SPRG Logs
Involve the right stakeholders, separate finding errors from fixing them, validate from different views, change the documentation type, build artifacts to validate against, and validate repeatedly.
Following these principles increases the quality of validation results:
Involveme...
Q What are the four ways to address threats in mitigation?
Redesign to eliminate it, apply a standard mitigation, invent a new one, or accept the risk — in that order of preference.
The four options, in order of preference:
Priority
Approach
Risk Level
1st
Redesign to eliminate
Lowest - threat gone
2nd
Apply standard mitigations...
Q What are the pitfalls of model complexity in threat modeling?
Too simple and the model just echoes your assumptions; too complex and it's unanalysable and gets rubber-stamped — aim for "represents reality" in between.
A threat model only teaches you something in a narrow band of fidelity: push it too far in either direction and it stops sur...
Q How do you calculate a DREAD score for a real vulnerability?
Rate each of the five factors 1/2/3, sum them, and band the total — e.g. stored XSS sums to 13 (High), a login timing leak to 7 (Low).
Walk through each DREAD factor and assign 1 (Low), 2 (Medium), or 3 (High), then sum.
Example — Stored XSS in a forum: an attacker saves a commen...
Q What is Elevation of Privilege in STRIDE and what security property does it violate?
Gaining capabilities you weren't granted (e.g. user → admin) — it violates Authorization.
Elevation of Privilege (EoP):
Aspect
Description
Property violated
Authorization
Definition
Gain capabilities without proper authorization
Examples
User gaining admin rights, esca...
Q How does the MVC pattern help with security?
By separating concerns, MVC centralizes input handling in Controllers and output encoding in Views — so validation and XSS defenses live in predictable, reviewable places.
* Input is validated in one place (Controller) and output encoded in one place (View), so security controls...
Q What are the core secure design principles?
Least Privilege, Defense in Depth, Minimize Attack Surface, Keep it Simple, Fail Securely, Traceability, Segmentation, Encrypt Everywhere, Use Proven Solutions, Defensive Programming.
* The core secure-design principles (Saltzer & Schroeder-rooted) fanning out from one centre. *...
Q How should security be integrated throughout the Software Development Life Cycle?
Attach a security activity to every phase — requirements, design, implementation, testing, deployment, maintenance — because a flaw is cheapest to fix in the phase that created it.
* A security activity at every SDLC phase — security requirements, threat modeling, secure coding/...
Q According to breach-pattern data, what kind of attack has become the dominant cause of breaches, and...
"System Intrusion" — sophisticated, often multi-step technical attacks — has overtaken social engineering and basic web attacks; the overwhelming majority are external actors after money.
Verizon's annual Data Breach Investigations Report (DBIR) tracks the patterns behind real br...
Q What are the key differences between Use Cases and User Stories?
A user story is small and agile ("As a ROLE I want GOAL so that BENEFIT", fits one sprint); a use case is bigger and plan-driven, documenting a whole flow with exceptions and pre/post-conditions.
They aren't rivals so much as the same idea at two zoom levels and in two cultures —...