Update markdown files

2022-06-07 10:19:10 +02:00 · 2022-06-07 10:19:10 +02:00 · 176966e16b
commit 176966e16b
parent eb633ad307
2 changed files with 32 additions and 13 deletions
--- a/Exercise/Writeup/lab02.md
+++ b/Exercise/Writeup/lab02.md
@ -1,20 +1,18 @@
 # Lab 2: Secure Software Design

-[WriteMd](https://writemd.rz.tuhh.de/876-Mxb3SeupKelDQ7eTvA?view)
-
 ## Security Requirements

 Security Pattern [Catalog](https://people.cs.kuleuven.be/~koen.yskout/icse15/catalog.pdf).

 ### Security Requirement Analysis

-| Task | Title | Pattern idea | Tactics |
-| - | -------- | -------- | -------- |
-| A | Enforce Password Policy, Single sign-on, Strong Authentication, Smart Cards | Credential Tokenizer, Single Sign-on, (Single Access Point) | Authenticate Users, Limit Exposure |
+| Task | Title                                                                    | Pattern idea             |
+| - | --------                                                                    | --------                 |
+| A | Enforce Password Policy, Single sign-on, Strong Authentication, Smart Cards | Credential Tokenizer, Single Sign-on, (Single Access Point) |
 | B | User data disclosure and write protection                                   | Encrypted Storage        |
 | C | Isolation of critical and non-critical domains                              | Server Sandbox, (DMZ)         |
 | D | Do not require login on every transaction                                   | Session, Load Balancing (-> JWT) |
-| E | Bank Clerk Operation Tracking | Secure Logger |
+| E | Bank Clerk Operation Tracking                                               | Secure Logger, Controlled Object Mnitor            |
 | F | Bank Account Information Privacy, Transaction Authorization                 | MFA, Fraud Detection |
 | G | Mobile Device Communication Security                                        | PKI, Public-Private Key Encryption -> Secure Pipe |

@ -24,5 +22,14 @@ Possible exam question: Name the differences between patterns and tactics and na

 *aka. goals*

-## Security Patterns
-*e. g. SSO, MFA, OTP*
+| Pattern                    | Tactic                                | Weakness                            |
+| --------                   | --------                              | --------                            |
+| Credential Tokenizer, SAP  | Reduce # of Passwords                 | Brute Force SAP Provider/Credential |
+| Encrypted Storage          | Limit Wallet Control & History Access | Weak PIN Exposes Access             |
+| Server Sandbox             | Prevent Harm from Unknown Vulns       | Weak Auth, Insecure Containers,     |
+| Session, Secure Session T  | Avoid Repeated Authentication         | Session Token Theft                 |
+| Text                       |  | Text     |
+| Text                       | Text     | Text     |
+| Text                       | Text     | Text     |
+
+> !?! so now we're just adding random patterns because we feel like it, instead of suggesting a requirement to be added
--- a/Exercise/Writeup/lab03.md
+++ b/Exercise/Writeup/lab03.md
@ -0,0 +1,12 @@
+# Lab 3
+
+## Stride examples
+
+| DFD-Element | Concern | Example |
+| -- | -- | -- |
+| User | Spoofing | Send a chat message in the name of another user |
+| User | Spoofing | Stolen credentials might be used to login |
+| User Login | Tampering | Modify HTTP login header |
+| Login | Denial of Service | Flood server with login requests |
+| Login | Spoofing | Domain spoofing to impersonate server |
+| Database | Information Disclosure | SQL Injection |