Update markdown files
This commit is contained in:
parent
eb633ad307
commit
176966e16b
@ -1,22 +1,20 @@
|
||||
# Lab 2: Secure Software Design
|
||||
|
||||
[WriteMd](https://writemd.rz.tuhh.de/876-Mxb3SeupKelDQ7eTvA?view)
|
||||
|
||||
## Security Requirements
|
||||
|
||||
Security Pattern [Catalog](https://people.cs.kuleuven.be/~koen.yskout/icse15/catalog.pdf).
|
||||
|
||||
### Security Requirement Analysis
|
||||
|
||||
| Task | Title | Pattern idea | Tactics |
|
||||
| - | -------- | -------- | -------- |
|
||||
| A | Enforce Password Policy, Single sign-on, Strong Authentication, Smart Cards | Credential Tokenizer, Single Sign-on, (Single Access Point) | Authenticate Users, Limit Exposure |
|
||||
| B | User data disclosure and write protection | Encrypted Storage |
|
||||
| C | Isolation of critical and non-critical domains | Server Sandbox, (DMZ) |
|
||||
| D | Do not require login on every transaction | Session, Load Balancing (-> JWT) |
|
||||
| E | Bank Clerk Operation Tracking | Secure Logger |
|
||||
| F | Bank Account Information Privacy, Transaction Authorization | MFA, Fraud Detection |
|
||||
| G | Mobile Device Communication Security | PKI, Public-Private Key Encryption -> Secure Pipe |
|
||||
| Task | Title | Pattern idea |
|
||||
| - | -------- | -------- |
|
||||
| A | Enforce Password Policy, Single sign-on, Strong Authentication, Smart Cards | Credential Tokenizer, Single Sign-on, (Single Access Point) |
|
||||
| B | User data disclosure and write protection | Encrypted Storage |
|
||||
| C | Isolation of critical and non-critical domains | Server Sandbox, (DMZ) |
|
||||
| D | Do not require login on every transaction | Session, Load Balancing (-> JWT) |
|
||||
| E | Bank Clerk Operation Tracking | Secure Logger, Controlled Object Mnitor |
|
||||
| F | Bank Account Information Privacy, Transaction Authorization | MFA, Fraud Detection |
|
||||
| G | Mobile Device Communication Security | PKI, Public-Private Key Encryption -> Secure Pipe |
|
||||
|
||||
## Security Tactics
|
||||
|
||||
@ -24,5 +22,14 @@ Possible exam question: Name the differences between patterns and tactics and na
|
||||
|
||||
*aka. goals*
|
||||
|
||||
## Security Patterns
|
||||
*e. g. SSO, MFA, OTP*
|
||||
| Pattern | Tactic | Weakness |
|
||||
| -------- | -------- | -------- |
|
||||
| Credential Tokenizer, SAP | Reduce # of Passwords | Brute Force SAP Provider/Credential |
|
||||
| Encrypted Storage | Limit Wallet Control & History Access | Weak PIN Exposes Access |
|
||||
| Server Sandbox | Prevent Harm from Unknown Vulns | Weak Auth, Insecure Containers, |
|
||||
| Session, Secure Session T | Avoid Repeated Authentication | Session Token Theft |
|
||||
| Text | | Text |
|
||||
| Text | Text | Text |
|
||||
| Text | Text | Text |
|
||||
|
||||
> !?! so now we're just adding random patterns because we feel like it, instead of suggesting a requirement to be added
|
12
Exercise/Writeup/lab03.md
Normal file
12
Exercise/Writeup/lab03.md
Normal file
@ -0,0 +1,12 @@
|
||||
# Lab 3
|
||||
|
||||
## Stride examples
|
||||
|
||||
| DFD-Element | Concern | Example |
|
||||
| -- | -- | -- |
|
||||
| User | Spoofing | Send a chat message in the name of another user |
|
||||
| User | Spoofing | Stolen credentials might be used to login |
|
||||
| User Login | Tampering | Modify HTTP login header |
|
||||
| Login | Denial of Service | Flood server with login requests |
|
||||
| Login | Spoofing | Domain spoofing to impersonate server |
|
||||
| Database | Information Disclosure | SQL Injection |
|
Loading…
Reference in New Issue
Block a user