secure-software-engineering/Exercise/Writeup/lab02.md

# Lab 2: Secure Software Design

[WriteMd](https://writemd.rz.tuhh.de/876-Mxb3SeupKelDQ7eTvA?view)

## Security Requirements

Security Pattern [Catalog](https://people.cs.kuleuven.be/~koen.yskout/icse15/catalog.pdf).

### Security Requirement Analysis

| Task | Title | Pattern idea | Tactics |
| - | -------- | -------- | -------- |
| A | Enforce Password Policy, Single sign-on, Strong Authentication, Smart Cards | Credential Tokenizer, Single Sign-on, (Single Access Point) | Authenticate Users, Limit Exposure |
| B | User data disclosure and write protection | Encrypted Storage |
| C | Isolation of critical and non-critical domains | Server Sandbox, (DMZ) |
| D | Do not require login on every transaction | Session, Load Balancing (-> JWT) |
| E | Bank Clerk Operation Tracking | Secure Logger |
| F | Bank Account Information Privacy, Transaction Authorization | MFA, Fraud Detection |
| G | Mobile Device Communication Security | PKI, Public-Private Key Encryption -> Secure Pipe |

## Security Tactics

Possible exam question: Name the differences between patterns and tactics and name a few of each category.

*aka. goals*

## Security Patterns
*e. g. SSO, MFA, OTP*
Added writeup for lab 2 (collaborative with Márk) 2022-05-10 11:00:04 +02:00			`# Lab 2: Secure Software Design`

			`[WriteMd](https://writemd.rz.tuhh.de/876-Mxb3SeupKelDQ7eTvA?view)`

			`## Security Requirements`

			`Security Pattern [Catalog](https://people.cs.kuleuven.be/~koen.yskout/icse15/catalog.pdf).`

			`### Security Requirement Analysis`

			`\| Task \| Title \| Pattern idea \| Tactics \|`
			`\| - \| -------- \| -------- \| -------- \|`
			`\| A \| Enforce Password Policy, Single sign-on, Strong Authentication, Smart Cards \| Credential Tokenizer, Single Sign-on, (Single Access Point) \| Authenticate Users, Limit Exposure \|`
			`\| B \| User data disclosure and write protection \| Encrypted Storage \|`
			`\| C \| Isolation of critical and non-critical domains \| Server Sandbox, (DMZ) \|`
			`\| D \| Do not require login on every transaction \| Session, Load Balancing (-> JWT) \|`
			`\| E \| Bank Clerk Operation Tracking \| Secure Logger \|`
			`\| F \| Bank Account Information Privacy, Transaction Authorization \| MFA, Fraud Detection \|`
			`\| G \| Mobile Device Communication Security \| PKI, Public-Private Key Encryption -> Secure Pipe \|`

			`## Security Tactics`

			`Possible exam question: Name the differences between patterns and tactics and name a few of each category.`

			`aka. goals`

			`## Security Patterns`
			`e. g. SSO, MFA, OTP`