Content View

Contains the data structure used by the application.
Specurity Aspects
Name
Description
The system database should only accept statements that have been generated by the system itself. In order to avoid SQL-injection attacks within generated statements, parameterized queries should be used.
Prevents an attackers actions without the user’s consent.
Specification Elements
Name
Description
models how cross-site-request-forgery (CSRF) should be repelled.
Records how SQL injections (and others injection attacks) are prevented. In most programming languages, SQL prepared statements shield from SQL injection, but other solutions, as e.g., server-sided stored procedures could also be used.
Explains how the component is shielded from unvalidated input. The most secure way is to whitelist characters and not to accept anything else.
Denotes in which state of the application a certain component is used.

  • Security Aspects

    • SQL-Injection Prevention

      The system database should only accept statements that have been generated by the system itself. In order to avoid SQL-injection attacks within generated statements, parameterized queries should be used.
      Specification Elements:
      InjectionPrevention
      InputValidation
      Threats:
      Tampering with Data
      Information Disclosure
      Denial of Service
      Elevation of Privileges

    • Cross-Site-Request-Forgery Prevention

      Prevents an attackers actions without the user’s consent.
      Specification Elements:
      CSRFPrevention
      InputValidation
      Threats:
      Tampering with Data
      Repudiation
      Information Disclosure
      Denial of Service
      Elevation of Privileges

    Specification Elements

    • CSRFPrevention

      models how cross-site-request-forgery (CSRF) should be repelled.
      Applies to:
      Entity
      Component

    • InjectionPrevention

      Records how SQL injections (and others injection attacks) are prevented. In most programming languages, SQL prepared statements shield from SQL injection, but other solutions, as e.g., server-sided stored procedures could also be used.
      Applies to:
      Entity
      Component

    • InputValidation

      Explains how the component is shielded from unvalidated input. The most secure way is to whitelist characters and not to accept anything else.
      Applies to:
      Entity
      Component

    • UsedInStates

      Denotes in which state of the application a certain component is used.
      Applies to:
      Entity
      Component
      State