Application Security

Information Attributes

To help us understand the security needs of an application, it can be useful to think about the information that the application deals with in the following basic terms: Confidentiality, Integrity, and Availability (C.I.A.).

To what degree does that application deal with data that needs to remain confidential?
How important is it that the application data can be trusted to be accurate and protected by validation and authorization protocols?
How important is it that the application data is available at all times?

Threat Identification

Once we have a better understanding of what the security implications for the application will be, it is useful to be able to identify specific threats to our security objectives. The Web Application Security Consortium maintains a detailed list of the types of threats that may exist for Web applications. A simple acronym has been devised to cover some of the basic categories of application security threats: Spoofing identity, Tampering with data, Repudiation, Information disclosure, Denial of service, Elevation of privilege (S.T.R.I.D.E.).

Spoofing identity
User can assume the identity of another.
Tampering with data
User can manipulate data inappropriately.
User can perform an action and later deny it.
Information disclosure
Private or confidential information is exposed.
Denial of service
User can interrupt service to others.
Elevation of privilege
User can perform operations which they are not normally authorized to perform.

Threat and Vulnerability Risk Analysis

Other than some of the standard known vulnerabilities, it is not realistic to expect to know about every possible threat or vulnerability in an application. Therefore, it can be useful to have a way to analyze the risk associated with a particular threat or vulnerability. There are various ways to analyze risk but one simple scheme is based on the following parameters: Damage potential, Reproducibility, Exploitability, Affected users, Discoverability (D.R.E.A.D.).

Damage potential
How much damage could be caused? (0=Nothing; 5=Individual user or data item affected; 10=Complete system or data compromised)
How easily is the exploit reproduced? (0=very difficult; 5=one or two steps; 10=simple/no authorization or tools needed)
What is needed to exploit the vulnerability? (0=Advanced knowledge and tools; 5=Malware/simple tools; 10=No special tools or knowledge)
Affected users
How many users would be affected? (0=None; 5=Some; 10=All)
How easily is the vulnerability discovered?* (0=Very difficult, need source code; 5=Guessing or eavesdropping; 9=Details are publicly known; 10=Details are obvious to average user)
*Discoverability could be assumed to be 10 for a known vulnerability, even if it is not publicly known

Please also see The Open Web Application Security Project and their description of Threat Risk Modeling.