Required Security Functionalities

Sárváry Krisztián edited this page Oct 16, 2020 · 2 revisions

Required security functionalities

To ensure that every security requirement is met, we need to introduce some security functionalities to the project. These are derived from the Security Requirements and Objectives and the analysis of the Threat Assessment.

Authentication

The webshop can only be used after registration and login, which means that user authentication is necessary. We decided to use password-based authentication because it is widely used and fairly straightforward to implement in the current context. The user or an administrator can initiate a password reset, in which case the user receives an email with a temporary password. After receiving this email, the user can use this password to log in and change the password within 15 minutes.

Password

To ensure a minimum level of security for passwords, a password policy is defined: a password should be at least 8 characters long.

The passwords have to be stored in a secure way. This is accomplished by hashing (PBKDF2 with a secure hash function) and salting (with a cryptographically secure random generator) the passwords.
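The sketch below shows one way to implement the policy and storage scheme described above. It is an added example, not code from the project: the hash function (SHA-256), the iteration count, the salt length, the `$`-separated record format and the function names are all assumptions, since the page specifies only PBKDF2, a secure hash function and a random salt.

```python
import hashlib
import hmac
import secrets

# Assumed parameters: the page names only PBKDF2, a secure hash and a random salt.
HASH_NAME = "sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
MIN_LENGTH = 8  # from the password policy on this page


def hash_password(password: str) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$hash_hex."""
    if len(password) < MIN_LENGTH:
        raise ValueError("password must be at least 8 characters long")
    salt = secrets.token_bytes(SALT_BYTES)  # fresh CSPRNG salt for every password
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_{HASH_NAME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count."""
    try:
        scheme, iterations, salt_hex, hash_hex = record.split("$")
        if scheme != f"pbkdf2_{HASH_NAME}":
            return False  # unknown scheme: fail closed
        candidate = hashlib.pbkdf2_hmac(
            HASH_NAME, password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
    except (ValueError, TypeError, OverflowError):
        return False  # malformed record: fail closed
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


def needs_rehash(record: str) -> bool:
    """True if a well-formed record was created with fewer iterations than the current setting."""
    return int(record.split("$")[1]) < ITERATIONS
```

Storing the iteration count and salt inside the record lets the work factor be raised later: a record that verifies but reports `needs_rehash` can be re-hashed at the user's next successful login.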

Database

To mitigate impersonation, database access is verified in the MySQL query by using certificates.

Communication

The communication channel between the server and the clients should be secure, which is ensured by HTTPS.

Session

Communication between the server and the client is session-based; secure information transmission is ensured by JWTs (JSON Web Tokens) signed with an asymmetric key.

DoS attack

A Denial-of-Service (DoS) attack is an attack in which the service is temporarily disrupted or made unavailable. The webshop shall be prepared for such attacks, which can be accomplished by rate limiting.