Enterprise Library Test Guide - Willy .Net

More documents

Recommendations

Info

Testing for Security Best Practices 131 No. External Dependencies Descriptions 8 WMI The Logging Application Block uses WMI to raise events. 9 Performance counters The Logging Application Block uses performance counters to track its performance. Data Direction Push Push Trusted? Yes Yes Identify the Implementation Assumptions Implementation assumptions are premises about how the application block works. Implementers describe these assumptions when they write the specification for the application block and before they begin writing the code. Typically, these assumptions are reviewed again once the implementation is complete. Table 5 lists the implementation assumptions about the Logging Application Block. The term “application” refers to the application that uses the Logging Application Block. Table 5: Logging Application Block Implementation Assumptions No. Category Assumptions 1 ACLs for event log The event log’s ACLs protect the log against unauthorized users and processes. 2 Database access privileges 3 Message queuing access privileges 4 File system privileges 5 SMTP server privileges The application has the appropriate privileges to access the database. The application has the appropriate privileges to access the message queues. The application has the appropriate privileges to access the file system. The application has the appropriate privileges to use the SMTP server to send e-mail messages. 6 WMI privileges The application has the appropriate privileges to raise WMI events. 7 The application that uses the Data Access Application Block to log messages to a database 8 Other subsystems and application blocks 9 Performance counters The application can identify and authorize the Data Access Application Block. In this case, “identify” means that the application can trust the Data Access Application Block assemblies. Authorization means that the application has the correct SQL Server permissions to allow the appropriate groups of users to read and write to the database. The Logging Application Block is dependent on the Enterprise Library Core for configuration information and the Data Access Application Block to use the Database Trace Listener. The Logging Application Block must ensure that it uses the correct Enterprise Library Core assemblies for configuration and the correct Data Access Application Block assemblies to log messages to a database. The Logging Application Block requires the necessary read and write access permissions to use the performance counters. continued
132 Enterprise Library Test Guide Identify Any Additional Security Notes Additional security notes are other threats or information that are not covered elsewhere. Table 6 lists the Logging Application Block additional security notes. Table 6: Logging Application Block Additional Security Notes No. Notes 1 The configuration file or the custom configuration store should be protected by ACLs or, if possible, encrypted. 2 The application must have the proper ACLs and privileges to log messages to different resources such as the event log, a database, a message queue, an SMTP server, and the file system. The application must also have the correct ACLs and privileges to raise WMI events. 3 Log messages that contain sensitive information should be protected by ACLs or else encrypted. 4 Log messages should be encrypted when sent over a network. Building the Threat Models After you have analyzed the application block, you can build the threat models. Threat models identify threats against specific resources, assets, and trust boundaries, pinpoint vulnerabilities, and provide countermeasures. Each table contains a STRIDE classification. STRIDE is the acronym used at Microsoft to categorize different threat types. STRIDE stands for Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege. To learn more about STRIDE see Threats and Countermeasures in Improving Web Application Security: Threats and Countermeasures on MSDN. A DREAD table follows each threat model. DREAD stands for Damage potential, Reproducibility, Exploitability, Affected users, and Discoverability. In DREAD, you assign each of these categories a number that rates the potential risk it poses to your application. To learn more about DREAD, see Threat Modeling in Improving Web Application Security: Threats and Countermeasures on MSDN. Table 7 lists details about threat 1. Table 7: Logging Application Block Threat 1 Threat 1 Name Entry points Threat description Logging Application Block assemblies are not strong named. Tampering with assemblies Assemblies The Logging Application Block assemblies are not strong named.
Page 1 and 2:
Enterprise Library Test Guide
Page 3 and 4:
ISBN 0-7356-2389-9 Information in t
Page 5 and 6:
iv Contents Testing the Logging App
Page 8 and 9:
Introduction Enterprise Library Tes
Page 10 and 11:
Introduction This section provides
Page 12 and 13:
Introduction Performing Code Revie
Page 14 and 15:
Introduction Setting Up the Crypto
Page 16:
Introduction Acknowledgments The f
Page 19 and 20:
12 Enterprise Library Test Guide Pr
Page 21 and 22:
14 Enterprise Library Test Guide De
Page 23 and 24:
16 Enterprise Library Test Guide Co
Page 25 and 26:
18 Enterprise Library Test Guide Th
Page 27 and 28:
20 Enterprise Library Test Guide Te
Page 30 and 31:
Testing the Caching Application Blo
Page 32 and 33:
Testing the Application Block 25 Pr
Page 34 and 35:
Testing the Application Block 27 Af
Page 36 and 37:
Testing the Application Block 29 Co
Page 38 and 39:
Page 40 and 41:
Page 42 and 43:
Page 44 and 45:
Testing the Application Block 37 Te
Page 46 and 47:
Testing the Application Block 39 Te
Page 48 and 49:
Testing the Cryptography Applicatio
Page 50 and 51:
Page 52 and 53:
Page 54 and 55:
Page 56 and 57:
Page 58 and 59:
Page 60 and 61:
Page 62 and 63:
Testing the Data Access Application
Page 64 and 65:
Page 66 and 67:
Page 68 and 69:
Page 70 and 71:
Page 72 and 73:
Page 74 and 75:
Testing the Exception Handling Appl
Page 76 and 77:
Testing the Enterprise Library Core
Page 78 and 79:
Page 80 and 81:
Page 82 and 83:
Page 84 and 85:
Page 86 and 87:
Page 88 and 89: Testing the Enterprise Library Core
Page 90: Testing the Enterprise Library Core
Page 93 and 94: 86 Enterprise Library Test Guide Ta
Page 95 and 96: 88 Enterprise Library Test Guide De
Page 97 and 98: 90 Enterprise Library Test Guide Co
Page 103 and 104: 96 Enterprise Library Test Guide Te
Page 105 and 106: 98 Enterprise Library Test Guide Te
Page 108 and 109: Testing the Security Application Bl
Page 128: Testing the Security Application Bl
Page 131 and 132: 124 Enterprise Library Test Guide E
Page 133 and 134: 126 Enterprise Library Test Guide A
Page 135 and 136: 128 Enterprise Library Test Guide T
Page 137: 130 Enterprise Library Test Guide N
Page 151 and 152: 144 Enterprise Library Test Guide C
Page 157 and 158: 150 Enterprise Library Test Guide D
Page 159 and 160: 152 Enterprise Library Test Guide U
Page 163 and 164: 156 Enterprise Library Test Guide D
Page 166 and 167: Testing for Globalization Best Prac
Page 172: Testing for Globalization Best Prac
Page 175 and 176: 168 Enterprise Library Test Guide S
Page 179 and 180: 172 Enterprise Library Test Guide S
Page 181 and 182: 174 Enterprise Library Test Guide A
Page 187 and 188: 180 Enterprise Library Test Guide l
Page 189 and 190:
182 Enterprise Library Test Guide
Page 191 and 192:
Page 193 and 194:
186 Enterprise Library Test Guide T
Page 195 and 196:
Page 197 and 198:
Page 199 and 200:
192 Enterprise Library Test Guide I
Page 201 and 202:
194 Enterprise Library Test Guide O
Page 203 and 204:
Page 205 and 206:
Page 207 and 208:
200 Enterprise Library Test Guide P
Page 209 and 210:
202 Enterprise Library Test Guide C
Page 211 and 212:
Page 213 and 214:
Page 215 and 216:
Page 217 and 218:
Page 219 and 220:
Page 221 and 222:
Page 223 and 224:
216 Enterprise Library Test Guide Y
Page 225 and 226:
218 Enterprise Library Test Guide A
Page 227 and 228:
Page 229 and 230:
Page 231 and 232:
Page 233 and 234:
Page 235 and 236:
228 Enterprise Library Test Guide t
Page 237 and 238:
230 Enterprise Library Test Guide F
Page 239 and 240:
Page 241 and 242:
234 Enterprise Library Test Guide R
Page 243 and 244:
236 Enterprise Library Test Guide L
Page 245 and 246:
Page 247 and 248:
240 Enterprise Library Test Guide G
Page 249 and 250:
242 Enterprise Library Test Guide S
Page 251 and 252:
Page 253 and 254:
Page 255 and 256:
248 Enterprise Library Test Guide t
Page 257 and 258:
Page 259 and 260:
252 Enterprise Library Test Guide V
Page 261 and 262:
Page 263 and 264:
Page 265 and 266:
258 Index requirements, 55 scalabil
Page 267 and 268:
260 Index initialization cost, 171
Page 269:
262 Index Total Transactions value,
show all

Enterprise Library Test Guide - Willy .Net

Create successful ePaper yourself

Delete template?

Save as template?