👮‍♂️ Node Security

👋 FYI, this note is over 6 months old. Some of the content may be out of date.
On this page

OWASP Top Ten

Node Jump to heading

Express middlewares Jump to heading

Threat modelling Jump to heading

STRIDE Jump to heading

Threat Desired property
Spoofing Authenticity
Tampering Integrity
Repudiation Non-repudiability
Information disclosure (privacy breach or data leak) Confidentiality
Denial of Service Availability
Elevation of Privilege Authorisation

Attack tree Jump to heading

Attack trees are conceptual diagrams showing how an asset, or target, might be attacked. Attack trees have been used in a variety of applications. In the field of information technology, they have been used to describe threats on computer systems and possible attacks to realize those threats. However, their use is not restricted to the analysis of conventional information systems. They are widely used in the fields of defense and aerospace for the analysis of threats against tamper resistant electronics systems (e.g., avionics on military aircraft).[1] Attack trees are increasingly being applied to computer control systems (especially relating to the electric power grid ).[2] Attack trees have also been used to understand threats to physical systems.

DREAD Jump to heading

DREAD is part of a system for risk-assessing computer security threats previously used at Microsoft and although currently used by OpenStack and other corporations[citation needed] it was abandoned by its creators [1]. It provides a mnemonic for risk rating security threats using five categories.

The categories are:

  • Damage – how bad would an attack be?
  • Reproducibility – how easy is it to reproduce the attack?
  • Exploitability – how much work is it to launch the attack?
  • Affected users – how many people will be impacted?
  • Discoverability – how easy is it to discover the threat?

← Back home