Imagine your team has used three Cornucopia suits (Authentication, Authorization, and Data Validation & Encoding) to identify threats pertinent to your project:
- Authentication: 3, 4, 8, 5
- Authorization: 5, 9, Q, K
- Data Validation & Encoding: 2, 7, 8
The next steps involve creating PBIs from these identified cards.
Prioritizing the Cards
Cornucopia inherently recommends sorting the cards by their value, providing a preliminary order. However, this prioritization can be adjusted based on specific project needs and insights.
- Authorization-K
- Authorization-Q
- Authorization-9
- Data Validation & Encoding-8
- Authentication-8
- Data Validation & Encoding-7
- Authorization-5
- Authentication-4
- Authentication-3
- Data Validation & Encoding-2
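As an added example (not code from the Cornucopia project), the following Python reproduces the preliminary ordering above from the card values; the page does not state a tie-break for cards of equal rank, so the order of the suits in the Cornucopia deck is assumed as the tie-break. Run on the input listed at the top, it also places Authentication-5, which the ordered list above omits.

```python
# Added example: reproduce the preliminary Cornucopia card ordering.
# Cards are written "Suit-Rank", the same notation used on this page.

# Suit order of the Cornucopia deck (Ecommerce Website Edition). It is used here
# only as a tie-break for equal ranks; that tie-break is this example's
# assumption, not a rule stated on the page.
SUIT_ORDER = [
    "Data Validation & Encoding",
    "Authentication",
    "Session Management",
    "Authorization",
    "Cryptography",
    "Cornucopia",
]

# Card values: number cards by face value, then Jack, Queen, King.
# Aces and the Joker do not appear on the page, so they are rejected
# rather than given a guessed value.
RANK_VALUE = {str(n): n for n in range(2, 11)}
RANK_VALUE.update({"J": 11, "Q": 12, "K": 13})


def card_key(card: str) -> tuple[int, int]:
    """Sort key: higher rank first, then deck suit order for ties."""
    suit, rank = card.rsplit("-", 1)
    if suit not in SUIT_ORDER:
        raise ValueError(f"unknown Cornucopia suit: {suit!r}")
    if rank not in RANK_VALUE:
        raise ValueError(f"unsupported card rank: {rank!r}")
    return (-RANK_VALUE[rank], SUIT_ORDER.index(suit))


def prioritize(identified: dict[str, list[str]]) -> list[str]:
    """Flatten {suit: [ranks]} into 'Suit-Rank' cards in priority order."""
    cards = [f"{suit}-{rank}" for suit, ranks in identified.items() for rank in ranks]
    return sorted(cards, key=card_key)


# Constructed input: the three suits and cards from the workshop described above.
IDENTIFIED = {
    "Authentication": ["3", "4", "8", "5"],
    "Authorization": ["5", "9", "Q", "K"],
    "Data Validation & Encoding": ["2", "7", "8"],
}

if __name__ == "__main__":
    for card in prioritize(IDENTIFIED):
        print(card)
```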
Let's use the following three cards for detailed examination:
- Authorization-K
- Data Validation & Encoding-8
- Authentication-4
Scenario 1: Analyzing Authorization-K
While the development team assumes that server-side controls are implemented, they acknowledged that there is no logging in place for changes to the allocation of roles to users. You wrote this on the scorecard for Authorization-K:
- “Add Logging to each change of role-allocation for a user”.
You simply create the Product Backlog Item: “Add logging to all changes of user-information in the application”.
Scenario 2: Analyzing Data Validation & Encoding-8
Without specific notes for this card, you rely solely on its identified relevance. The steps are as follows:
- Review the ASVS mapping provided on the card.
- Reference control 1.1.6 of the ASVS 4.0 standard, emphasizing the need for centralized security controls.
This review highlights the absence of a unified approach to sanitizing input data, prompting the creation of a PBI: “Establish a centralized mechanism for sanitizing all system input data.”
!! Consult the OWASP Cheat Sheet Series Index !!
The Cheat Sheet Series offers invaluable insights into securing software development. It's recommended that the Technical Lead review the cheat sheets related to the identified cards to uncover potential security gaps, benefiting from their language-specific secure coding examples.
Scenario 3: Analyzing Authentication-4
The ease of enumerating user accounts, due to predictable email address patterns, is noted. Despite the inability to alter company email policies, it’s decided to acknowledge this threat and seek IT guidance on mitigation strategies. This scenario does not result in a new PBI.
Prioritizing Product Backlog Items
Security threats should be treated like any other backlog item, with the Technical Lead and Product Owner collaboratively prioritizing the PBIs.