Security in our DNA

description

Today,we have a session named security in our DNA.I don't understand it at the beginning.After the session, my understanding is about the security in our code.

Questions

Q1: waht's is threat modelling?
A1:

• Structured shared understanding of What could go wrong
• Stories about how people could attack the system
• Small set of most likely scenarios we can use to prioritise further work.

---

Q2: the common threat categories?
A2:

• Spoofing: a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data, thereby gaining an illegitimate advantage.
• Tampering: such as a attacker change the DB, and makes the items sold reduced price.
• Repudiation: happens when an application or system does not adopt controls to properly track and log users' actions, thus permitting malicious manipulation or forging the identification of new actions, such as Logging, Auditing
• Information disclosure: exposing information to someone not authorised to see it.
• Denial of Service :Deny or degrade service to users.
• Elevation of Privilege: gain capabilities without using proper authentication.

---

Q3: In our project, what's the ranking of threats model?which one is most important?
A3:
• Damage
• Reproducibility
• Exploitability
• Affected users
• Discoverability

Action：

When we finish our project ,we should try to avoid these threats demaging our website.So we should make our our code strong, for example, when we save the password in database, we should use md5 to encrypt the password, then save in database is encrypted data and https in our project to instead of http.