2.3 KiB
2.3 KiB
Lab 2: Secure Software Design
Security Requirements
Security Pattern Catalog.
Security Requirement Analysis
Task | Title | Pattern idea |
---|---|---|
A | Enforce Password Policy, Single sign-on, Strong Authentication, Smart Cards | Credential Tokenizer, Single Sign-on, (Single Access Point) |
B | User data disclosure and write protection | Encrypted Storage |
C | Isolation of critical and non-critical domains | Server Sandbox, (DMZ) |
D | Do not require login on every transaction | Session, Load Balancing (-> JWT) |
E | Bank Clerk Operation Tracking | Secure Logger, Controlled Object Mnitor |
F | Bank Account Information Privacy, Transaction Authorization | MFA, Fraud Detection |
G | Mobile Device Communication Security | PKI, Public-Private Key Encryption -> Secure Pipe |
Security Tactics
Possible exam question: Name the differences between patterns and tactics and name a few of each category.
aka. goals
Pattern | Tactic | Weakness |
---|---|---|
Credential Tokenizer, SAP | Reduce # of Passwords | Brute Force SAP Provider/Credential |
Encrypted Storage | Limit Wallet Control & History Access | Weak PIN Exposes Access |
Server Sandbox | Prevent Harm from Unknown Vulns | Weak Auth, Insecure Containers, |
Session, Secure Session T | Avoid Repeated Authentication | Session Token Theft |
Text | Text | |
Text | Text | Text |
Text | Text | Text |
!?! so now we're just adding random patterns because we feel like it, instead of suggesting a requirement to be added