Back to the Example Payroll Application

After the threat analysis process, we end up with the threat model and technologies for our application listed in Table 2-4. Note again that the table lists just a subset of the entire set of technologies that could be used.

Table 2-4 Applying Mitigation Technologies to the Payroll Application

| Threat | STRIDE | Techniques and Technologies |
| --- | --- | --- |
| A malicious user views or tampers with personal payroll data en route from the Web server to the client or from the client to the Web server. | T & I | Kerberos authentication requires the users to authenticate themselves before the communications channel is established. Use SSL/TLS to protect the data from prying eyes as it travels between the client and the Web server. |
| A malicious user views or tampers with personal payroll data en route from the Web server to the COM component or from the component to the Web server. | T & I | Use DCOM encryption and integrity checking to protect the DCOM data from the Web server to the COM component. |
| A malicious user accesses or tampers with the payroll data directly in the databases. | T & I | Strong database server permissions restrict who can change the data in the database. |
| A malicious user views the LDAP authentication packets and learns how to reply to the authentication requests so that he can act on behalf of the user. | S, I & E | Requiring IPSec from the Web server to the LDAP server protects all traffic, including the LDAP authentication requests. |
| A malicious user defaces the Web server by changing one or more Web pages. | T | Strong ACLs on Web pages allow only administrators full access to the ASP and HTML pages. |
| An attacker denies access to the payroll computer by flooding it with TCP/IP packets. | D | A packet-filtering firewall restricts what kind of packets can be passed onto the payroll database server. |
| An attacker deletes or modifies the audit logs. | T & R | Strong ACLs allow only certain users to modify or update the logs. MACs on log files allow you to detect when an unauthorized user has tampered with the data. |
| An attacker places his own payroll Web server on the network after killing the real payroll server. | S | Require SSL/TLS communications to determine server identity. |
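The "MACs on log files" mitigation in the audit-log row of Table 2-4 is easy to state and easy to get subtly wrong: a MAC over each record on its own catches modification of that record, but not deletion or reordering. The example below is added here and is not code from the book; it chains each record's HMAC to the previous record's MAC so that changing, removing or reordering any entry breaks verification from that point on. The key, the function names and the three log lines are constructed for illustration.

```python
"""Tamper-evident audit log using chained HMACs (added example, not from the book).

Each record carries an HMAC over its sequence number, its message and the
previous record's MAC. Modifying, deleting or reordering an entry therefore
invalidates that entry and every entry after it.
"""
import hashlib
import hmac
import json

# Constructed demonstration key. The real key must live somewhere the users
# who can write the log cannot read (e.g. a separate service or HSM), since
# anyone holding it can recompute valid MACs.
LOG_KEY = b"example-audit-key-not-for-production"

GENESIS_MAC = "0" * 64  # MAC "before" the first entry; anchors the chain


def _entry_mac(key: bytes, prev_mac: str, seq: int, message: str) -> str:
    """HMAC-SHA256 over the previous MAC, sequence number and message."""
    data = f"{prev_mac}|{seq}|{message}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def append_entry(log: list, message: str, key: bytes = LOG_KEY) -> dict:
    """Append a record whose MAC binds it to everything already in the log."""
    prev_mac = log[-1]["mac"] if log else GENESIS_MAC
    seq = len(log)
    entry = {"seq": seq, "msg": message, "mac": _entry_mac(key, prev_mac, seq, message)}
    log.append(entry)
    return entry


def verify_log(log: list, key: bytes = LOG_KEY) -> tuple:
    """Walk the chain. Returns (True, len(log)) if intact, else (False, i)
    where i is the index of the first entry that fails."""
    prev_mac = GENESIS_MAC
    for i, entry in enumerate(log):
        # A gap in the sequence numbers means an entry was deleted or moved.
        if entry["seq"] != i:
            return False, i
        expected = _entry_mac(key, prev_mac, entry["seq"], entry["msg"])
        # Constant-time comparison avoids leaking MAC bytes through timing.
        if not hmac.compare_digest(expected, entry["mac"]):
            return False, i
        prev_mac = entry["mac"]
    return True, len(log)


def build_sample_log() -> list:
    """Constructed sample entries in the spirit of the payroll application."""
    log = []
    for msg in (
        "user alice viewed payroll record 1042",
        "user bob updated salary for employee 2231",
        "admin carol changed ACL on /payroll/reports",
    ):
        append_entry(log, msg)
    return log


def demo() -> dict:
    """Show an intact log, a modified entry and a deleted entry."""
    log = build_sample_log()
    results = {"intact": verify_log(log)}

    tampered = json.loads(json.dumps(log))  # deep copy
    tampered[1]["msg"] = "user bob viewed payroll record 2231"
    results["modified"] = verify_log(tampered)

    deleted = json.loads(json.dumps(log))
    del deleted[1]
    results["deleted"] = verify_log(deleted)
    return results


if __name__ == "__main__":
    for name, (ok, idx) in demo().items():
        print(f"{name:9s} ok={ok} first_bad_or_count={idx}")
```

One gap the chain alone does not close: truncating the log at the tail (deleting only the most recent entries) still verifies, because nothing after the cut points back at it. The usual fix is to record the latest MAC and entry count somewhere the log writer cannot reach (a separate host, a write-once store, or a periodically signed checkpoint) and compare against it during verification. The strong ACLs named in the same table row are what keep the key and that checkpoint out of the hands of the users whose actions are being logged.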

Figure 2-3 shows what our payroll application looks like after applying appropriate security technologies to it.

Figure 2-3: The completed payroll application, with appropriate security technologies in place.

The net effect in our sample application is that security technologies are chosen only after the threats to the system have been analyzed. This is much better, and far more secure, than adding security features in an ad hoc and random fashion.

Important: Building secure systems is a complex matter. Designing secure systems by using threat models as the starting point for the overall architecture is a great way to add structure and discipline and to overcome chaos when building such systems.

Writing Secure Code, Second Edition
ISBN: 0735617228
Year: 2005
Pages: 153
