The problem is that the Average Developer doesn't really care too much about Secure Design, Threat Modeling and Attacker Stories. That stuff just gets in the way of fun (writing code) and profits (selling code) - though we might like to assert that we don't see much of the profits being six or seven layers deep from the President & CEO. So lets explore the Attacker Story by first understanding exactly what a Use Case represents.
Requirements
Use Cases
Consider a simple banking application use case for making a transfer:
As a user of the Banking App, I want to transfer funds out of my account into another account in order to meet my personal financial goals.
This use case helps us think about what a specific actor wants to do with a given resource and for a specific purpose.
Abuse Cases (Attacker Stories)
As an attacker, I can access a user's account and transfer funds to other accounts for the purpose of stealing money.
As an attacker, I cannot steal money by accessing a user's account and transfer money to other accounts.Just as in the use case, the abuse case causes an attentive developer and tester to ask questions:
- How does the user access the account?
- How do we prevent the attacker from gaining unauthorized access?
- How do we assert that user has permission to transfer funds?
- How do we prevent an attacker who has gained access to an account from stealing money?
Therefore, the Attacker Story helps us express the emergent security requirements from which we can design and implement controls and tests to prove the controls work. In the best situation, each use case should have one or more abuse cases.
We can (and many times should) create diagrams explaining both the use case and the abuse case. While the example below is patently simple, it does express the idea that we don't want an un-authenticated user performing the same functions as an authenticated user.
Nevertheless, in both instances we consider different aspects of the same usage. Perhaps one of the first questions we investigate is, "how does an attacker become an authenticated user without proper credentials?" Perhaps session hijacking is exploited, or perhaps we use a form of multi-factor authentication and the attacker has performed this SIM attack or this one.
We can (and many times should) create diagrams explaining both the use case and the abuse case. While the example below is patently simple, it does express the idea that we don't want an un-authenticated user performing the same functions as an authenticated user.
Nevertheless, in both instances we consider different aspects of the same usage. Perhaps one of the first questions we investigate is, "how does an attacker become an authenticated user without proper credentials?" Perhaps session hijacking is exploited, or perhaps we use a form of multi-factor authentication and the attacker has performed this SIM attack or this one.
No comments:
Post a Comment