| NORA-1: External | Client application |
| Client application | API endpoint |
| NORA-4: Back Office | API endpoint |

| AC-12: Session Termination | CAPEC-125: Flooding |
| AC-4(25): Information Flow Enforcement | Data Sanitization | SP-TE-29: Web application attacks or code injection attack |
| SI-3: Malicious Code Protection | SP-TE-29: Web application attacks or code injection attack |
| SC-5: Denial-of-service Protection | CAPEC-125: Flooding |
| CM-7: Least Functionality | SP-TE-27: Exploit hardware or platform vulnerabilities |
| AU-2: Event Logging | CAPEC-125: Flooding |
| AC-3: Access Enforcement | SP-TE-36: Unauthorized changes or manipulation of information data records |
| SI-10: Information Input Validation | SP-TE-29: Web application attacks or code injection attack |
| SC-6: Resource Availability | CAPEC-125: Flooding |
| SC-13: Cryptographic Protection | SP-TE-23: Adversary in the middle attack or network traffic modification |