SWE210 Software Security Week 6

A collection of vocabulary flashcards summarizing key concepts from the Software Security lecture on Threat Modeling.

Threat Modeling

The process of systematically analyzing a system for vulnerabilities.

Vulnerability

A weakness in a system that can be exploited by threats.

Specification Phase

The early design phase where threat modeling is most effective.

Security Push

A collective effort by team members to meet security goals during development.

Data Flow Diagram (DFD)

A tool used to track the origin, transformation, and storage of data within a system.

Interactors

Agents existing outside the system, providing input and consuming output.

Processors

Locations in a program where data is transformed or where checks are performed.

Trust Boundaries

Areas of differing levels of security or trust within a system.

DFD Symbols

Visual representations used in Data Flow Diagrams to denote various system components.

Spoofing

Pretending to be someone else to gain unauthorized access to systems or data.

Tampering

Changing data maliciously to achieve unauthorized outcomes.

Repudiation

Denying or disallowing an action, usually hiding tracks post-attack.

Information Disclosure

Exposing confidential data to unauthorized individuals.

Denial of Service (DoS)

An attack that makes a service unavailable to legitimate users.

Elevation of Privilege

Gaining higher access levels than normally permitted.

Threat Trees

Graphical representations showing root attacks that may lead to subsequent threats.

D.R.E.A.D

A risk assessment model considering Damage potential, Reproducibility, Exploitability, Affected users, and Discoverability.

Mitigation

The process of reducing or removing threats from a system.

SQL Injection

A code injection technique that attackers use to exploit vulnerabilities in databases.

Brute-force Attack

A method of trying multiple password combinations to gain unauthorized access.

Security Checkpoints

Points in the system that help verify and ensure data integrity and security.

Internal Threats

Risks originating from within an organization, such as employees mishandling data.

User Input

Data provided to the system by users, which can sometimes be exploited.

Access Control Mechanism

A system or method to regulate who can view or use resources within a computing environment.

Application Security

Measures and practices designed to protect applications from threats.

Iterative Process

A repetitive method working towards improvements over successive iterations.