do not have to check: it was, presumably, created by you, the developer, or else it was scrubbed by your input validation function and you are sure it is only the kind of data you expect. (See https://www.owasp.org/index.php/Data_Validation)

Now, where is the cache?

  1. If it's inside the trust boundary, then this Trust Boundary Violation is a false positive and you can create a filter so that if the source comes from that file or package, the issue will be hidden. Your filter would look something like this:

    category:"trust boundary violation" package:com.example.mycachepackage

    or

    category:"trust boundary violation" file:MyCacheObject.java

  2. If the cache is outside the trust boundary, then the assumption is that the attacker may use the cache as a mechanism to attack your program or users. Then you have to check all the data every time you put data into the cache or take anything out of the cache.

Once you've defined the validation function(s) for the cache mechanism, your security auditor or Fortify consultant will write a custom validation rule that will make all the fixed issues disappear.
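One way to implement the single validation function described in point 2, as an added example that is not part of the original answer: every value moving from the cache (outside the trust boundary) into the session (inside it) passes through one allow-list check. The class, method names, the `userId` key and the id format are assumptions; plain `Map`s stand in for the real cache and `HttpSession` so the example compiles on its own.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import java.util.regex.Pattern;

// Untrusted source: the application cache. Trusted sink: the user's session.
// Nothing crosses from one to the other except through validateUserId(),
// the one function an auditor can later point a custom Fortify rule at.
public final class CacheToSessionBridge {
    // Hypothetical allow-list: a user id is 1..32 chars of letters, digits, '_' or '-'.
    private static final Pattern USER_ID = Pattern.compile("^[A-Za-z0-9_-]{1,32}$");

    /** Returns the validated id, or empty when the cached value is not acceptable. */
    static Optional<String> validateUserId(Object cached) {
        if (!(cached instanceof String)) {
            return Optional.empty(); // reject unexpected types, not just bad strings
        }
        String id = (String) cached;
        return USER_ID.matcher(id).matches() ? Optional.of(id) : Optional.empty();
    }

    /** Copies cache["userId"] into the session only after validation; false means rejected. */
    static boolean copyUserId(Map<String, Object> cache, Map<String, Object> session) {
        Optional<String> ok = validateUserId(cache.get("userId"));
        if (!ok.isPresent()) {
            return false; // unvalidated data never reaches the trusted container
        }
        session.put("userId", ok.get());
        return true;
    }

    public static void main(String[] args) {
        Map<String, Object> cache = new HashMap<>();   // stand-in for the app cache
        Map<String, Object> session = new HashMap<>(); // stand-in for HttpSession
        cache.put("userId", "alice_01");               // constructed: acceptable value
        System.out.println("valid id copied: " + copyUserId(cache, session));
        cache.put("userId", "alice; extra");           // constructed: fails the allow-list
        System.out.println("invalid id copied: " + copyUserId(cache, session));
        cache.put("userId", 42);                       // constructed: wrong type
        System.out.println("non-string copied: " + copyUserId(cache, session));
    }
}
```

Apply the same function on the way back out of the session into the cache if the cache is written from session data, since the answer requires checking both directions.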

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow