Download Safari Books Online apps: Apple iOS | Android

Entire Site

Safari Books Online

    Free Trial

    Safari Books Online is a digital library providing on-demand subscription access to thousands of learning resources.


    • Create BookmarkCreate Bookmark
    • Create Note or TagCreate Note or Tag
    • DownloadDownload
    • PrintPrint
    Share this Page URL
    Help

    Chapter 1. Secure by Design > DEFINING THE SECURITY ENVIRONMENT

    1.3. DEFINING THE SECURITY ENVIRONMENT

    In order to start protecting your application against vulnerabilities, you need to know what the threats to the application are and which are the most important. Before you can even list the threats your application will face, you need to know something about the world the application finds itself in. We can define the application's world in terms of users (both legitimate and otherwise), objects of value that the application holds or accesses, and ways data gets in, around, and out of the application. These are the most important aspects of the threat model, because without a good understanding of the way the app will be used (and misused) there is no way to be sure that the vulnerabilities you invest time in protecting are important or even present in the app. There is no benefit in protecting against SQL injection attacks, for example, if the application does not communicate with a database.

    THREAT MODEL: THYTUNES MUSIC APPLICATION

    Throughout this section we'll look at the example of ThyTunes, a free Mac application that allows users to import their own music as well as to buy music from an online store. Music can be organized in the application's library into playlists and synchronized with the ThyTunes application on an iPhone. Music can also be shared over the network with other copies of ThyTunes. And of course the music can be played. None of the analyses for the ThyTunes application shown here will be complete, so see if you can think of any examples of attackers, assets, or threats that are not covered in this chapter. For each new example you think of, consider how important it is in relation to the listed examples; i.e., how important an attack using your new example would be to the application. Think, too, about whether any of the examples here or any examples you come up with are relevant to your own applications, and about applying the reasoning described here to your own app.



      

    You are currently reading a PREVIEW of this book.

                                                                                            

    Get instant access to over
    $1 million worth of books and videos.

      

    Start a Free Trial