Threats

From Guidance Share

Revision history: earlier revision of 06:39, 30 October 2006 by Admin; current revision of 07:49, 3 August 2007 by GardenTender. The 2007 revision replaced the sentence "Common software attacks are organized below by actionable categories." with the paragraph on threat categories that now follows the definition in the Overview.


Overview

A threat is an undesired event or a potential occurrence, often best described as an effect that might damage or compromise an asset or objective. It may or may not be malicious in nature. When building software, your software may face the threat of various software attacks.


The categories below organize common potential software attacks and undesirable events that can threaten your software security (e.g. the "threat of" a brute force attack, the "threat of" network eavesdropping, etc.). The threats listed here are technical rather than business threats, although they can certainly have a business impact. Technical threats are useful for assessing potential attacks and potential negative occurrences that arise from vulnerabilities.


Auditing and Logging

  • User denies performing an operation
  • Attackers exploit an application without leaving a trace
  • Attackers cover their tracks


Authentication

  • Network eavesdropping
  • Brute force attacks
  • Dictionary attacks
  • Cookie replay attacks
  • Credential theft


Authorization

  • Elevation of privilege
  • Disclosure of confidential data
  • Data tampering
  • Luring attacks


Configuration Management

  • Unauthorized access to administration interfaces
  • Unauthorized access to configuration stores
  • Retrieval of plaintext configuration secrets
  • Lack of individual accountability
  • Over-privileged process and service accounts


Cryptography

  • Poor key generation or key management
  • Weak or custom encryption
  • Checksum spoofing


Exception Management

  • Attacker reveals implementation details
  • Denial of service


Sensitive Data

  • Access to sensitive data in storage
  • Network eavesdropping
  • Data tampering


Input/Data Validation

  • Buffer overflows
  • Cross-site scripting
  • SQL injection
  • Canonicalization
  • Query string manipulation
  • Form field manipulation
  • Cookie manipulation
  • HTTP header manipulation


Session Management

  • Session hijacking
  • Session replay
  • Man in the middle