secure-software-engineering/Exercise/Writeup/lab02.md
2022-06-07 10:19:10 +02:00


Lab 2: Secure Software Design

Security Requirements

Security Pattern Catalog.

Security Requirement Analysis

| Task | Title | Pattern idea |
|------|-------|--------------|
| A | Enforce Password Policy, Single sign-on, Strong Authentication, Smart Cards | Credential Tokenizer, Single Sign-on, (Single Access Point) |
| B | User data disclosure and write protection | Encrypted Storage |
| C | Isolation of critical and non-critical domains | Server Sandbox, (DMZ) |
| D | Do not require login on every transaction | Session, Load Balancing (-> JWT) |
| E | Bank Clerk Operation Tracking | Secure Logger, Controlled Object Monitor |
| F | Bank Account Information Privacy, Transaction Authorization | MFA, Fraud Detection |
| G | Mobile Device Communication Security | PKI, Public-Private Key Encryption -> Secure Pipe |

Security Tactics

Possible exam question: Name the differences between patterns and tactics and name a few of each category.

aka. goals

| Pattern | Tactic | Weakness |
|---------|--------|----------|
| Credential Tokenizer, SAP | Reduce # of Passwords | Brute Force SAP Provider/Credential |
| Encrypted Storage | Limit Wallet Control & History Access | Weak PIN Exposes Access |
| Server Sandbox | Prevent Harm from Unknown Vulns | Weak Auth, Insecure Containers, |
| Session, Secure Session T | Avoid Repeated Authentication | Session Token Theft |
| Text | Text | |
| Text | Text | Text |
| Text | Text | Text |

!?! so now we're just adding random patterns because we feel like it, instead of suggesting a requirement to be added