# Lab 2: Secure Software Design

## Security Requirements

Security Pattern [Catalog](https://people.cs.kuleuven.be/~koen.yskout/icse15/catalog.pdf).

### Security Requirement Analysis

| Task | Title | Pattern idea |
| - | -------- | -------- |
| A | Enforce Password Policy, Single sign-on, Strong Authentication, Smart Cards | Credential Tokenizer, Single Sign-on, (Single Access Point) |
| B | User data disclosure and write protection | Encrypted Storage |
| C | Isolation of critical and non-critical domains | Server Sandbox, (DMZ) |
| D | Do not require login on every transaction | Session, Load Balancing (-> JWT) |
| E | Bank Clerk Operation Tracking | Secure Logger, Controlled Object Monitor |
| F | Bank Account Information Privacy, Transaction Authorization | MFA, Fraud Detection |
| G | Mobile Device Communication Security | PKI, Public-Private Key Encryption -> Secure Pipe |

## Security Tactics

Possible exam question: Name the differences between patterns and tactics and name a few of each category.

*aka. goals*

| Pattern | Tactic | Weakness |
| -------- | -------- | -------- |
| Credential Tokenizer, SAP | Reduce # of Passwords | Brute Force SAP Provider/Credential |
| Encrypted Storage | Limit Wallet Control & History Access | Weak PIN Exposes Access |
| Server Sandbox | Prevent Harm from Unknown Vulns | Weak Auth, Insecure Containers |
| Session, Secure Session T | Avoid Repeated Authentication | Session Token Theft |
| Text | | Text |
| Text | Text | Text |
| Text | Text | Text |

> !?! so now we're just adding random patterns because we feel like it, instead of suggesting a requirement to be added