Enterprise Library Test Guide - Willy .Net
Testing for Security Best Practices 141
Threat 11: Altering the log file's directory path in the configuration file
STRIDE classification: Tampering, Denial of Service, Elevation of Privilege
Risk: High
Mitigation: No
Investigative notes: None
Table 28 lists the DREAD rating for threat 11.

Table 28: Threat 11 DREAD Rating

    D   R   E   A   D   Total   Rating
    3   3   2   3   3   14      High
Table 29 lists details about threat 12.

Table 29: Logging Application Block Threat 12

Threat 12: The Debug.Assert statements can cause a denial of service when the application is in debug mode
Name: Debug.Assert statements halt code while in debug mode
Entry points: Public classes and static methods
Threat description: The LogEntry public class has a static method named GetProcessName. The method uses the NativeMethods class to retrieve the name of the current process. (The NativeMethods class calls unmanaged APIs.) If an exception is thrown inside a call to unmanaged code and the process name is not properly returned, the Debug.Assert statement displays a message box. This message box requires a user to select Abort, Retry, or Ignore before the application can proceed. This can constitute a denial of service attack in the case of service applications.
Countermeasures: Remove all Debug.Assert statements from the Logging Application Block code before it is shipped.
STRIDE classification: Denial of Service
Risk: High
Mitigation: No
Investigative notes: The following code shows an example of a Debug.Assert statement that should be removed.

    public static string GetProcessName()
    {
        StringBuilder buffer = new StringBuilder(1024);
        // Unmanaged call: on failure length is 0 and the buffer contents are undefined.
        int length = NativeMethods.GetModuleFileName(
            NativeMethods.GetModuleHandle(null), buffer, buffer.Capacity);
        // This line can halt the code when in debug mode: a failed call raises an
        // Abort/Retry/Ignore message box that blocks a service until a user responds.
        Debug.Assert(length > 0);
        return buffer.ToString();
    }
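A hardened form of GetProcessName, as an added example that is not the Enterprise Library's own code: the Debug.Assert is replaced by explicit checking of the unmanaged return value, so a failed call is reported to the caller instead of blocking a service with a message box. The NativeMethods P/Invoke declarations, the TryGetProcessName helper and the ProcessInfo class name are assumptions for this example.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Text;

// Assumed P/Invoke declarations (the page does not show NativeMethods itself).
internal static class NativeMethods
{
    // Handle of the calling process's executable when lpModuleName is null.
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    internal static extern IntPtr GetModuleHandle(string lpModuleName);

    // Copies the module path into lpFilename; returns the character count, 0 on
    // failure, or nSize with ERROR_INSUFFICIENT_BUFFER when the path was truncated.
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    internal static extern int GetModuleFileName(IntPtr hModule, StringBuilder lpFilename, int nSize);
}

public static class ProcessInfo
{
    private const int ErrorInsufficientBuffer = 122; // Win32 ERROR_INSUFFICIENT_BUFFER
    private const int MaxCapacity = 32768;            // upper bound for the retry loop

    // Returns true and the process executable path on success. On failure it returns
    // false and the Win32 error code instead of halting in a Debug.Assert message box,
    // so a service built in debug mode keeps running and can log the failure.
    public static bool TryGetProcessName(out string name, out int win32Error)
    {
        int capacity = 1024;
        while (true)
        {
            StringBuilder buffer = new StringBuilder(capacity);
            int length = NativeMethods.GetModuleFileName(
                NativeMethods.GetModuleHandle(null), buffer, buffer.Capacity);
            int error = Marshal.GetLastWin32Error(); // read before any other call
            if (length == 0)
            {
                name = string.Empty;
                win32Error = error;
                return false;
            }
            if (length == buffer.Capacity && error == ErrorInsufficientBuffer && capacity < MaxCapacity)
            {
                capacity *= 2; // path was truncated; retry with a larger buffer
                continue;
            }
            name = buffer.ToString(0, length);
            win32Error = 0;
            return true;
        }
    }
}
```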