Last week, I blogged about using threat models to identify and locate countermeasures. Now I would like to add a little more detail and context. Recall that the purpose of the threat model is to map threats to countermeasures, but the catalyst comes through some part(s) of the attack surface. There are several attack surface models out there; I use a simple one where the attack surface is the sum of the data + method + channel, which together entail the ways the system can be attacked.
- Data: XML
- Method: SOAP or HTTP Verbs
- Channel: HTTP

Countermeasure Located in Attack Surface:

| Threat | Data | Method | Channel |
|---|---|---|---|
| Spoofing | XML Signature (response only) | None | TLS/SSL |
| Tampering | XML Signature (response only) | None | TLS/SSL |
| Dispute | None | None | None |
| Information Disclosure | XML Encryption (response only) | None | SSL |
| Denial of Service | None | None | None |
| Elevation of Privilege | OAuth | OAuth | None |
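
The table above can be checked mechanically for coverage gaps. The following is an added example, not code from the original post: it encodes the table's rows and reports, per threat and message direction, whether any part of the attack surface carries a countermeasure. The names `MODEL`, `layers`, `classify` and `report` are hypothetical, and treating every entry not marked "(response only)" as covering both directions is an assumption.

```python
# Added example: the post's table encoded as data (rows copied from the table).
SURFACES = ("data", "method", "channel")

# threat -> {surface: (countermeasure, scope)}; a missing surface is "None" in the table.
# Scope "response" mirrors the table's "(response only)" note; scope "both" is an
# assumption for every entry the table does not qualify.
MODEL = {
    "Spoofing": {"data": ("XML Signature", "response"), "channel": ("TLS/SSL", "both")},
    "Tampering": {"data": ("XML Signature", "response"), "channel": ("TLS/SSL", "both")},
    "Dispute": {},
    "Information Disclosure": {"data": ("XML Encryption", "response"),
                               "channel": ("SSL", "both")},
    "Denial of Service": {},
    "Elevation of Privilege": {"data": ("OAuth", "both"), "method": ("OAuth", "both")},
}


def layers(threat, direction):
    """Surfaces that carry a countermeasure for this threat in this direction."""
    return [s for s in SURFACES
            if s in MODEL[threat] and MODEL[threat][s][1] in ("both", direction)]


def classify(threat, direction):
    """'gap' = no countermeasure anywhere, 'single layer' = one surface, else 'layered'."""
    n = len(layers(threat, direction))
    return "gap" if n == 0 else "single layer" if n == 1 else "layered"


def report():
    """Coverage status for every (threat, direction) pair in the model."""
    return {(t, d): classify(t, d) for t in MODEL for d in ("request", "response")}


if __name__ == "__main__":
    for (threat, direction), status in report().items():
        covered = ", ".join(layers(threat, direction)) or "-"
        print(f"{threat:24} {direction:9} {status:13} {covered}")
```

Run against the table, this shows that requests rely on the channel alone for spoofing, tampering and information disclosure, while Dispute and Denial of Service have no countermeasure on any surface.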