I have an API I am looking to perform threat modeling against. The API has a bunch of different task-based methods that largely fall into two overall scenarios:
Reads: Caller <===> API <===> Database
Modifications: Caller ===> API ===> Database
Should I model each API method separately, as the input and output vary slightly (though not in a way that I see affects security), or is it sufficient to model the bidirectional operations and one-way operations?
Sounds like you should be taking a closer look at the modifications scenario to make sure callers do not change database state in unexpected ways. Modeling the scenarios separately will result in more threats being generated by the tool, and unless you see value in going through an extra set of threats for the additional dataflow, you can avoid drawing the second data flow.
If the API has all methods dealing with the same sensitive data level, I would not employ a detailed analysis. However, if some methods deal with public data and others with sensitive data such as PII (Personally identifiable information), it's reasonable to analyze them separately, since their risks are very different.
Fabricio Braz (PhD)
- Proposed as answer by SDL Team Moderator, 16 November 2011 21:10
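The two answers above come down to one rule: draw a separate data flow only when the threats it generates differ, and for this API that means grouping methods by direction (read vs. modify) and by the sensitivity of the data they carry. The script below is an added example, not from the thread or from the SDL Threat Modeling Tool: it takes a constructed list of API methods tagged with direction and data classification, collapses them into the distinct flows worth drawing, and attaches a simplified STRIDE threat set to each flow. The method names, the two sensitivity levels and the threat-per-flow mapping are assumptions chosen for illustration; the tool's own threat generation rules are more detailed.

```python
"""Added example: decide which API data flows deserve their own entry in a threat model.

Methods that share a direction and a data-sensitivity level produce the same
STRIDE threats, so they can be modeled as one flow; methods that differ in
either produce different threats and should be drawn separately.
"""
from dataclasses import dataclass
from enum import Enum


class Direction(Enum):
    READ = "Caller <===> API <===> Database"   # bidirectional, as in the question
    MODIFY = "Caller ===> API ===> Database"   # one-way, changes database state


class Sensitivity(Enum):
    PUBLIC = 1
    PII = 2   # personally identifiable information


@dataclass(frozen=True)
class ApiMethod:
    name: str
    direction: Direction
    sensitivity: Sensitivity


# Constructed sample inventory for this example (hypothetical method names).
SAMPLE_METHODS = [
    ApiMethod("GetCatalog", Direction.READ, Sensitivity.PUBLIC),
    ApiMethod("SearchCatalog", Direction.READ, Sensitivity.PUBLIC),
    ApiMethod("GetProfile", Direction.READ, Sensitivity.PII),
    ApiMethod("UpdateProfile", Direction.MODIFY, Sensitivity.PII),
    ApiMethod("PostReview", Direction.MODIFY, Sensitivity.PUBLIC),
]


def threats_for_flow(direction: Direction, sensitivity: Sensitivity) -> frozenset:
    """Simplified STRIDE mapping for a flow crossing the caller/API trust boundary.

    This mapping is an assumption made for the example, not the SDL tool's rules.
    """
    threats = {"Spoofing", "Denial of service"}          # any caller-facing flow
    if direction is Direction.MODIFY:
        # Writes can change database state unexpectedly and must be attributable.
        threats |= {"Tampering", "Repudiation", "Elevation of privilege"}
    if sensitivity is Sensitivity.PII:
        # Only flows carrying sensitive data raise a disclosure threat.
        threats.add("Information disclosure")
    return frozenset(threats)


def distinct_flows(methods) -> dict:
    """Group methods by (direction, sensitivity); each key is one flow to draw."""
    flows = {}
    for m in methods:
        flows.setdefault((m.direction, m.sensitivity), []).append(m.name)
    return flows


def build_model(methods) -> dict:
    """Return {flow_key: {"methods": [...], "threats": frozenset}} for the inventory."""
    return {
        key: {"methods": names, "threats": threats_for_flow(*key)}
        for key, names in distinct_flows(methods).items()
    }


def main() -> None:
    model = build_model(SAMPLE_METHODS)
    print(f"{len(model)} distinct data flows to model:")
    for (direction, sensitivity), entry in model.items():
        print(f"\n  {direction.value}  [{sensitivity.name}]")
        print(f"    methods: {', '.join(entry['methods'])}")
        print(f"    threats: {', '.join(sorted(entry['threats']))}")


if __name__ == "__main__":
    main()
```

Running it on the sample inventory yields four flows rather than five methods or two directions. Re-tagging every method as PUBLIC collapses the model to two flows, which is the case the second answer describes where a detailed per-method analysis adds nothing.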