Web application security - the fast guide 1.1 | Page 52

Chapter 3 - Vulnerabilities and threat models

The results of threat risk modeling are used by designers, developers and testers to make better design choices concerning the main functions and the technologies to implement, the code, and the test cases that check for the identified vulnerabilities.

3.5 Threats and vulnerabilities models - STRIDE

STRIDE is a classification scheme used to categorize different threats. The name is an abbreviation composed of the first letter of each of the threat types: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service.

3.5.1 Spoofing: this class of threats is related to identity faking, i.e. interacting with the application as a different user.

3.5.2 Tampering data: this threat class is about changing and manipulating data, such as altering the information delivered to the user or bypassing input validation to include malicious content.

3.5.3 Repudiation: the risk that a transaction is denied. If no trace is kept of each transaction, with the possibility of uniquely identifying the transaction owner, anyone who initiates a transaction can later say "I did not do it".

3.5.4 Information disclosure: it is very important to use every possible means to secure user information, or any sensitive information, from being disclosed, because disclosure might lead to large financial losses (as with card information disclosure) or at least to privacy-related legal issues and reputation loss.
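As an added illustration of the tampering and repudiation classes above (example code written for this edition, not taken from the book): an audit trail that attributes every transaction to its authenticated actor and chains each record to the previous one with an HMAC, so that a modified or deleted record is detected when the log is verified. The key value, the field names and the function names are constructed for this example.

```python
import hmac
import hashlib
import json
from datetime import datetime, timezone

# Constructed demo key: a real deployment loads it from a secret store, never from source.
AUDIT_KEY = b"constructed-demo-key-do-not-use"
GENESIS_MAC = "0" * 64  # MAC "before" the first entry, so entry 0 is chained too


def _entry_mac(key, prev_mac, payload):
    """HMAC over the previous entry's MAC plus this payload; links the entry to its predecessor."""
    msg = prev_mac.encode() + b"\n" + json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_entry(log, key, actor, action, target):
    """Record who (the authenticated user id) did what to which object, chained to the prior entry."""
    prev_mac = log[-1]["mac"] if log else GENESIS_MAC
    payload = {
        "seq": len(log),                                  # position, so deletions are visible
        "time": datetime.now(timezone.utc).isoformat(),
        "actor": actor,                                   # identity the session was bound to
        "action": action,
        "target": target,
    }
    log.append({"payload": payload, "mac": _entry_mac(key, prev_mac, payload)})
    return log[-1]


def verify_log(log, key):
    """Return (True, None) if the chain is intact, else (False, index of the first bad entry)."""
    prev_mac = GENESIS_MAC
    for i, entry in enumerate(log):
        expected = _entry_mac(key, prev_mac, entry["payload"])
        if entry["payload"]["seq"] != i or not hmac.compare_digest(expected, entry["mac"]):
            return False, i
        prev_mac = entry["mac"]
    return True, None
```

Because each MAC covers the previous MAC, changing one record's actor field or removing a record breaks every later link, so a user cannot later claim "I did not do it" without the tampering being evident in the trail.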