secure-software-engineering/Exercise/Writeup/lab02.md

# Lab 2: Secure Software Design
## Security Requirements
Security Pattern [Catalog](https://people.cs.kuleuven.be/~koen.yskout/icse15/catalog.pdf).
### Security Requirement Analysis
| Task | Title | Pattern idea |
| - | -------- | -------- |
| A | Enforce Password Policy, Single sign-on, Strong Authentication, Smart Cards | Credential Tokenizer, Single Sign-on, (Single Access Point) |
| B | User data disclosure and write protection | Encrypted Storage |
| C | Isolation of critical and non-critical domains | Server Sandbox, (DMZ) |
| D | Do not require login on every transaction | Session, Load Balancing (-> JWT) |
| E | Bank Clerk Operation Tracking | Secure Logger, Controlled Object Monitor |
| F | Bank Account Information Privacy, Transaction Authorization | MFA, Fraud Detection |
| G | Mobile Device Communication Security | PKI, Public-Private Key Encryption -> Secure Pipe |
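Requirement E (Bank Clerk Operation Tracking) maps to the Secure Logger pattern, whose point is that a clerk who can write to the log must not be able to rewrite history. The following is an added example, not code from the lab writeup or the pattern catalog: an append-only, HMAC-linked log in which every record's MAC covers its own fields plus the MAC of the previous record, so an edit, deletion or reordering breaks the chain. The record fields, the key and the sample clerk actions are constructed for the demonstration.

```python
"""Secure Logger for requirement E: every clerk action is appended to a
hash chain so that a clerk (or anyone with write access to the log store)
cannot silently edit, reorder or delete entries after the fact.
Added example, not from the lab writeup; the record fields, the key and
the sample entries are constructed."""
import hashlib
import hmac
import json
from dataclasses import dataclass, replace
from typing import List, Optional

GENESIS = "0" * 64  # prev_hash of the first record


@dataclass(frozen=True)
class LogRecord:
    seq: int
    clerk: str
    action: str
    account: str
    prev_hash: str  # MAC of the previous record (links the chain)
    mac: str        # HMAC over all other fields of this record


def _mac(key: bytes, seq: int, clerk: str, action: str,
         account: str, prev_hash: str) -> str:
    # canonical encoding: fixed field order, no whitespace
    payload = json.dumps([seq, clerk, action, account, prev_hash],
                         separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class SecureLogger:
    """Holds the MAC key; application code only gets append()."""

    def __init__(self, key: bytes):
        self._key = key
        self.records: List[LogRecord] = []

    def append(self, clerk: str, action: str, account: str) -> LogRecord:
        seq = len(self.records)
        prev = self.records[-1].mac if self.records else GENESIS
        rec = LogRecord(seq, clerk, action, account, prev,
                        _mac(self._key, seq, clerk, action, account, prev))
        self.records.append(rec)
        return rec


def verify_chain(key: bytes, records: List[LogRecord]) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad
    record: a changed field breaks its MAC, a deleted or reordered record
    breaks the seq/prev_hash link of its successor."""
    expected_prev = GENESIS
    for i, r in enumerate(records):
        if r.seq != i or r.prev_hash != expected_prev:
            return i
        good = _mac(key, r.seq, r.clerk, r.action, r.account, r.prev_hash)
        if not hmac.compare_digest(good, r.mac):
            return i
        expected_prev = r.mac
    return None


def demo():
    key = b"constructed-audit-key-not-for-production"
    log = SecureLogger(key)
    log.append("clerk-17", "view_balance", "ACC-001")
    log.append("clerk-17", "transfer_out:500", "ACC-001")
    log.append("clerk-42", "close_account", "ACC-001")
    intact = verify_chain(key, log.records)        # None

    # clerk-17 rewrites the stored transfer as a harmless lookup
    edited = list(log.records)
    edited[1] = replace(edited[1], action="view_balance")
    edit_detected = verify_chain(key, edited)      # 1

    # or drops the record entirely: record 2 now sits at index 1
    trimmed = [log.records[0], log.records[2]]
    delete_detected = verify_chain(key, trimmed)   # 1
    return intact, edit_detected, delete_detected


if __name__ == "__main__":
    print(demo())
```

Two caveats a reviewer would raise: the chain only proves integrity relative to the MAC key, so the key must live with the logger (or an auditor), not with the clerk-facing application; and cutting records off the end of the chain is undetectable unless the latest MAC is periodically anchored somewhere the writer cannot reach (a separate audit host, a timestamping service).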
## Security Tactics
Possible exam question: Name the differences between patterns and tactics and name a few of each category.
*aka. goals*
| Pattern | Tactic | Weakness |
| -------- | -------- | -------- |
| Credential Tokenizer, Single Access Point (SAP) | Reduce # of Passwords | Brute Force SAP Provider/Credential |
| Encrypted Storage | Limit Wallet Control & History Access | Weak PIN Exposes Access |
| Server Sandbox | Prevent Harm from Unknown Vulns | Weak Auth, Insecure Containers |
| Session, Secure Session T | Avoid Repeated Authentication | Session Token Theft |
> !?! so now we're just adding random patterns because we feel like it, instead of suggesting a requirement to be added
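The Session row of the tactics table (and requirement D, "do not require login on every transaction", with its Load Balancing -> JWT note) calls for a token that any backend can check without a shared session store, and names Session Token Theft as the weakness. The block below is an added example, not code from the writeup: a minimal HMAC-signed, JWT-style token with an expiry and an optional binding to the client address, followed by the three cases that matter: a second backend accepting it, a forged token being rejected, and a stolen copy working until expiry unless it is bound. The token format, key, timestamps and addresses are constructed; production code should use a vetted JWT library rather than this hand-rolled format.

```python
"""Stateless signed session token for requirement D behind a load
balancer, plus the "Session Token Theft" weakness from the tactics table.
Added example, not from the lab writeup; the HMAC-signed JWT-style format
and every key, timestamp and address are constructed (use a vetted JWT
library in real code)."""
import base64
import binascii
import hashlib
import hmac
import json
from typing import Dict, Optional


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(key: bytes, user: str, ttl: int, now: int,
                client_ip: Optional[str] = None) -> str:
    """Login server signs the claims; no server-side session row is kept."""
    claims = {"sub": user, "iat": now, "exp": now + ttl}
    if client_ip is not None:
        claims["ip"] = client_ip  # optional binding to the issuing client
    body = _b64(json.dumps(claims, sort_keys=True,
                           separators=(",", ":")).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def verify_token(key: bytes, token: str, now: int,
                 client_ip: Optional[str] = None) -> Optional[Dict]:
    """Any backend holding the key can verify; returns claims or None."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    try:
        given = _unb64(sig)
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, given):
            return None                   # forged or modified claims
        claims = json.loads(_unb64(body))
    except (binascii.Error, ValueError):
        return None
    if now >= claims["exp"]:
        return None                       # expired: stolen copies die here
    if "ip" in claims and claims["ip"] != client_ip:
        return None                       # replayed from another client
    return claims


def _who(claims: Optional[Dict]) -> Optional[str]:
    return claims["sub"] if claims else None


def demo() -> Dict[str, Optional[str]]:
    key = b"constructed-key-shared-by-all-backends"
    t0 = 1_700_000_000
    bound = issue_token(key, "alice", 900, t0, client_ip="10.0.0.5")
    unbound = issue_token(key, "alice", 900, t0)
    # attacker signs claims for "bob" without knowing the backend key
    forged = issue_token(b"attacker-guess", "bob", 900, t0, "10.0.0.5")
    return {
        # a different backend behind the load balancer accepts the token
        "other_backend": _who(verify_token(key, bound, t0 + 200, "10.0.0.5")),
        "forged": _who(verify_token(key, forged, t0 + 200, "10.0.0.5")),
        # stolen token replayed from the attacker's address
        "stolen_bound": _who(verify_token(key, bound, t0 + 300, "203.0.113.9")),
        "stolen_unbound": _who(verify_token(key, unbound, t0 + 300, "203.0.113.9")),
        # after exp nothing helps the thief any more
        "expired": _who(verify_token(key, unbound, t0 + 900, "203.0.113.9")),
    }


if __name__ == "__main__":
    print(demo())
```

The trade-off this makes visible is the one the table records as the weakness: because no backend keeps session state, a token cannot be revoked individually, so a stolen copy is valid until `exp`. The usual mitigations are a short lifetime with a refresh step, binding to the client (the address binding here is a simplifying assumption and breaks behind NAT or for mobile users; TLS-bound or device-bound tokens are the sturdier form), and a small shared denylist for the rare explicit logout or compromise.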