Step 5. Document the Threats


To document the threats to your application, use a template that captures several threat attributes, similar to the two tables below. The threat description and the threat target are the essential attributes. Leave the risk rating blank at this stage; it is filled in during the final stage of the threat modeling process, when you prioritize the identified threats. Other attributes you may want to include are the attack techniques, which also highlight the vulnerabilities being exploited, and the countermeasures required to address the threat.

Table 3.4: Threat 1

Threat description     Attacker obtains authentication credentials by monitoring the network
Threat target          Web application user authentication process
Risk                   (left blank until the threats are prioritized)
Attack techniques      Use of network monitoring software
Countermeasures        Use SSL to provide an encrypted channel

Table 3.5: Threat 2

Threat description     Injection of SQL commands
Threat target          Data access component
Risk                   (left blank until the threats are prioritized)
Attack techniques      Attacker appends SQL commands to the user name, which is used to form a SQL query
Countermeasures        Use a regular expression to validate the user name, and use a stored procedure that uses parameters to access the database
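The two countermeasures from Table 3.5 worked through as an added example (not code from the book): an in-memory SQLite table stands in for the data access component, and a parameterised query stands in for the parameterised stored procedure, since SQLite has no stored procedures. The table contents and the user-name allow-list are constructed for the example.

```python
import re
import sqlite3

# Allow-list for user names (constructed for this example): letters, digits,
# underscore, dot and dash, 3 to 32 characters. fullmatch() is used so a
# trailing newline cannot slip past a '$' anchor.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")


def open_sample_db():
    """Constructed sample data standing in for the data access component."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def valid_user_name(name):
    """Countermeasure 1: validate the user name with a regular expression."""
    return USERNAME_RE.fullmatch(name) is not None


def lookup_role_unsafe(conn, name):
    """The 'before' picture from Table 3.5: the user name is pasted into the
    SQL text, so anything appended to it is executed as part of the query."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_role_parameterised(conn, name):
    """Countermeasure 2: the name travels as a bound parameter, so the
    database treats it as data and never as SQL text."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def lookup_role(conn, name):
    """Both countermeasures together: reject the name before it reaches the
    data access layer, then query with a parameter. Returns None on reject."""
    if not valid_user_name(name):
        return None
    return lookup_role_parameterised(conn, name)
```

Running the three lookups against the same appended-SQL user name shows the unsafe query returning every row, the parameterised query returning nothing, and the validated path rejecting the input before any query is issued.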




Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
Year: 2003
Pages: 613
