Shostack + Friends Blog Archive


Elevation of Privilege (Web Edition) Question

Someone wrote to me to ask:

A few cards are not straightforward to apply to a webapp situation (some seem to assume a proprietary client) – do you recommend discarding them, or perhaps you have thought of a way to rephrase them somehow?

For example:

“An attacker can make a client unavailable or unusable but the problem goes away when the attacker stops”

I don’t have a great answer, but I’m thinking someone else might have taken it on.

For Denial of Service attacks in the Microsoft SDL bug bar, we roughly break things down into a matrix of (server, client) × (persistent, temporary). That doesn’t seem right for web apps. Is there a better approach, and perhaps even one that can translate into some good threat cards?
