Decomposition: roles
User Roles
| Name | Description | Authentication |
|---|---|---|
| Admin | Administrators have complete and unrestricted access to Notices, Partner Accounts and Logs. | Windows |
| Partner | Partners can create, read and update Notices. | Basic |
| User | Users can read and update Notices. | Forms |
Service Roles
| Name | Description | Authentication |
|---|---|---|
| APP Role | Identity APP is running as. | Windows Integrated (ApplicationPoolIdentity) |
| SVC Role | Identity SVC is running as. | Windows Integrated (Local System) |
| MSMQ Role | Identity MSMQ is running as. | Windows Integrated (Network Service) |
Decomposition (2): components
Components
| Name | Roles | Type | Run As | Communication Channel | Technology | Uses |
|---|---|---|---|---|---|---|
| APP | Admin, User | Website | APP Role | HTTPS | C#, ASP.NET MVC 5 | Cryptography, File I/O |
| API | Partner | Website | API Role | HTTPS | C#, ASP.NET MVC 5 | Cryptography, File I/O |
| SVC | MSMQ | Windows Service | SVC Role | TCP/IP | C# | Cryptography, File I/O |
Decomposition (3): data
Data
| Name | Description | Data Elements | Data Stores |
|---|---|---|---|
| Form | Defines structure of a Notice | Fields | Database |
Access Control
| Role | Access Control | Remarks |
|---|---|---|
| Admin | C R U D | |
| Partner | R | Limited information. Form must be published. |
| User | | |
What can go wrong? (2): checklists
CAPEC: https://capec.mitre.org/data/index.html
OWASP ASVS: https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification...
OWASP AppSensor: https://www.owasp.org/index.php/AppSensor_DetectionPoints
How to prioritize? Convert threat to risk
Risk
  Loss event frequency
    Threat event frequency
    Probability that threat agent actions result in loss
  Loss magnitude
Resources
OWASP Cornucopia: https://www.owasp.org/index.php/OWASP_Cornucopia
EoP Card Game: https://www.microsoft.com/en-us/SDL/adopt/eop.aspx
STRIDE: http://blogs.microsoft.com/cybertrust/2007/09/11/stride-chart
FAIR: http://www.risklens.com/what-is-fair
SAFECode: http://www.safecode.org/publications