secure-software-engineering/Exercise/Writeup/lab03.md
2022-06-07 12:25:47 +02:00

1.6 KiB

Lab 3: Security Risk Assessment

Security Threats

Below is a list of security threats identified from applying STRIDE to the metaverse system DFD. After that we analyzed likelihood and impact (in-class discussion) to assess the risk of each threat. From the lab slides we also selected possible mitigations.

DFD-Element Concern Example Likelihood Impact Mitigation
User Spoofing Send a chat message in the name of another user Possible Moderate Cookie Authentication
User Information Disclosure Stolen credentials cookie might be used to login Unlikely Severe Input Validation (XSS)
User Login Tampering Modify HTTP login header Very Likely Severe HTTP over TLS or Digital signatures
Login Denial of Service Flood server with login requests Unlikely Minor ACL (Fail2Ban)
Login Spoofing Domain spoofing to impersonate server Very Unlikely Severe PKI & DNSSec
Login Tampering Tamper the credentials of the user Unlikely Significant 2FA
Database Information Disclosure SQL Injection Likely Severe Validation

Notes:

  • At this point in modeling we have to assume, we have no security features.
  • Modifying HTTP headers thus results in a risk mitigation that we require secure connections

Possible Attacks