diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml new file mode 100644 index 0000000..3bb8500 --- /dev/null +++ b/.github/workflows/main.yml @@ -0,0 +1,30 @@ +name: pdf-generation + +on: + push: + pull_request: + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f + - name: create exercise PDF + run: | + sudo apt-get install -y pandoc texlive-latex-base texlive-fonts-recommended texlive-extra-utils texlive-latex-extra + cd '01 - Payments Exercise/' + pandoc README.md -o '../payment-exercise.pdf' + cd .. + - name: setup git config + run: | + # setup the username and email. I tend to use 'GitHub Actions Bot' with no email by default + git config user.name "GitHub Actions Bot" + git config user.email "<>" + + - name: commit and push + run: | + # Stage the file, commit and push + git add payment-exercise.pdf + git commit -m "new exercise commit" + git push diff --git a/01 - Payments Exercise/README.md b/01 - Payments Exercise/README.md index 7ff7cfc..2afe8a2 100644 --- a/01 - Payments Exercise/README.md +++ b/01 - Payments Exercise/README.md @@ -145,17 +145,27 @@ _Names of the folks in your group_ - Name #1 - Name #2 - Name #etc +Your names: +``` + + + + + + + + + +``` ### Goal - Find as many threats as possible, but report back your top three risks ### How? -- What are the assets in this feature? -- What do you want to protect? -- Are there areas of the system that a bad actor wants access to or go after? -- What is important to them? How can they take advantage? +- Where are trust boundaries? +- What is important to the entities around the boundaries? How can a threat agent take advantage? - Review the diagram and use STRIDE to discover threats/concerns/risks ### Diagram @@ -183,12 +193,6 @@ Which assumptions did you make? - VISA means any payment processor, not just VISA - _Add your own assumptions here_ -### Assets - -- Asset #1 -- Asset #2 -- Asset #etc - ### Threats _Security controls have been highlighted in green below, feel free to add your threats to the list below and shade them red._ @@ -199,36 +203,140 @@ _Security controls have been highlighted in green below, feel free to add your t - _Billing Service uses a token stored in a secrets store to connect with VISA_ - Example bad thing that might happen +Your threats: +``` + + + + + + + + + + +``` #### Tampering - _Billing Service has very strong input validation controls, it would be nearly impossible to tamper with the individual fields (Credit Card Number, Expiry, etc) to get a Stored XSS or SQL injection vulnerability_ - Example bad thing that might happen +Your threats: +``` + + + + + + + + + + +``` #### Repudiation - _We are logging information of who updated the Payment Information, when they updated it in the Billing Logs_ - Example bad thing that might happen +Your threats: +``` + + + + + + + + + + +``` #### Information Disclosure - _Billing Database’s disk is encrypted at rest to protect against AWS employees stealing hard drives_ - Example bad thing that might happen +Your threats: +``` + + + + + + + + + + +``` #### Denial of Service - _Gateway API has a rate limiter in place to ensure that a Workspace Owner cannot exceed 100/min_ - Example bad thing that might happen -#### Elevation of Privilege +Your threats: +``` + + + + + + + + + +``` +#### Elevation of Privilege - Example bad thing that might happen +Your threats: +``` + + + + + + + + + + +``` #### Other Security questions/thoughts? - This is a bad thing that might happen, but it doesn’t really fall into STRIDE +Your questions/thoughts: +``` + + + + + + + + + + +``` #### Top 3 Risks - Risk#1 - Risk#2 - Risk#3 + +Your top 3 risks: +``` + + + + + + + + + + +``` \ No newline at end of file diff --git a/payment-exercise.pdf b/payment-exercise.pdf new file mode 100644 index 0000000..3c0e688 Binary files /dev/null and b/payment-exercise.pdf differ