Posts

Showing posts from October, 2021

Threat Modeling - Must Ask these questions !

The following baseline set of questions to put into Threat Modeling and Analysis in securing any piece of software is very critical. Authentication and Authorization  How do users and other actors in the system, including clients and servers, authenticate each other so that there is a guarantee against impersonation?   Do all operations in the system require authorization, and are these given to only the level necessary, and no more (for example, a user accessing a database has limited access to only those tables and columns they really need access to)? Third-party libraries and components Are all dependencies (both direct and transitive): Updated to mitigate all known vulnerabilities? Obtained from trusted sources (e.g., published by a well-known company or developer that promptly addresses security issues) and verified as originating from the same trusted source? Code-signing for libraries and installers is highly recommended—has code-signing been implemented? Does t...