Respond to Threats


Once you have generated a list of threats and prioritized them, as shown earlier, you need to address each one. A good way to track these issues is to log a bug for each threat and set the bug's priority to match the priority you assigned in your threat analysis. You don't need a sophisticated bug-tracking application for this. You could, for example, log all threats to your application in a Microsoft Excel spreadsheet shared by everyone involved in finding, prioritizing and fixing the security issues behind those threats. For each threat you have the following choices:

  • Do nothing, knowingly accepting the risk, and leave your application exposed to the threat you've identified.

  • Add features or modify the application’s design to mitigate the threat.

  • Cut noncritical features that expose your application to considerable risk of attack.

When deciding how best to respond to each threat, ask yourself, "If attacked, would I be comfortable with the result?" If the answer is no, you should either fix the issue (possibly adding time to your schedule) or cut the noncritical feature that exposes the vulnerability. If you decide to do nothing, record that decision and the reasoning behind it in the same threat log, so that the risk is revisited later rather than silently forgotten.

For any security threat you address by fixing your code, add a comment at the point of the fix as a note for others (and for yourself when you review the code again in the future) highlighting the change that was made and the threat it mitigates; referencing the bug or spreadsheet entry that tracks the threat makes the connection easy to follow. This helps to ensure that you don't reintroduce the vulnerability at a later date. For example, if you make other changes to the same area of code, the comment should remind you to verify that you have not re-exposed the application to the original threat.

In addition to security-related code comments, you should have someone else review your fix before you check it in. Even if the reviewer doesn't completely understand the code you changed, the process of walking through and explaining the fix to someone else may prompt you to think of other issues, or to see problems with your fix that you didn't notice originally.




Security for Microsoft Visual Basic .NET
ISBN: 735619190
Year: 2003
Pages: 168