Your company sells toys online worldwide, which is supported by a three-tiered E-Commerce web-based system. As a security professional, you are participating in a threat modeling meeting. Which of the following is the least concern?
A. Processing in the business logic tier
B. Rendering output to the data tier
C. Accepting input from the presentation tier
D. Data flow between tiers
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. Processing in the business logic tier.
It’s appropriate to treat threat modeling as risk management in software engineering. Threats to the application or software are identified, analyzed, evaluated, and treated. Threat modeling can be conducted at any stage of the software development life cycle. However, it’s common to review designs or architecture in the design stage. Designs such as data flow, network architecture, software architecture, and the like are reviewed to identify threat scenarios or attack vectors. The data flow diagram (DFD) is the most well-known diagram used in threat modeling.
Data flow happens between the input and output interfaces of the software or system components. Attack vectors are identified by focusing on the data flows, input interfaces, and output interfaces. The total number of attack vectors is called the attack surface.
Processing in the business logic tier can be vulnerable, but finding such flaws needs dynamic testing. Threat modeling that focuses on data flow is essentially a static review, so it is not as effective as dynamic testing for that purpose. As a result, processing in the business logic tier is the least concern when conducting threat modeling.
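To make the attack-surface reasoning above concrete, here is an added example (not code from the original post or its author) that models the three-tier shop as a small data flow diagram, treats every flow that crosses a trust boundary as exposing one output interface on the sender and one input interface on the receiver, and counts those interfaces as the attack surface. The element names, trust zones, and flows are constructed assumptions for illustration; note that the internal "pricing calculation" step inside the business logic zone never appears as a vector, which is exactly why internal processing is the least concern for a data-flow-centred static review.

```python
"""Enumerate attack vectors from a DFD of a three-tier web shop.

Added example for this post, not the author's code. The tiers, trust
zones and data flows below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Element:
    """A DFD element (external entity, process or data store) and its trust zone."""
    name: str
    zone: str


@dataclass(frozen=True)
class Flow:
    """A directed data flow from one DFD element to another."""
    src: Element
    dst: Element
    data: str


@dataclass(frozen=True)
class AttackVector:
    """One exposed interface: the sending (output) or receiving (input) end of a flow."""
    element: str
    interface: str   # "output" on the sender, "input" on the receiver
    data: str
    peer_zone: str   # trust zone on the other side of the boundary


def crosses_trust_boundary(flow: Flow) -> bool:
    """A flow is an attack vector candidate only if it leaves its trust zone."""
    return flow.src.zone != flow.dst.zone


def enumerate_attack_vectors(flows: List[Flow]) -> List[AttackVector]:
    """Each boundary-crossing flow exposes two interfaces: sender output, receiver input."""
    vectors: List[AttackVector] = []
    for f in flows:
        if not crosses_trust_boundary(f):
            continue  # internal processing/flows inside one zone are not vectors
        vectors.append(AttackVector(f.src.name, "output", f.data, f.dst.zone))
        vectors.append(AttackVector(f.dst.name, "input", f.data, f.src.zone))
    return vectors


def attack_surface(flows: List[Flow]) -> int:
    """The attack surface, as the post defines it: the total number of attack vectors."""
    return len(enumerate_attack_vectors(flows))


def vectors_by_element(flows: List[Flow]) -> Dict[str, int]:
    """How many exposed interfaces each tier has; elements with none are absent."""
    counts: Dict[str, int] = {}
    for v in enumerate_attack_vectors(flows):
        counts[v.element] = counts.get(v.element, 0) + 1
    return counts


# Constructed model of the toy shop (hypothetical zones and flows)
browser = Element("customer browser", "internet")
web = Element("presentation tier", "dmz")
app = Element("business logic tier", "app")
pricing = Element("pricing calculation", "app")   # internal step, same zone as app
db = Element("data tier", "db")

SHOP_FLOWS = [
    Flow(browser, web, "order form"),        # crosses internet -> dmz
    Flow(web, browser, "rendered page"),     # crosses dmz -> internet
    Flow(web, app, "order request"),         # crosses dmz -> app
    Flow(app, web, "order result"),          # crosses app -> dmz
    Flow(app, db, "order record"),           # crosses app -> db
    Flow(db, app, "price and stock rows"),   # crosses db -> app
    Flow(app, pricing, "cart lines"),        # stays inside the app zone
    Flow(pricing, app, "order total"),       # stays inside the app zone
]

if __name__ == "__main__":
    for v in enumerate_attack_vectors(SHOP_FLOWS):
        print(f"{v.element:20s} {v.interface:6s} {v.data!r} <-> zone {v.peer_zone}")
    print("attack surface:", attack_surface(SHOP_FLOWS))
```

Run as a script, the listing shows the exposed input and output interfaces of each tier; the business logic tier is reviewed at its four boundary-crossing interfaces, while the processing it performs internally produces no entry in the list and would have to be examined by dynamic testing instead.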
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get their copy from the author’s web site.