Architecture (A2): SDL Activities and Best Practices 109
• Cryptography
How are you keeping secrets (confidentiality)? How are you
tamper-proofing your data or libraries (integrity)? How are you
providing seeds for random values that must be cryptographically
strong? Cryptography refers to how your application enforces confidentiality and integrity.
• Exception Management
When a method call in your application fails, what does your application do? How much do you reveal? Do you return friendly error information to end users? Do you pass valuable exception information back to the caller? Does your application fail gracefully?
• Auditing and Logging
Who did what and when? Auditing and logging refer to how your
application records security-related events.
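An added example, not from the book, that applies the three review questions above to one request handler in Python: a leaky handler that hands the raw exception and stack trace to the caller, beside a hardened one that writes the full detail to a structured audit record (who did what, and when) keyed by a correlation id drawn from the CSPRNG-backed `secrets` module, and returns only a generic message with that id. The handler, `PaymentError`, the failing `charge_card` call and the in-memory audit sink are all constructed for illustration.

```python
"""Added example (not from the book): exception management plus audit logging
for one request handler.  Handler, error class and log format are assumptions."""
import json
import logging
import secrets          # CSPRNG-backed; never use `random` for security-relevant values
import traceback
from datetime import datetime, timezone

AUDIT_RECORDS = []      # stands in for an append-only audit sink (constructed)


class PaymentError(Exception):
    """Constructed domain error whose message carries internal detail."""


def charge_card(user, amount):
    # Constructed failure: host name and SQL fragment end up in the message.
    raise PaymentError(f"db01.internal: UPDATE ledger SET ... WHERE user='{user}' failed")


def handle_leaky(user, amount):
    """Weak: passes the raw exception text and stack trace to the end user."""
    try:
        return {"status": 200, "body": charge_card(user, amount)}
    except Exception as exc:
        return {"status": 500, "body": f"Error: {exc}\n{traceback.format_exc()}"}


def audit(event, user, **fields):
    """Who did what and when: a structured, UTC-timestamped record."""
    record = {"ts": datetime.now(timezone.utc).isoformat(),
              "event": event, "user": user, **fields}
    AUDIT_RECORDS.append(record)
    logging.getLogger("audit").info(json.dumps(record))
    return record


def handle_hardened(user, amount):
    """Fails gracefully: full detail goes to the audit log under a random
    correlation id; the caller receives only that id and a generic message."""
    correlation_id = secrets.token_hex(8)   # 16 hex chars, unpredictable
    try:
        result = charge_card(user, amount)
        audit("charge.ok", user, cid=correlation_id, amount=amount)
        return {"status": 200, "body": result}
    except Exception as exc:
        audit("charge.failed", user, cid=correlation_id, amount=amount,
              error=str(exc), trace=traceback.format_exc())
        return {"status": 500,
                "body": f"The request could not be completed. Reference: {correlation_id}"}


def leaks_internal_detail(response):
    """Review check: does the user-facing body expose internals?"""
    body = response["body"]
    return "db01.internal" in body or "Traceback" in body


if __name__ == "__main__":
    print(handle_leaky("alice", 10)["body"])
    print(handle_hardened("alice", 10)["body"])
    print(json.dumps(AUDIT_RECORDS[-1], indent=2))
```

The correlation id is what support staff use to find the audit record; because it comes from `secrets` rather than a counter or `random`, a caller cannot guess other users' reference ids from their own.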
4.3.3.6 The Generic Risk Model
Microsoft threat modeling processes such as STRIDE and DREAD may not be appropriate for your application, and you may want to use other threat risk models or modify the Microsoft processes for your own use, adopting the threat modeling methodologies most appropriate for your organization. Overall risk is then calculated by assigning qualitative values such as high, medium, and low to the likelihood and impact factors. Using qualitative values rather than the numeric scores used in DREAD helps keep the ranking from becoming overly subjective.
An example of such a model is the Generic Risk Model, which takes into consideration the likelihood (e.g., the probability of an attack) and the impact (e.g., the damage potential) and is represented mathematically as [13]
Risk = Likelihood × Impact
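An added example, not from the book, that rates a constructed set of threats two ways in Python: with the Generic Risk Model, where Risk = Likelihood × Impact is evaluated on a qualitative high/medium/low grid rather than by multiplying numbers, and with DREAD, where five 1 to 10 ratings (Damage, Reproducibility, Exploitability, Affected users, Discoverability) are averaged. The threats, their ratings, the 3×3 risk grid and the thresholds that bucket a DREAD average back into three words are all assumptions made for illustration. The comparison shows the point the text makes: under equal-weight numeric scoring, a low-damage issue that is trivially reproducible and discoverable scores "high", while the qualitative grid keeps it at "medium".

```python
"""Added example (not from the book): Generic Risk Model vs DREAD on constructed
threats.  Ratings, risk grid and thresholds are assumptions for illustration."""
from dataclasses import dataclass

LEVELS = ("Low", "Medium", "High")
_ORDER = {lvl: i for i, lvl in enumerate(LEVELS)}

# Generic Risk Model: Risk = Likelihood x Impact on a qualitative grid.
# Rows are likelihood, columns are impact.  The grid itself is an assumption.
RISK_MATRIX = {
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "Medium"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "High":   {"Low": "Medium", "Medium": "High",   "High": "High"},
}


def generic_risk(likelihood: str, impact: str) -> str:
    """Risk = Likelihood x Impact, evaluated on the qualitative grid."""
    for value in (likelihood, impact):
        if value not in LEVELS:
            raise ValueError(f"rating must be one of {LEVELS}, got {value!r}")
    return RISK_MATRIX[likelihood][impact]


def dread_score(damage, reproducibility, exploitability,
                affected_users, discoverability) -> float:
    """DREAD: five 1-10 ratings averaged with equal weight."""
    ratings = (damage, reproducibility, exploitability, affected_users, discoverability)
    if any(not 1 <= r <= 10 for r in ratings):
        raise ValueError("each DREAD rating must be between 1 and 10")
    return sum(ratings) / len(ratings)


def dread_level(score: float) -> str:
    """Bucket a DREAD average into the same three words (thresholds assumed)."""
    return "High" if score > 7 else "Medium" if score >= 4 else "Low"


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: str      # Generic Risk Model inputs (qualitative)
    impact: str
    dread: tuple         # (D, R, E, A, D) ratings, 1-10 each


# Constructed threats against an imaginary web application.
THREATS = [
    Threat("SQL injection in login form",     "High",   "High",   (9, 9, 8, 10, 8)),
    Threat("Stack traces shown to end users", "High",   "Low",    (3, 10, 10, 5, 9)),
    Threat("Weak PRNG seeds session tokens",  "Medium", "High",   (8, 6, 5, 9, 4)),
    Threat("Admin actions not audit-logged",  "Low",    "Medium", (5, 3, 3, 2, 2)),
]


def assess(threats):
    """Return {name: (generic level, DREAD level, DREAD average)} per threat."""
    return {t.name: (generic_risk(t.likelihood, t.impact),
                     dread_level(dread_score(*t.dread)),
                     dread_score(*t.dread)) for t in threats}


def rank(threats, model="generic"):
    """Names ordered highest risk first under one model; ties keep input order."""
    results = assess(threats)
    idx = 0 if model == "generic" else 1
    return [t.name for t in sorted(threats, key=lambda t: -_ORDER[results[t.name][idx]])]


def disagreements(threats):
    """Threats the two models place in different buckets."""
    return [n for n, (g, d, _) in assess(threats).items() if g != d]


if __name__ == "__main__":
    for name, (g, d, s) in assess(THREATS).items():
        print(f"{name:36} generic={g:7} dread={d:7} (avg {s:.1f})")
    print("generic ranking:", rank(THREATS))
    print("dread ranking:  ", rank(THREATS, "dread"))
    print("models disagree on:", disagreements(THREATS))
```

Whichever model is chosen, the ratings that feed it are still judgment calls; the qualitative grid limits how much a single over-optimistic rating can move the result, which is the sense in which it is less subjective than summing five numbers.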
The likelihood or probability is defined by the ease of exploitation, which
depends mainly on the type of threat and the system characteristics, and