Enterprise Library Test Guide - Willy .Net
Identify Any Additional Security Notes
Additional security notes are other threats or information that are not covered elsewhere. Table 6 lists the Logging Application Block additional security notes.
Table 6: Logging Application Block Additional Security Notes
No. Notes
1 The configuration file or the custom configuration store should be protected by ACLs or, if possible, encrypted.
2 The application must have the proper ACLs and privileges to log messages to different resources such as the event log, a database, a message queue, an SMTP server, and the file system. The application must also have the correct ACLs and privileges to raise WMI events.
3 Log messages that contain sensitive information should be protected by ACLs or else encrypted.
4 Log messages should be encrypted when sent over a network.
Building the Threat Models
After you have analyzed the application block, you can build the threat models. Threat models identify threats against specific resources, assets, and trust boundaries, pinpoint vulnerabilities, and provide countermeasures. Each table contains a STRIDE classification. STRIDE is the acronym used at Microsoft to categorize different threat types. STRIDE stands for Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege. To learn more about STRIDE, see Threats and Countermeasures in Improving Web Application Security: Threats and Countermeasures on MSDN.
A DREAD table follows each threat model. DREAD stands for Damage potential, Reproducibility, Exploitability, Affected users, and Discoverability. In DREAD, you assign each of these categories a number that rates the potential risk it poses to your application. To learn more about DREAD, see Threat Modeling in Improving Web Application Security: Threats and Countermeasures on MSDN.
Table 7 lists details about threat 1.
Table 7: Logging Application Block Threat 1
Threat 1
Name: Tampering with assemblies
Entry points: Assemblies
Threat description: The Logging Application Block assemblies are not strong named.
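Threat 1 can be checked on deployed binaries before the DREAD rating is assigned. The following Python is an added example, not code from the Test Guide or from Enterprise Library: it parses the PE and CLI headers of a managed assembly and reports whether the STRONGNAMESIGNED flag is set and a strong-name signature blob is present. Because no real assembly is on the page, build_fixture constructs a minimal PE32 image as test input; the function names and layout constants are the example's own (offsets follow ECMA-335 II.25.3.3).

```python
import struct

COMIMAGE_FLAGS_STRONGNAMESIGNED = 0x8   # CLI header flag bit (ECMA-335 II.25.3.3.1)
CLR_DIRECTORY_INDEX = 14                # PE data directory slot of the CLI header

def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset using (virtual_address, virtual_size, raw_pointer) tuples."""
    for va, vsize, raw_ptr in sections:
        if va <= rva < va + vsize:
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x lies outside every section" % rva)

def strong_name_status(data: bytes) -> dict:
    """Return whether the STRONGNAMESIGNED flag is set and a signature blob slot is filled."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)          # PE32 vs PE32+ data directories
    clr_rva, _ = struct.unpack_from("<II", data, dirs + CLR_DIRECTORY_INDEX * 8)
    if clr_rva == 0:
        raise ValueError("no CLI header: not a managed assembly")
    sections = []
    for i in range(nsections):                             # section headers are 40 bytes each
        vsize, va, _, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)
        sections.append((va, vsize, raw_ptr))
    clr = _rva_to_offset(clr_rva, sections)
    flags = struct.unpack_from("<I", data, clr + 16)[0]    # Flags field of the CLI header
    sig_rva, sig_size = struct.unpack_from("<II", data, clr + 32)  # StrongNameSignature
    return {"flag_set": bool(flags & COMIMAGE_FLAGS_STRONGNAMESIGNED),
            "signature_present": sig_rva != 0 and sig_size != 0}

def build_fixture(signed: bool) -> bytes:
    """Constructed minimal PE32 image with one section holding a CLI header (test data only)."""
    clr_rva = 0x2000
    sig_rva, sig_size, flags = (clr_rva + 0x100, 128, 0x9) if signed else (0, 0, 0x1)
    cli = struct.pack("<IHHIIIIIIII", 72, 2, 5, clr_rva + 0x48, 0x80, flags, 0, 0, 0, sig_rva, sig_size)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = struct.pack("<H", 0x10B).ljust(96 + CLR_DIRECTORY_INDEX * 8, b"\0")
    opt = (opt + struct.pack("<II", clr_rva, 72)).ljust(224, b"\0")
    sec = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", 0x200, clr_rva, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    header = dos + b"PE\0\0" + coff + opt + sec
    return header.ljust(0x200, b"\0") + cli.ljust(0x200, b"\0")
```

Run it over a real file with strong_name_status(open(path, "rb").read()); a result of flag_set False or signature_present False means the assembly is not strong named. This is a presence check only, so confirm a positive result with a tool that verifies the signature against the public key (for example sn.exe -vf).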