A worked example: Scope in the backlog
When they voted, the team decided that three threats
were the most risky- and worthy of fixes.
Authorisation bypass direct to API
Although the user has to be logged in to see the page (is authenticated), the team realised
there is nothing to stop unauthenicated requests direct to the API. This would have been a
pretty major flaw if it had made it into production! The team had not spotted it before
They added the following acceptance criteria to the story so it can be tested explicitly
as part of story sign-off.
GIVEN an API request from the single page app to the API
WHEN there is no valid authorisation token for the current user included in the request
THEN the API request is rejected as unauthorised
XSS or injection via user input
The user profile feature allows user input for personal details, addresses and delivery
preferences. These details are interpreted by various legacy backend systems which may be vulnerable
to SQL and XML injection attacks.
The team knew that they would be implementing a lot of features in coming iterations which accept input
from the user and store it in the backend. Rather than add these kinds of checks to every single story they
added the following to the team's definition of done. These means it can be checked for at
story sign-off consistently.
All API changes tested for sanitisation of XSS, SQL and XML injection
Denial of service from Internet
The security specialist
who attended the session from the cyber risk team advised that loss of revenue due to distributed
denial of service by online criminals had been highlighted in their work.
Given this requirement involves integrating the software with a third-party security service, in this
case a content delivery network- the team wrote a specific story to capture the required work. The security
specialist agreed to pair with the team on implementation.
As a cyber risk specialist
I need all Internet facing UI and API requests to pass through the Content Delivery Network
So that we can mitigate loss of revenue due to denial of service by criminals
With the work defined and ready to be added to the backlog, the threat modelling session is complete.
Until next time!