Web application security - the fast guide 1.1 | Page 52
Chapter 3 - Vulnerabilities and threat models
The results of threat risk modeling are used by designers, developers and testers to
make better design choices concerning the main functions and the technologies to be
implemented, the code itself, and the test cases written to check for the identified vulnerabilities.
3.5 Threats and vulnerabilities models - STRIDE
A classification scheme used to categorize different threats. The name is an
abbreviation composed of the first letter of each of the threat types it covers:
Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and
Elevation of privilege.
3.5.1 Spoofing:
This class of threats relates to faking an identity: interacting with the application
as a different user than the one actually making the request.
3.5.2 Tampering with data:
This threat class is about changing and manipulating data, for instance altering the
information delivered to the user, or bypassing input validation to inject malicious
content into the data the application stores or processes.
3.5.3 Repudiation:
The risk of a transaction being denied. If no trace is kept of each transaction, with
the possibility to uniquely identify the transaction owner, anyone who initiated a
transaction can later claim “I did not do it”.
3.5.4 Information disclosure:
It is very important to use every available means to protect user information, or any
other sensitive information, from being disclosed, because disclosure can lead to large
financial loss (for example when card information is disclosed) or, at the least, to
privacy-related legal issues and loss of reputation.