Wednesday, June 6, 2018

Security Testing | Security 4 No0bs - What's the RISK?

Risk Assessment:

Web Application Security Testing (pt.3)


Hey all,

In my previous post - Requirements - The Gathering - I briefly discussed requirements best practices and what it takes to get to analyzing a story and drafting the best possible test scenarios. From these scenarios, we get a list of potential requirements for the feature - in this case, login. With that, let's discuss risk assessment.

Below is the list of requirements derived from the previous post:
  • Login form fields are required
  • Login form allows only alphanumeric data; special characters are permitted only where expected
  • Login username is to allow a finite number of characters (or check for e-mail input)
  • Login password field allows a finite number of characters, of a particular format
  • Login form password text field is to be masked
  • Login error messages must be in the right font style and color
  • Login error messages must not communicate what the expected input should be
  • Login authentication must redirect the user to the proper destination - cannot be hijacked
  • Login session is managed server-side
  • Login URL must not pass authentication parameters
  • Login authentication cannot be manipulated in any way, giving non-auth'd users admin privileges
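As an added example (not code from the original post), here are a few automated checks a tester could run against the input-validation, error-message, URL and redirect requirements in the list above. The hostname, permitted character set and length limits are assumptions chosen for illustration.

```python
"""Constructed checks for several of the login requirements listed above.
The validators and limits are assumptions, not the post's or any product's code."""
import re
from urllib.parse import urlsplit, parse_qs

# Alphanumeric plus the special characters an e-mail style username is expected to carry.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]{3,64}$")
PASSWORD_MIN, PASSWORD_MAX = 12, 128          # finite password length (assumed limits)
AUTH_PARAMS = {"username", "user", "password", "passwd", "pwd", "token"}
ALLOWED_HOST = "app.example.com"               # assumed hostname of the application
GENERIC_ERROR = "Invalid username or password."  # never says which rule failed


def validate_login_fields(username, password):
    """Return (ok, message). Empty, overlong or malformed input is rejected, but the
    message is always the same so it does not reveal what the expected input is."""
    if not username or not password:
        return False, GENERIC_ERROR
    if not USERNAME_RE.fullmatch(username):
        return False, GENERIC_ERROR
    if not PASSWORD_MIN <= len(password) <= PASSWORD_MAX:
        return False, GENERIC_ERROR
    return True, ""


def url_leaks_credentials(url):
    """True if the login URL carries authentication parameters in its query string
    (keep_blank_values so an empty '?password=' is still flagged)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return any(key.lower() in AUTH_PARAMS for key in query)


def safe_redirect(next_url, allowed_host=ALLOWED_HOST):
    """Return a post-login destination that cannot be hijacked. Only a relative path
    or an http(s) URL on the allowed host is honoured; everything else (other hosts,
    scheme-relative '//host', 'javascript:', backslash tricks) falls back to '/'."""
    parts = urlsplit(next_url or "")
    if parts.scheme or parts.netloc:              # absolute or scheme-relative URL
        if parts.scheme in ("http", "https") and parts.netloc == allowed_host:
            return parts.path or "/"
        return "/"
    # Browsers normalise '\' to '/', so '/\evil' would become '//evil': reject it.
    if "\\" in parts.path or not parts.path.startswith("/"):
        return "/"
    return parts.path
```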

Now, let's look into: Threat Modeling

Source: https://www.owasp.org/index.php/Threat_Risk_Modeling

Threat modeling consists of 5 basic steps:

1. Identify Security Objectives

2. Survey the Application

3. Decompose it

4. Identify Threats

5. Identify Vulnerabilities