diff --git a/Exercise/Writeup/lab02.md b/Exercise/Writeup/lab02.md index f2c64e9..621484b 100644 --- a/Exercise/Writeup/lab02.md +++ b/Exercise/Writeup/lab02.md @@ -1,22 +1,20 @@ # Lab 2: Secure Software Design -[WriteMd](https://writemd.rz.tuhh.de/876-Mxb3SeupKelDQ7eTvA?view) - ## Security Requirements Security Pattern [Catalog](https://people.cs.kuleuven.be/~koen.yskout/icse15/catalog.pdf). ### Security Requirement Analysis -| Task | Title | Pattern idea | Tactics | -| - | -------- | -------- | -------- | -| A | Enforce Password Policy, Single sign-on, Strong Authentication, Smart Cards | Credential Tokenizer, Single Sign-on, (Single Access Point) | Authenticate Users, Limit Exposure | -| B | User data disclosure and write protection | Encrypted Storage | -| C | Isolation of critical and non-critical domains | Server Sandbox, (DMZ) | -| D | Do not require login on every transaction | Session, Load Balancing (-> JWT) | -| E | Bank Clerk Operation Tracking | Secure Logger | -| F | Bank Account Information Privacy, Transaction Authorization | MFA, Fraud Detection | -| G | Mobile Device Communication Security | PKI, Public-Private Key Encryption -> Secure Pipe | +| Task | Title | Pattern idea | +| - | -------- | -------- | +| A | Enforce Password Policy, Single sign-on, Strong Authentication, Smart Cards | Credential Tokenizer, Single Sign-on, (Single Access Point) | +| B | User data disclosure and write protection | Encrypted Storage | +| C | Isolation of critical and non-critical domains | Server Sandbox, (DMZ) | +| D | Do not require login on every transaction | Session, Load Balancing (-> JWT) | +| E | Bank Clerk Operation Tracking | Secure Logger, Controlled Object Mnitor | +| F | Bank Account Information Privacy, Transaction Authorization | MFA, Fraud Detection | +| G | Mobile Device Communication Security | PKI, Public-Private Key Encryption -> Secure Pipe | ## Security Tactics 
@@ -24,5 +22,14 @@ Possible exam question: Name the differences between patterns and tactics and na *aka. goals* -## Security Patterns -*e. g. SSO, MFA, OTP* +| Pattern | Tactic | Weakness | +| -------- | -------- | -------- | +| Credential Tokenizer, SAP | Reduce # of Passwords | Brute Force SAP Provider/Credential | +| Encrypted Storage | Limit Wallet Control & History Access | Weak PIN Exposes Access | +| Server Sandbox | Prevent Harm from Unknown Vulns | Weak Auth, Insecure Containers, | +| Session, Secure Session T | Avoid Repeated Authentication | Session Token Theft | +| Text | | Text | +| Text | Text | Text | +| Text | Text | Text | + +> !?! so now we're just adding random patterns because we feel like it, instead of suggesting a requirement to be added \ No newline at end of file diff --git a/Exercise/Writeup/lab03.md b/Exercise/Writeup/lab03.md new file mode 100644 index 0000000..1795d94 --- /dev/null +++ b/Exercise/Writeup/lab03.md @@ -0,0 +1,12 @@ +# Lab 3 + +## Stride examples + +| DFD-Element | Concern | Example | +| -- | -- | -- | +| User | Spoofing | Send a chat message in the name of another user | +| User | Spoofing | Stolen credentials might be used to login | +| User Login | Tampering | Modify HTTP login header | +| Login | Denial of Service | Flood server with login requests | +| Login | Spoofing | Domain spoofing to impersonate server | +| Database | Information Disclosure | SQL Injection | \ No newline at end of file
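Review bot: In the lab02.md requirements table (hunk `@@ -1,22 +1,20 @@`), row E misspells the pattern as "Controlled Object Mnitor"; it should read "Controlled Object Monitor". The same hunk drops the Tactics column and with it row A's "Authenticate Users, Limit Exposure". The Pattern/Tactic/Weakness table added in the next hunk does not carry these over (it lists only "Reduce # of Passwords" for Credential Tokenizer), so either record them there or say in the commit message why they were dropped.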
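Review bot: The Pattern/Tactic/Weakness table added to lab02.md (hunk `@@ -24,5 +22,14 @@`) still ends in three placeholder rows (`| Text | Text | Text |`, one with an empty Tactic cell), so the patterns chosen for tasks E to G (Secure Logger, MFA, Fraud Detection, Secure Pipe) have no tactic or weakness yet; fill them in or drop the rows before merging. "Secure Session T" looks truncated, and the Server Sandbox weakness cell ends in a dangling comma. The trailing `> !?! so now we're just adding random patterns ...` blockquote reads as an unresolved review remark and belongs in the discussion rather than in the writeup. The hunk also removes the "## Security Patterns" heading, leaving the table directly under the "aka. goals" line, and the file now ends without a newline.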
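Review bot: The STRIDE table in the new lab03.md covers only Spoofing, Tampering, Denial of Service and Information Disclosure; Repudiation and Elevation of Privilege have no row, so add an example for each or state that the lab asked only for these four. The DFD-Element column mixes "User Login" and "Login" for what appears to be the same process, so pick one name and use it consistently. The "Domain spoofing to impersonate server" row is about the server's identity and would be clearer with the server as the element. The heading should spell the acronym "STRIDE", and the file ends without a trailing newline.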