Abuse Cases

In software development, it’s common for requirements or ticket acceptance criteria to specify things like:

  • The application must be secure.
  • The application must defend against all attacks targeting this category of application.
  • The application must defend against attacks from the OWASP TOP 10.

Such statements (even the last one) are overly broad and generic, which makes them useless to software developers.

In order to make security requirements actionable, one option is to write up possible abuse cases for all new features. Synopsys defines an Abuse Case as follows:

Misuse and abuse cases describe how users misuse or exploit the weaknesses of controls in software features to attack an application.

This can lead to tangible business impact when business functionalities, which may bring in revenue or provide a positive user experience, are directly attacked.

Abuse cases can also be an effective way to drive security requirements that lead to proper protection of these critical business use cases.

User Stories are good places to include Abuse Cases. By asking people to put themselves in an attacker’s mindset and come up with concrete examples of how a feature may be exploited, concrete risks that require mitigation can be identified.

Examples

  • As an attacker, I have access to hundreds of millions of valid username and password combinations from leaked password dumps to use for credential stuffing.
  • As an attacker, I have default administrative account lists, automated brute force, and dictionary attack tools I use against login areas of the application and support systems.
  • As an attacker, I manipulate session tokens using expired and fake tokens to gain access.
  • As an attacker, I exploit Cross-Origin Resource Sharing (CORS) misconfiguration allowing unauthorized API access.
  • As an attacker, I include hostile content in an XML document which is uploaded to the application or system to extract data, execute a remote request from the server, scan internal systems, perform a denial-of-service attack, as well as execute other attacks.
  • As an attacker, I access APIs with missing access controls for POST, PUT and DELETE.
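The point of writing abuse cases this way is that they become acceptance criteria. As an added example (not from the original page), the following turns three of the abuse cases above (expired/fake session tokens, CORS misconfiguration, and missing access controls on POST, PUT and DELETE) into executable checks against a minimal in-memory API handler; the handler, token store and origin allowlist are constructed for illustration.

```python
import time

# Constructed fixtures for the example: a CORS allowlist and a session store.
ALLOWED_ORIGINS = {"https://app.example.com"}
SESSIONS = {"tok-valid": time.time() + 3600,   # expires in an hour
            "tok-expired": time.time() - 1}    # already expired
MUTATING = {"POST", "PUT", "DELETE"}


def handle(method, path, headers):
    """Minimal request handler; returns (status, response_headers)."""
    resp = {}
    origin = headers.get("Origin")
    # Only reflect origins from the allowlist; never echo arbitrary origins or use "*".
    if origin in ALLOWED_ORIGINS:
        resp["Access-Control-Allow-Origin"] = origin
    token = headers.get("Authorization", "").removeprefix("Bearer ").strip()
    expiry = SESSIONS.get(token)
    authenticated = expiry is not None and expiry > time.time()
    # Every state-changing method requires a valid, unexpired session.
    if method in MUTATING and not authenticated:
        return 401, resp
    return 200, resp


def abuse_case_checks():
    """Each abuse case becomes an acceptance criterion; True means the control holds."""
    results = {}
    # "I manipulate session tokens using expired and fake tokens to gain access."
    for tok in ("tok-expired", "tok-fake"):
        status, _ = handle("DELETE", "/api/items/1", {"Authorization": f"Bearer {tok}"})
        results[f"session:{tok}"] = status == 401
    # "I exploit CORS misconfiguration allowing unauthorized API access."
    _, hdrs = handle("GET", "/api/items", {"Origin": "https://attacker.example"})
    results["cors:unknown-origin"] = "Access-Control-Allow-Origin" not in hdrs
    # "I access APIs with missing access controls for POST, PUT and DELETE."
    for method in MUTATING:
        status, _ = handle(method, "/api/items", {})
        results[f"authz:{method}"] = status == 401
    # Positive control: the legitimate user story must still work.
    status, _ = handle("POST", "/api/items", {"Authorization": "Bearer tok-valid"})
    results["authz:valid-user"] = status == 200
    return results


if __name__ == "__main__":
    for name, ok in abuse_case_checks().items():
        print(f"{'PASS' if ok else 'FAIL'} {name}")
```

Each failing entry maps back to one abuse case, which tells the developer which mitigation is missing rather than just that the application is "not secure".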

Separate technical and business abuse cases

It is important to take into account both technical and business abuse cases. Both types of abuse can lead to damage, but the mitigation strategies and the people responsible for them are likely quite different.
