Development Lifecycle & Security Requirements

Question 1

STRIDE

Answer 1

Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of Privilege

Question 2

Spoofing

Answer 2

Pretending to be something or someone other than yourself.

Question 3

Tampering

Answer 3

Modifying something on disk, on a network, or in memory.

Question 4

Repudiation

Answer 4

Claiming that you didn’t do something, or were not responsible.

Question 5

Information Disclosure

Answer 5

Providing information to someone not authorized to see it.

Question 6

Denial of Service

Answer 6

Absorbing resources needed to provide service.

Question 7

Elevation of Privilege

Answer 7

Allowing someone to do something they’re not authorized to do.

Question 8

Defense in depth

Answer 8

If they break into this, they can’t get any farther.

Question 9

Least privilege

Answer 9

Every user or module is given the least amount of privilege it
needs.

Question 10

Fail securely

Answer 10

Take care of exceptions properly! To prevent error message info leak and putting the system on a weird state.

Question 11

Security by obscurity

Answer 11

Don’t rely on obscurity as security.

Question 12

Detect and Record

Answer 12

Useful for post-mortem analysis.

Question 13

Dont trust [input | environment | dependencies | *]

Answer 13

Know what, whom and how to trust.

Question 14

KISS

Answer 14

Keep It Simple Stupid to minimize attack surface.

Question 15

What should use cases include?

Answer 15

Actors, preconditions, main flow of primary scenario, alternative scenarios and how the system reacts to use cases.

Question 16

Misuse vs Abuse Cases

Answer 16

Misuse is unintentional but still security related.

Abuse is intentional and implies the actor is actively looking for vulnerabilities.