{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,3,12]],"date-time":"2025-03-12T13:10:12Z","timestamp":1741785012282,"version":"3.38.0"},"reference-count":28,"publisher":"Springer Science and Business Media LLC","issue":"1-2","license":[{"start":{"date-parts":[[2023,4,19]],"date-time":"2023-04-19T00:00:00Z","timestamp":1681862400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2023,4,19]],"date-time":"2023-04-19T00:00:00Z","timestamp":1681862400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"name":"University Of South-Eastern Norway"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Wireless Pers Commun"],"published-print":{"date-parts":[[2025,1]]},"abstract":"<jats:title>Abstract<\/jats:title>\n          <jats:p>The on-going digitalization of our critical infrastructures is progressing fast. There is also a growing trend of serious and disrupting cyber-attacks. The digital services are often fragile, and with many weaknesses and vulnerabilities. This makes exploiting and attacking the services a little too easy. If the services verifies all inputs, many security threats will be avoided. Similarly, if one diligently tests the services with malformed inputs, one will uncover many security and software quality problems. In this paper we investigate \u201cinput validation\u201d and \u201cfuzz testing\u201d as a means to improve security. The aim is not exhaustive coverage, but to provide indications of usefulness and to serve as a call for action.<\/jats:p>","DOI":"10.1007\/s11277-023-10431-2","type":"journal-article","created":{"date-parts":[[2023,4,19]],"date-time":"2023-04-19T17:02:34Z","timestamp":1681923754000},"page":"25-37","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":1,"title":["A Call for Mandatory Input Validation and Fuzz Testing"],"prefix":"10.1007","volume":"140","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-7363-0076","authenticated-orcid":false,"given":"Geir M.","family":"K\u00f8ien","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Lasse","family":"\u00d8verlier","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2023,4,19]]},"reference":[{"issue":"6","key":"10431_CR1","doi-asserted-by":"publisher","first-page":"678","DOI":"10.1145\/63526.63527","volume":"32","author":"EH Spafford","year":"1989","unstructured":"Spafford, E. H. (1989). Crisis and aftermath. Communications of the ACM, 32(6), 678\u2013687.","journal-title":"Communications of the ACM"},{"issue":"49","key":"10431_CR2","first-page":"14","volume":"7","author":"Aleph One","year":"1996","unstructured":"One, Aleph. (1996). Smashing the stack for fun and profit. Phrack Magazine, 7(49), 14\u201316.","journal-title":"Phrack Magazine"},{"key":"10431_CR3","doi-asserted-by":"publisher","first-page":"6702","DOI":"10.3390\/app12136702","volume":"12","author":"MA Butt","year":"2022","unstructured":"Butt, M. A., Ajmal, Z., Khan, Z. I., Idrees, M., & Javed, Y. (2022). An in-depth survey of bypassing buffer overflow mitigation techniques. Applied Sciences, 12, 6702.","journal-title":"Applied Sciences"},{"key":"10431_CR4","volume-title":"State-of-the-art survey on web vulnerabilities, threat vectors, and countermeasures, 3\u201317","author":"J Kaur","year":"2022","unstructured":"Kaur, J., & Garg, U. (2022). State-of-the-art survey on web vulnerabilities, threat vectors, and countermeasures, 3\u201317. Springer Singapore."},{"key":"10431_CR5","unstructured":"Di Zio, M., et\u00a0al. (2016). Methodology for data validation 1.0. Essnet Validat Foundation."},{"issue":"12","key":"10431_CR6","doi-asserted-by":"publisher","first-page":"32","DOI":"10.1145\/96267.96279","volume":"33","author":"BP Miller","year":"1990","unstructured":"Miller, B. P., Fredriksen, L., & So, B. (1990). An empirical study of the reliability of unix utilities. Communications of the ACM, 33(12), 32\u201344.","journal-title":"Communications of the ACM"},{"key":"10431_CR7","unstructured":"Godefroid, P., Levin, M. Y., & Molnar, D. A. (2008). Automated whitebox fuzz testing, 8, 151\u2013166."},{"key":"#cr-split#-10431_CR8.1","unstructured":"Naur, P., & (eds), B. R. (1968). Software Engineering"},{"key":"#cr-split#-10431_CR8.2","unstructured":"Report on a conference sponsored by the NATO SCIENCE COMMITTEE (07-11 October 1968. Report, NATO Scientific Committee, Garmisch, Germany."},{"key":"10431_CR9","unstructured":"van der Stock, A., Glas, B., Smithline, N., & Gigler, T. (2021). OWASP Top 10 - 2021. https:\/\/owasp.org\/Top10\/."},{"key":"10431_CR10","unstructured":"Saad, E., & Mitchell, R. (2020). OWASP Web Security Testing Guide; Version 4.2. OWASP Webpage."},{"key":"10431_CR11","doi-asserted-by":"crossref","unstructured":"Rose, S., Borchert, O., Mitchell, S., & Connelly, S. (2020). Zero trust architecture. Special Publication 800-207, NIST. https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-207\/final.","DOI":"10.6028\/NIST.SP.800-207-draft2"},{"key":"10431_CR12","unstructured":"Greenberg, A. (2018) . The untold story of notpetya, the most devastating cyberattack in history. Wired 22 ."},{"key":"10431_CR13","volume-title":"Skin in the game: Hidden asymmetries in daily life","author":"NN Taleb","year":"2018","unstructured":"Taleb, N. N. (2018). Skin in the game: Hidden asymmetries in daily life. Random House."},{"key":"10431_CR14","doi-asserted-by":"publisher","first-page":"118","DOI":"10.1016\/j.cose.2018.02.002","volume":"75","author":"C Chen","year":"2018","unstructured":"Chen, C., et al. (2018). A systematic review of fuzzing techniques. Computers & Security, 75, 118\u2013137.","journal-title":"Computers & Security"},{"issue":"10","key":"10431_CR15","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1371\/journal.pone.0186188","volume":"12","author":"S Wen","year":"2017","unstructured":"Wen, S., Meng, Q., Feng, C., & Tang, C. (2017). Protocol vulnerability detection based on network traffic analysis and binary reverse engineering. PLOS ONE, 12(10), 1\u201314.","journal-title":"PLOS ONE"},{"key":"10431_CR16","doi-asserted-by":"crossref","unstructured":"Meyer, B. (1992). Applying, \u201cdesign by contract.\u201d Computer, 25(10), 40\u201351.","DOI":"10.1109\/2.161279"},{"key":"10431_CR17","unstructured":"ITU-T. (2021). X.680 : Information technology - Abstract Syntax Notation One (ASN.1): Specification of basic notation. Recommendation X.680, ITU-T. https:\/\/www.itu.int\/rec\/T-REC-X.680-202102-I."},{"key":"10431_CR18","unstructured":"ITU-T.(2022). Introduction to ASN.1. https:\/\/www.itu.int\/en\/ITU-T\/asn1\/Pages\/introduction.aspx."},{"issue":"5","key":"10431_CR19","doi-asserted-by":"publisher","first-page":"393","DOI":"10.1016\/0169-7552(92)90014-H","volume":"23","author":"G Neufeld","year":"1992","unstructured":"Neufeld, G., & Vuong, S. (1992). An overview of asn 1. Computer Networks and ISDN Systems, 23(5), 393\u2013415.","journal-title":"Computer Networks and ISDN Systems"},{"key":"10431_CR20","unstructured":"Unicode.org. (2014). UNICODE SECURITY CONSIDERATIONS. Unicode Technical Report 26, Unicode.org . https:\/\/unicode.org\/reports\/tr36\/."},{"key":"10431_CR21","unstructured":"Unicode.org. (2021). UNICODE SECURITY MECHANISMS; v14. Unicode Technical Standard 39, Unicode.org. https:\/\/unicode.org\/reports\/tr39\/."},{"key":"10431_CR22","first-page":"3","volume":"34","author":"SC Kleene","year":"1956","unstructured":"Kleene, S. C., et al. (1956). Representation of events in nerve nets and finite automata. Automat Studies, 34, 3\u201341.","journal-title":"Automat Studies"},{"key":"10431_CR23","doi-asserted-by":"publisher","first-page":"405","DOI":"10.1016\/j.scico.2014.04.008","volume":"97","author":"M Shahbaz","year":"2015","unstructured":"Shahbaz, M., McMinn, P., & Stevenson, M. (2015). Automatic generation of valid and invalid test data for string validation routines using web searches and regular expressions. Science of Computer Programming, 97, 405\u2013425.","journal-title":"Science of Computer Programming"},{"key":"10431_CR24","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-68670-7","volume-title":"String Analysis for Software Verification and Security","author":"T Bultan","year":"2017","unstructured":"Bultan, T., Yu, F., Alkhalaf, M., & Aydin, A. (2017). String Analysis for Software Verification and Security (Vol. 10). Springer Nature."},{"key":"10431_CR25","unstructured":"Halfond, W. G., Viegas, J., Orso, A., et\u00a0al. (2006). A classification of sql-injection attacks and countermeasures, Vol.\u00a01, 13\u201315 IEEE."},{"key":"10431_CR26","doi-asserted-by":"crossref","unstructured":"Song, D., et\u00a0al. (2019). Sok: Sanitizing for security, 1275\u20131295 IEEE.","DOI":"10.1109\/SP.2019.00010"},{"key":"10431_CR27","doi-asserted-by":"crossref","unstructured":"Lemes, C. I., Naessens, V., & Vieira, M. (2019). Trustworthiness assessment of web applications: Approach and experimental study using input validation coding practices, 435\u2013445 IEEE.","DOI":"10.1109\/ISSRE.2019.00050"}],"container-title":["Wireless Personal Communications"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s11277-023-10431-2.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s11277-023-10431-2\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s11277-023-10431-2.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,3,12]],"date-time":"2025-03-12T12:49:23Z","timestamp":1741783763000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s11277-023-10431-2"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,4,19]]},"references-count":28,"journal-issue":{"issue":"1-2","published-print":{"date-parts":[[2025,1]]}},"alternative-id":["10431"],"URL":"https:\/\/doi.org\/10.1007\/s11277-023-10431-2","relation":{},"ISSN":["0929-6212","1572-834X"],"issn-type":[{"type":"print","value":"0929-6212"},{"type":"electronic","value":"1572-834X"}],"subject":[],"published":{"date-parts":[[2023,4,19]]},"assertion":[{"value":"6 April 2023","order":1,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"19 April 2023","order":2,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors have not disclosed any competing interests.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of interest"}}]}}