To help us understand the security needs of an application, it can be useful to think about the information that the application deals with in the following basic terms: Confidentiality, Integrity, and Availability (C.I.A.).
- To what degree does that application deal with data that needs to remain confidential?
- How important is it that the application data can be trusted to be accurate and protected by validation and authorization protocols?
- How important is it that the application data is available at all times?
Once we have a better understanding of the security implications for the application, it is useful to be able to identify specific threats to our security objectives. The Web Application Security Consortium maintains a detailed list of the types of threats that may exist for Web applications. A simple acronym, devised at Microsoft, covers six basic categories of application security threat: Spoofing identity, Tampering with data, Repudiation, Information disclosure, Denial of service, Elevation of privilege (S.T.R.I.D.E.).
- Spoofing identity
- User can assume the identity of another.
- Tampering with data
- User can manipulate data inappropriately.
- Repudiation
- User can perform an action and later deny having done it.
- Information disclosure
- Private or confidential information is exposed.
- Denial of service
- User can interrupt service to others.
- Elevation of privilege
- User can perform operations which they are not normally authorized to perform.
Threat and Vulnerability Risk Analysis
Beyond the well-known classes of vulnerabilities, it is not realistic to expect to know about every possible threat or vulnerability in an application. It is therefore useful to have a way to analyze the risk associated with a particular threat or vulnerability. There are various ways to analyze risk, but one simple scheme rates each of the following parameters from 0 to 10 and takes the average of the five ratings as the overall risk score: Damage potential, Reproducibility, Exploitability, Affected users, Discoverability (D.R.E.A.D.).
- Damage potential
- How much damage could be caused? (0=Nothing; 5=Individual user or data item affected; 10=Complete system or data compromised)
- Reproducibility
- How easily is the exploit reproduced? (0=Very difficult; 5=One or two steps; 10=Simple, no authorization or tools needed)
- Exploitability
- What is needed to exploit the vulnerability? (0=Advanced knowledge and tools; 5=Malware or simple tools; 10=No special tools or knowledge)
- Affected users
- How many users would be affected? (0=None; 5=Some; 10=All)
- Discoverability
- How easily is the vulnerability discovered?* (0=Very difficult, needs source code; 5=Guessing or eavesdropping; 9=Details are publicly known; 10=Details are obvious to the average user)
- *Discoverability is usually assumed to be 10 for any vulnerability that is already known to the team, even if it has not been published, since attackers should be assumed able to find it as well.
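The S.T.R.I.D.E. categories and the D.R.E.A.D. parameters above can be combined into a small triage tool that tags each threat with its category, scores it, and ranks the result. The following is an added example and not code from the original page; it assumes the conventional D.R.E.A.D. rating (the arithmetic mean of the five 0 to 10 scores, as in Microsoft's original scheme), applies the footnote's rule that a vulnerability already known to the team is scored 10 for discoverability, and uses constructed sample threats and High/Medium/Low thresholds that are illustrative assumptions only.

```python
# Added example: STRIDE-tagged threat list scored with DREAD.
# Not from the original page. Assumptions: the overall DREAD rating is the
# arithmetic mean of the five 0..10 parameters (Microsoft's original
# convention); the High/Medium/Low thresholds and the sample threats are
# constructed for illustration only.
from dataclasses import dataclass
from enum import Enum


class Stride(Enum):
    """The six S.T.R.I.D.E. threat categories."""
    SPOOFING = "Spoofing identity"
    TAMPERING = "Tampering with data"
    REPUDIATION = "Repudiation"
    INFO_DISCLOSURE = "Information disclosure"
    DOS = "Denial of service"
    ELEVATION = "Elevation of privilege"


DREAD_FIELDS = ("damage", "reproducibility", "exploitability",
                "affected_users", "discoverability")


@dataclass
class Threat:
    name: str
    category: Stride
    damage: int            # 0 nothing .. 10 complete system/data compromise
    reproducibility: int   # 0 very difficult .. 10 trivial, no auth or tools
    exploitability: int    # 0 advanced knowledge/tools .. 10 nothing special
    affected_users: int    # 0 none .. 10 all
    discoverability: int   # 0 needs source code .. 10 obvious to average user
    known: bool = False    # already known to the team (footnote rule)

    def __post_init__(self) -> None:
        # Reject scores outside the page's 0..10 scale early.
        for name in DREAD_FIELDS:
            value = getattr(self, name)
            if not isinstance(value, int) or not 0 <= value <= 10:
                raise ValueError(f"{name} must be an integer in 0..10, got {value!r}")

    def effective_discoverability(self) -> int:
        # Footnote rule: a vulnerability we already know about is treated as
        # fully discoverable even if it has not been published.
        return 10 if self.known else self.discoverability

    def score(self) -> float:
        # Assumed convention: mean of the five parameters, so the result is
        # also on a 0..10 scale.
        parts = [self.damage, self.reproducibility, self.exploitability,
                 self.affected_users, self.effective_discoverability()]
        return sum(parts) / len(parts)


def rate(score: float) -> str:
    """Map a 0..10 DREAD score to a band. Thresholds are an assumption."""
    if score >= 7:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def rank_threats(threats: list[Threat]) -> list[Threat]:
    """Highest risk first; ties keep their input order (sorted is stable)."""
    return sorted(threats, key=lambda t: t.score(), reverse=True)


def worst_per_category(threats: list[Threat]) -> dict[Stride, Threat]:
    """Highest-scoring threat in each STRIDE category present in the list."""
    worst: dict[Stride, Threat] = {}
    for t in threats:
        if t.category not in worst or t.score() > worst[t.category].score():
            worst[t.category] = t
    return worst


# Constructed sample threats for a hypothetical web shop (not real findings).
SAMPLE_THREATS = [
    Threat("Session token is sequential", Stride.SPOOFING, 10, 10, 5, 10, 5),
    Threat("Cart price comes from a hidden form field", Stride.TAMPERING, 5, 10, 10, 5, 10),
    Threat("Any user can purge the audit log", Stride.REPUDIATION, 5, 5, 5, 5, 0, known=True),
    Threat("Stack trace shown on 500 error page", Stride.INFO_DISCLOSURE, 5, 10, 10, 10, 10),
    Threat("Unbounded file upload fills the disk", Stride.DOS, 10, 5, 5, 10, 5),
]


if __name__ == "__main__":
    for t in rank_threats(SAMPLE_THREATS):
        print(f"{t.score():4.1f} {rate(t.score()):6} {t.category.value:24} {t.name}")
```

Note the audit-log threat: scored on its face it averages 4.0, but because it is marked `known=True` the footnote rule lifts discoverability to 10 and the overall score to 6.0, which is exactly the kind of shift the footnote is warning about.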