TUHH/secure-software-engineering
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
ff46ca5eeb
secure-software-engineering/Exercise/Writeup/lab01.md
Márk Varga ff46ca5eeb Add harm analysis section
2022-05-02 22:13:51 +02:00

46 lines
2.1 KiB
Markdown
Raw Blame History

# Lab 1: Security Requirements
## Metaverse User Stories
`Metaverse Users` are referred to as users here.
User | Task | Goal | Context | Action | Outcomes
-- | -- | -- | -- | -- | --
User | perform authorized payment transactions | only I can make transactions in my name | An adversary knows my payment information | he tries to pay with my info | the payment is declined if not authorized by me
Developer | access user configurations (avatars, config) | personalize the user experience of my applications
Teacher | make physical course material available in the metaverse | students can see them in virtual reality
User | have a unique identification key in bound to my avatar | everyone can recognize my avatar | my avatar is public | my avatar is used by another user | the user cannot impersonate my identity because he doesn't know the key
User | virtual home to be self or zero knowledge hosted | my privacy can not be intruded
Corrections:
- User stories are more non-functional and should not contain less security aspects, rather the use-case functionality
User | Task | Goal
-- | -- | --
User | Perform a payment | Acquire a virtual/physical asset
User | Add and remove friends | Keep track of what my friends are up to
User | Set home privacy | Prevent strangers from entering my home
User | Use voice chat | Communicate with other users
User | Fast travel | Quickly get to another location in the virtual space
User | Give another user an item | Sell/Gift assets
## Assets
- User identity
- User belongings
- Friends lists
- Public image of system
- Voice data
### Harm analysis
Action | Asset | Harm
-- | -- | --
Steal user credentials | User identity | User information compromised, belongings stolen
Accept unwanted friend request | Friends lists | User information partially compromised, trust acquired
Unmute user microphone without consent | Voice data | User privacy compromised
### *'Achieve'* goals
- Always use multi-factor authentication for users
-
Reference in New Issue View Git Blame Copy Permalink