S - Spoofing, identity steal, pretending to be someone else
T - Tampering - changing data, permissions, system access etc
R - Repudiation - injecting data that will be not valid for service - to protect use schema validation for instance
I - Information disclosure - capturing some part of the system and listen to requests, for instance hacker subscribe to an events service that send confidential data to all subscribers - to protect we can implement zero trust model, meaning that each part of the system (i.e microservice) will only trust verified users/services with valid tokens etc.
D - Denial of service - flooding the service with lots of request results in system not being able to fulfill request leading to delays/failures in response
E - Escalation of privilege - Performing actions that the currently authenticate user does not have permissions to
I just wanted to thank you for sharing your blog post on how to be a good developer! It's really helpful to understand how to do the right things and avoid the wrong things when you're a developer. This article really helped me out and I'm glad I found it!ReplyDelete