Threat Model Name:
Owner:
Reviewer:
Contributors:
Description:
Assumptions:
External Dependencies:
| Status | Count |
|---|---|
| Not Started | 8 |
| Not Applicable | 0 |
| Needs Investigation | 0 |
| Mitigation Implemented | 0 |
| Total | 8 |
| Total Migrated | 0 |
Category: | Spoofing |
Description: | SQL Database may be spoofed by an attacker and this may lead to data being written to the attacker's target instead of SQL Database. Consider using a standard authentication mechanism to identify the destination data store. |
Justification: | <no mitigation provided> |
Category: | Tampering |
Description: | SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker. |
Justification: | <no mitigation provided> |
Category: | Denial Of Service |
Description: | Does OS Process or SQL Database take explicit steps to control resource consumption? Resource consumption attacks can be hard to deal with, and there are times when it makes sense to let the OS do the job. Be careful that your resource requests don't deadlock, and that they do time out. |
Justification: | <no mitigation provided> |
Category: | Tampering |
Description: | If OS Process is given access to memory, such as shared memory or pointers, or is given the ability to control what Browser Client executes (for example, by passing back a function pointer), then OS Process can tamper with Browser Client. Consider whether the function could work with less access to memory, such as passing data rather than pointers. Copy in the data provided, and then validate it. |
Justification: | <no mitigation provided> |
Category: | Elevation Of Privilege |
Description: | Browser Client may be able to impersonate the context of OS Process in order to gain additional privilege. |
Justification: | <no mitigation provided> |
Category: | Elevation Of Privilege |
Description: | OS Process may be able to impersonate the context of Browser Client in order to gain additional privilege. |
Justification: | <no mitigation provided> |
Category: | Spoofing |
Description: | SQL Database may be spoofed by an attacker and this may lead to incorrect data delivered to OS Process. Consider using a standard authentication mechanism to identify the source data store. |
Justification: | <no mitigation provided> |
Category: | Information Disclosure |
Description: | Improper data protection of SQL Database can allow an attacker to read information not intended for disclosure. Review authorization settings. |
Justification: | <no mitigation provided> |