69 threats have been elicited. (54 different threat sources and a total of 5
involved locations.)

Used rule collections:
BSI rule collection (15 elicited threats).
STRIDE rule collection (14 elicited threats).
LINDDUN rule collection (40 elicited threats).

#1 Threat source: Hashing of Passwords
   (BSI rule)

             Description: Passwords must be hashed
                Severity: 2.0
        Long Description: Passwords MUST NOT be stored in plain text. Passwords
                          MUST be stored using a server-side secure salted hash
                          algorithm. According to the BSI technical guideline
                          TR-02102, these include: SHA-256, SHA-512/256,
                          SHA-384, SHA-512, SHA3-256, SHA3-384, SHA3-512.
                          BSI IT-Grundschutzkompendium ID: ORP.4.A23, CON.8.A5,
                          CON.10.A7, APP.3.1.A14, APP.3.2.A5, APP.4.2.A13,
                          APP.4.3.A3, SYS.1.6.A8, NET.3.1.A1, NET.3.2.A4
       Mitigation Option: Check that one of the recommended hashing methods is
                          used
             Requirement: Hash function: one of {SHA3_256, SHA3_384, SHA3_512,
                          SHA_256, SHA_384, SHA_512, SHA_512_256}
           Locations: (1)
                          Database:
                            Attribute missing: Stores credentials
                            Attribute missing: Hash function
                          Management State: Undecided


#2 Threat source: Input Validation
   (BSI rule)

             Description: Input Validation
                Severity: 2.0
        Long Description: All data transmitted to a web application is
                          potentially dangerous. All input data, data streams,
                          and secondary data, such as session IDs, MUST be
                          validated on the server side before further
                          processing. Incorrect input preferably SHOULD NOT be
                          handled automatically (sanitizing). If this cannot be
                          avoided, sanitizing MUST be implemented securely.
                          BSI IT-Grundschutzkompendium ID: CON.8.A5, CON.10.A8
       Mitigation Option: Validate all input data
             Requirement: Input data and Input validation and (not Sanitization
                          or (Sanitization and Sanitization secure))
           Locations: (1)
                          Application:
                            Attribute missing: Input data
                            Attribute missing: Input validation
                            Attribute missing: Sanitization
                            Attribute missing: Sanitization secure
                          Management State: Undecided


#3 Threat source: Integrity of External Entities
   (BSI rule)

             Description: Integrity check of external elements
                Severity: 2.0
        Long Description: External components and data from external elements
                          MUST be checked for their integrity and
                          vulnerabilities. Integrity MUST be verified using
                          checksums or cryptographic certificates. Outdated
                          versions of external components SHOULD NOT be used.
                          BSI IT-Grundschutzkompendium ID: CON.8.A20
       Mitigation Option: Use checksums or digital certificates to verify
                          integrity
             Requirement: Integrity check: one of {check sum, digital
                          certificate, ECDSA}
           Locations: (1)
                          http_request: User -> Database:
                            Attribute missing: Integrity check
                          Management State: Undecided


#4 Threat source: Least Privileges
   (BSI rule)

             Description: Only grant necessary permissions
                Severity: 2.0
        Long Description: Processes MUST be able to be executed with the fewest
                          possible privileges. Users SHOULD only be granted the
                          authorizations necessary to perform their tasks.
                          BSI IT-Grundschutzkompendium ID: CON.8.A5
       Mitigation Option: Check whether all granted rights are necessary
             Requirement: Required permissions same as Given permissions
           Locations: (2)
                          User:
                            Attribute missing: Required permissions
                            Attribute missing: Given permissions
                          Management State: Undecided

                          Application:
                            Attribute missing: Required permissions
                            Attribute missing: Given permissions
                          Management State: Undecided


#5 Threat source: Untrustworthy Data Flow
   (BSI rule)

             Description: Transport protocol for connections outside the trust
                          boundary
                Severity: 2.0
        Long Description: Data flows that are crossing trust boundaries MUST
                          use a secure transport protocol to maintain data
                          confidentiality. According to the technical guideline
                          BSI TR-02102, these are: IPsec, MLS, SRTP, SSH-2, TLS
                          1.2 and TLS 1.3.
                          BSI IT-Grundschutzkompendium ID: APP.3.2.A11,
                          NET.1.1.A7
       Mitigation Option: Employ TLS
             Requirement: Transport protocol: one of {HTTPS, IPsec, MLS, SRTP,
                          SSH-2, TLS 1.2, TLS 1.3}
           Locations: (1)
                          http_request: User -> Database:
                            Attribute missing: Transport protocol
                          Management State: Undecided


#6 Threat source: Authentication Protocols for SAN fabric
   (BSI rule)

             Description: Ensuring storage integrity through secure protocols
                Severity: 1.0
        Long Description: To ensure the integrity of the storage solution,
                          protocols with additional security features SHOULD be
                          used and configured accordingly. These include:
                          DH-CHAP, FCAP, FCPAP.
                          BSI IT-Grundschutzkompendium ID: SYS.1.8.A24
       Mitigation Option: Check that one of the recommended protocols is used
             Requirement: Authentication protocol: one of {DH_CHAP, FCAP, FCPAP}
           Locations: (1)
                          Database:
                            Attribute missing: Is SAN fabric
                            Attribute missing: Authentication protocol
                          Management State: Undecided


#7 Threat source: Detectable Events
   (LINDDUN rule)

             Description: Detecting side effects or communications triggered by
                          application events
                Severity: 1.0
        Long Description: Various (unknown) side effects may lead to the
                          detection of used applications or user actions. This
                          can include log files on a shared system, traces of
                          temporary files by deleted applications or the size of
                          data. Sensitive information may be deduced from the
                          observation of these side effects.
                          LINDDUN card ID: D3
       Mitigation Option: Ensure that all log files get deleted and that deleted
                          data doesn't leave traces
       Mitigation Option: Dummy traffic may be able to conceal the actual
                          traffic
             Requirement: Leaves usage traces = False
           Locations: (2)
                          Database:
                            Attribute missing: Leaves usage traces
                          Management State: Undecided

                          Application:
                            Attribute missing: Leaves usage traces
                          Management State: Undecided


#8 Threat source: Detectable Records
   (LINDDUN rule)

             Description: Detecting the existence of records in a system
                Severity: 1.0
        Long Description: Systems may unintentionally reveal the existence of
                          data by the way status messages respond to queries.
                          This is especially relevant with informational
                          messages, warnings or errors which respond differently
                          when an item does not exist compared to not having
                          access rights. An example would be an 'insufficient
                          access rights' error message revealing the existence
                          of a specific record. Even though no contents have
                          been leaked, the existence of certain items alone can
                          be a stepping stone to security threats.
                          LINDDUN card ID: D4
       Mitigation Option: Prevent information leakage by not revealing the
                          existence of items in system responses
             Requirement: Responses disclose information existence = False
           Locations: (2)
                          Database:
                            Attribute missing: Responses disclose information
                            existence
                          Management State: Undecided

                          Application:
                            Attribute missing: Responses disclose information
                            existence
                          Management State: Undecided


#9 Threat source: Detectable Service Usage
   (LINDDUN rule)

             Description: Detecting communication between a service and its
                          users
                Severity: 1.0
        Long Description: If the communication from a user to a service can be
                          observed, information may be inferred from that. For
                          example, communication with the Tor network can be
                          detected even though the destination is concealed.
                          Especially in sensitive contexts (medical,
                          whistleblower) the detection of service usage alone
                          may have a severe impact.
                          LINDDUN card ID: D2
       Mitigation Option: Minimize communications outside of private networks
       Mitigation Option: Transmit decoy data
             Requirement: Every communication outside of trust boundaries with
                          property: 'Is private network = True' will trigger
                          this rule
           Locations: (1)
                          http_request: User -> Database:
                            Attribute missing: Is private network
                          Management State: Undecided


#10 Threat source: Detectable Users
    (LINDDUN rule)

             Description: Inferring the existence of a user from the system's
                          response
                Severity: 1.0
        Long Description: Systems may unintentionally reveal the existence of a
                          user by the way status messages respond to queries.
                          This is especially relevant with informational
                          messages, warnings or errors which respond differently
                          when a user does not exist compared to not having
                          access rights. An example would be a 'wrong password'
                          error message revealing the existence of the account.
                          Even though no contents have been leaked, the
                          existence of certain items alone can be a stepping
                          stone to security threats.
                          LINDDUN card ID: D1
       Mitigation Option: Prevent information leakage by not revealing the
                          existence of items in system responses
             Requirement: Responses disclose information existence = False
           Locations: (2)
                          Database:
                            Attribute missing: Responses disclose information
                            existence
                            Attribute missing: Handles user data
                          Management State: Undecided

                          Application:
                            Attribute missing: Responses disclose information
                            existence
                            Attribute missing: Handles user data
                          Management State: Undecided


#11 Threat source: Encryption of Confidential Data
    (BSI rule)

             Description: Confidential data must be encrypted
                Severity: 1.0
        Long Description: Confidential data SHOULD be encrypted using a secure
                          cryptographic method. According to the technical
                          guideline BSI TR-02102, these include: AES-128,
                          AES-192, AES-256.
                          BSI IT-Grundschutzkompendium ID: CON.8.A5, CON.10.A18
       Mitigation Option: Check that one of the recommended encryption methods
                          is used
             Requirement: Encryption method: one of {AES_128, AES_192, AES_256}
           Locations: (1)
                          Database:
                            Attribute missing: Handles confidential data
                            Attribute missing: Encryption method
                          Management State: Undecided


#12 Threat source: Excessive Amount of Data Collected
    (LINDDUN rule)

             Description: The system acquires more data than strictly needed for
                          its functionality
                Severity: 1.0
        Long Description: It should be considered if the amount of data
                          collected is too large, the processing happens too
                          frequently or if there are more data subjects involved
                          than necessary. For example, posts on social networks
                          may include personal data about other individuals.
                          Processing excessive amounts of data poses a bigger
                          risk as it may give way to privacy threats such as
                          pattern analysis.
                          LINDDUN card ID: DD2
       Mitigation Option: Evaluate whether regular data collection is necessary
                          for the system's functionality.
             Requirement: Only necessary data collected = True
           Locations: (2)
                          Database:
                            Attribute missing: Only necessary data collected
                          Management State: Undecided

                          Application:
                            Attribute missing: Only necessary data collected
                          Management State: Undecided


#13 Threat source: Excessively Sensitive Data Collected
    (LINDDUN rule)

             Description: The system acquires more sensitive or fine-grained data
                          than strictly necessary for its functionality
                Severity: 1.0
        Long Description: It should be considered if certain data should really
                          be collected in terms of the data being too sensitive,
                          more fine-grained than strictly necessary or it being
                          unnecessary metadata. For example, a camera
                          application does not necessarily need to record the
                          picture's location. Processing excessively sensitive
                          data poses a bigger risk in case of potential data
                          breaches.
                          LINDDUN card ID: DD1
       Mitigation Option: Assess whether all the data is genuinely necessary for
                          providing the system's functionality
             Requirement: Only necessary data collected = True
           Locations: (2)
                          Database:
                            Attribute missing: Only necessary data collected
                            Attribute missing: Handles confidential data
                            Attribute missing: Handles personal data
                          Management State: Undecided

                          Application:
                            Attribute missing: Only necessary data collected
                            Attribute missing: Handles confidential data
                            Attribute missing: Handles personal data
                          Management State: Undecided


#14 Threat source: Generic Denial of Service Dataflow Rule
    (STRIDE rule)

             Description: Generic Denial of Service Threat
                Severity: 1.0
        Long Description: Denial of service refers to the threat of maliciously
                          overloading the resources of the system with the
                          intent of harming usability and making services
                          unavailable. The threat violates the property of
                          availability.
           Locations: (1)
                          http_request: User -> Database:
                          Management State: Undecided


#15 Threat source: Generic Denial of Service Node Rule
    (STRIDE rule)

             Description: Generic Denial of Service Threat
                Severity: 1.0
        Long Description: Denial of service refers to the threat of maliciously
                          overloading the resources of the system with the
                          intent of harming usability and making services
                          unavailable. The threat violates the property of
                          availability.
           Locations: (2)
                          Database:
                          Management State: Undecided

                          Application:
                          Management State: Undecided


#16 Threat source: Generic Elevation of Privilege Node Rule
    (STRIDE rule)

             Description: Generic Elevation of Privilege Threat
                Severity: 1.0
        Long Description: Elevation of privilege refers to the threat where an
                          adversary can gain unlawful authorization to systems
                          or data by escalating their level of privileges by
                          exploiting bugs or gaps in security. The threat
                          violates the property of authorization.
           Locations: (1)
                          Application:
                          Management State: Undecided


#17 Threat source: Generic Information Disclosure Dataflow Rule
    (STRIDE rule)

             Description: Generic Information Disclosure Threat
                Severity: 1.0
        Long Description: Information disclosure refers to the threat where data
                          leaves the confines of its supposed authority scope
                          and unauthorized contacts can access it. The threat
                          violates the property of confidentiality.
           Locations: (1)
                          http_request: User -> Database:
                          Management State: Undecided


#18 Threat source: Generic Information Disclosure Node Rule
    (STRIDE rule)

             Description: Generic Information Disclosure Threat
                Severity: 1.0
        Long Description: Information disclosure refers to the threat where data
                          leaves the confines of its supposed authority scope
                          and unauthorized contacts can access it. The threat
                          violates the property of confidentiality.
           Locations: (2)
                          Database:
                          Management State: Undecided

                          Application:
                          Management State: Undecided


#19 Threat source: Generic Repudiation Node Rule
    (STRIDE rule)

             Description: Generic Repudiation Threat
                Severity: 1.0
        Long Description: Repudiation refers to the threat where a contact does
                          not claim responsibility and rejects the confession of
                          a certain act like modifying data. The threat violates
                          the property of non-repudiability.
           Locations: (2)
                          User:
                          Management State: Undecided

                          Application:
                          Management State: Undecided


#20 Threat source: Generic Spoofing Node Rule
    (STRIDE rule)

             Description: Generic Spoofing Threat
                Severity: 1.0
        Long Description: Spoofing refers to the attack where an adversary gains
                          unauthorized access to data or a system by falsifying
                          their identity and pretending to be a trusted contact.
                          The threat violates the property of authenticity.
           Locations: (2)
                          User:
                          Management State: Undecided

                          Application:
                          Management State: Undecided


#21 Threat source: Generic Tampering Dataflow Rule
    (STRIDE rule)

             Description: Generic Tampering Threat
                Severity: 1.0
        Long Description: Tampering refers to the unlawful modification of data
                          or systems so that they pose a danger to normal users.
                          The threat violates the property of integrity.
           Locations: (1)
                          http_request: User -> Database:
                          Management State: Undecided


#22 Threat source: Generic Tampering Node Rule
    (STRIDE rule)

             Description: Generic Tampering Threat
                Severity: 1.0
        Long Description: Tampering refers to the unlawful modification of data
                          or systems so that they pose a danger to normal users.
                          The threat violates the property of integrity.
           Locations: (2)
                          Database:
                          Management State: Undecided

                          Application:
                          Management State: Undecided


#23 Threat source: Identifiable Data Flows
    (LINDDUN rule)

             Description: Data sent to the system is sufficiently revealing to
                          identify the user
                Severity: 1.0
        Long Description: Individuals may be identified through identifiable
                          attributes in user-submitted data. For example, in a
                          feedback form.
                          LINDDUN card ID: I3
       Mitigation Option: Minimize transmission of user data
             Requirement: Transmits user data = False
           Locations: (1)
                          http_request: User -> Database:
                            Attribute missing: Transmits user data
                          Management State: Undecided


#24 Threat source: Identifiable Data Requests
    (LINDDUN rule)

             Description: Communication contains (quasi-)identifiers
                Severity: 1.0
        Long Description: Individuals may be identified through
                          quasi-identifiers such as IP-address or email-address.
                          The use of pseudonyms to refer to individuals may also
                          lead to the identification of the person behind it.
                          The possibility of identification rises with the
                          amount of data connected with the quasi-identifier and
                          the number of services using it.
                          LINDDUN card ID: I4
       Mitigation Option: Remove unique identifiers
       Mitigation Option: Don't reuse identifiers in another service
             Requirement: Transmits unique user identifier = False
           Locations: (1)
                          http_request: User -> Database:
                            Attribute missing: Transmits unique user identifier
                          Management State: Undecided


#25 Threat source: Identifiable Dataset
    (LINDDUN rule)

             Description: Stored data can be used to identify individuals
                Severity: 1.0
        Long Description: Individuals may be identified through connection of
                          unique references to an individual or their data. The
                          use of pseudonyms to refer to individuals may lead to
                          the identification of the person behind it. The
                          possibility of identification rises with the amount of
                          data connected with the quasi-identifier and the
                          number of services using it.
                          LINDDUN card ID: I5
       Mitigation Option: Minimize collection and storage of user data
       Mitigation Option: Don't reuse identifiers in another service
             Requirement: Handles user data = False
           Locations: (1)
                          Database:
                            Attribute missing: Handles user data
                          Management State: Undecided


#26 Threat source: Identifiable User Requests
    (LINDDUN rule)

             Description: The user can be identified because the data in their
                          requests can be used to infer who they are
                Severity: 1.0
        Long Description: Individuals may be identified through data sent to the
                          system. This data does not have to be identity
                          information but can still be unintentionally specific
                          to a user. Examples: looking up nearby businesses,
                          info about a rare illness or specific timing.
                          LINDDUN card ID: I2
       Mitigation Option: Minimize transmission of user data
             Requirement: Transmits user data = False
           Locations: (1)
                          http_request: User -> Database:
                            Attribute missing: Transmits user data
                          Management State: Undecided


#27 Threat source: Identified User Requests
    (LINDDUN rule)

             Description: The incoming user requests contain data that directly
                          reveal the user identity
                Severity: 1.0
        Long Description: Individuals may be identified directly through data
                          sent to the system such as their full name. Identified
                          data can severely amplify the impact of future data
                          breaches and needs stronger security measures.
                          LINDDUN card ID: I1
       Mitigation Option: Minimize transmission of user identities
             Requirement: Transmits user identity = False
           Locations: (1)
                          http_request: User -> Database:
                            Attribute missing: Transmits user identity
                          Management State: Undecided


#28 Threat source: Improper Data Lifecycle Management
    (LINDDUN rule)

             Description: Data is not properly managed throughout its entire
                          lifecycle within the system
                Severity: 1.0
        Long Description: There should be a data lifecycle management policy
                          defined for the data processed within the system. The
                          policy should outline clear principles for each phase
                          of the lifecycle (creation, storage, sharing, usage,
                          archival, destruction). Improper data lifecycle
                          management can result in a loss of overview of the
                          data within the system and its maintenance, posing
                          concerns not only for privacy and data protection but
                          also security and availability.
                          LINDDUN card ID: Nc3
       Mitigation Option: Data lifecycle management is a continuous process that
                          must be consistently carried out as long as the system
                          is designed, developed, and used
             Requirement: Data lifecycle policy exists = True
           Locations: (1)
                          Test Name:
                            Attribute missing: Data lifecycle policy exists
                          Management State: Undecided


#29 Threat source: Insufficient Access
    (LINDDUN rule)

             Description: Data subjects do not have access to their personal
                          data
                Severity: 1.0
        Long Description: Users should be given the option to access their
                          collected personal information through the system or a
                          helpdesk. Lack of access may violate the legal rights
                          of data subjects.
                          LINDDUN card ID: U4
       Mitigation Option: Enable the user to access their personal data. (The
                          right to access is not always absolute. Limitations
                          may exist depending on applicable laws (e.g., trade
                          secrets, rights of other data subjects))
             Requirement: Own data access = True
           Locations: (1)
                          User:
                            Attribute missing: Own data access
                            Attribute missing: Is a user
                          Management State: Undecided


#30 Threat source: Insufficient Information when Sharing Data of Others
    (LINDDUN rule)

             Description: When sharing personal data of others, users are
                          insufficiently informed about the further data
                          processing
                Severity: 1.0
        Long Description: Data subjects should be sufficiently informed about
                          what kind of data of others is collected, the purposes
                          and methods of involved processing and with whom the
                          data is being shared in a clear and understandable
                          way. For example, a user posting a picture on social
                          media may not be aware that others in the picture are
                          automatically tagged with a facial recognition system.
                          Insufficient transparency means users may not realize
                          they are unintentionally sharing personal data of
                          other individuals.
                          LINDDUN card ID: U2
       Mitigation Option: Data subjects must also be informed on any processing
                          of personal data from others
             Requirement: Informs about data collection = True
           Locations: (1)
                          User:
                            Attribute missing: Informs about data collection
                            Attribute missing: Is a user
                          Management State: Undecided


#31 Threat source: Insufficient Privacy Controls
    (LINDDUN rule)

             Description: Data subjects have insufficient controls to manage
                          their preferences
                Severity: 1.0
        Long Description: Users should be given the option to configure what
                          personal data is processed and for what purposes. They
                          should also be able to alter their preferences
                          afterwards. Appropriate control mechanisms are
                          required to record data subject preferences and keep
                          track of how the data may be further processed.
                          LINDDUN card ID: U3
       Mitigation Option: Privacy-friendly settings should be the default.
       Mitigation Option: Nudging can raise awareness and induce more
                          privacy-preserving behaviour.
             Requirement: Personal data preferences = True
           Locations: (1)
                          User:
                            Attribute missing: Personal data preferences
                            Attribute missing: Is a user
                          Management State: Undecided


#32 Threat source: Insufficient Rectification or Erasure
    (LINDDUN rule)

             Description: Data subjects cannot rectify or erase their personal
                          data
                Severity: 1.0
        Long Description: Users should be given the option to correct or delete
                          their collected personal data. For example, when a
                          user deletes his social media account, the data should
                          be deleted and not just the account disabled.
                          LINDDUN card ID: U5
       Mitigation Option: Enable the user to correct or delete their personal
                          data. (Rectification or erasure can also be performed
                          indirectly (e.g., through a customer service ticket))
             Requirement: Own data modification = True
           Locations: (1)
                          User:
                            Attribute missing: Own data modification
                            Attribute missing: Is a user
                          Management State: Undecided


#33 Threat source: Insufficient Security of Processing
    (LINDDUN rule)

             Description: Data security measures and processes do not adhere to
                          risk and security management best practices and
                          standards
                Severity: 1.0
        Long Description: There should be a process established to manage
                          security risks and identify required countermeasures.
                          The system should then incorporate the required
                          countermeasures while regarding industry standards and
                          best practices.
                          LINDDUN card ID: Nc4
       Mitigation Option: Consider complementary methods like security threat
                          modeling
             Requirement: Security standards compliance = True
           Locations: (1)
                          Test Name:
                            Attribute missing: Security standards compliance
                          Management State: Undecided


#34 Threat source: Insufficient Transparency
    (LINDDUN rule)

             Description: Data subjects are insufficiently informed about the
                          collection and processing of their personal data
                Severity: 1.0
        Long Description: Data subjects should be sufficiently informed about
                          what kind of personal data is collected, the purposes
                          and methods of involved processing and with whom the
                          data is being shared in a clear and understandable
                          way. For example, awareness about traffic cameras
                          collecting facial images next to number plates.
                          Insufficient transparency may lead to data subjects
                          being unaware about the utilization of their personal
                          data, influencing their right to privacy.
                          LINDDUN card ID: U1
       Mitigation Option: Data subjects must also be informed on any indirect
                          data collection, i.e. from third parties.
             Requirement: Informs about data collection = True
           Locations: (1)
                          User:
                            Attribute missing: Informs about data collection
                            Attribute missing: Is a user
                          Management State: Undecided


#35 Threat source: Linkable Dataset
    (LINDDUN rule)

             Description: Stored personal data can be linked to individuals
                Severity: 1.0
        Long Description: Data can contain a lot of different properties that,
                          when combined, pose quasi-identifiers enabling the
                          linking of data to unique individuals or groups. An
                          example would be querying average salary with a strict
                          set of criteria to reveal the salary of an individual
                          employee. Even if the properties do not reveal one's
                          identity directly, accumulated amounts of personal
                          data can lead to 'identifying' threats.
                          LINDDUN card ID: L4
       Mitigation Option: Minimize collection and storage of user data
             Requirement: Handles user data = False
           Locations: (1)
                          Database:
                            Attribute missing: Handles user data
                          Management State: Undecided


#36 Threat source: Linkable User Requests Through Combination
    (LINDDUN rule)

             Description: User requests can be linked because they contain
                          attributes that can be combined into quasi-identifiers
                Severity: 1.0
        Long Description: Many requests contain a lot of different properties
                          that, when combined, pose quasi-identifiers enabling
                          the linking to unique individuals or groups. Examples
                          for these properties: OS, browser, display size,
                          language. Even if the properties do not reveal one's
                          identity directly, accumulated amounts of personal
                          data can lead to 'identifying' threats.
                          LINDDUN card ID: L2
       Mitigation Option: Minimize user properties being transmitted
             Requirement: Transmits user properties = False
           Locations: (1)
                          http_request: User -> Database:
                            Attribute missing: Transmits user properties
                          Management State: Undecided


#37 Threat source: Linkable User Requests Through Patterns
    (LINDDUN rule)

             Description: Patterns in the (meta)data contained in user requests
                          can be used to link them to each other
                Severity: 1.0
        Long Description: Profiles can be constructed to distinguish users from
                          one another and accumulate associated data.
                          Distinguishing can happen based on things like the
                          timing of messages, the writing style or other message
                          patterns. Even if this data does not reveal one's
                          identity directly, accumulated amounts of personal
                          data can lead to 'identifying' threats.
                          LINDDUN card ID: L3
       Mitigation Option: Transmit decoy requests
       Mitigation Option: Minimize user properties being transmitted
             Requirement: Transmits user data = False
           Locations: (1)
                          http_request: User -> Database:
                            Attribute missing: Transmits user data
                          Management State: Undecided


#38 Threat source: Linked User Requests
    (LINDDUN rule)

             Description: User requests can be linked because they contain a
                          unique identifier
                Severity: 1.0
        Long Description: A unique identifier means different requests/data can
                          be linked to a singular user profile or a specific
                          group. Unique identifiers can exist globally or
                          locally, within the system or across the context
                          boundary. Examples: IP address or email address. Even
                          if the identifier does not reveal one's identity
                          directly, accumulated amounts of personal data can
                          lead to 'identifying' threats.
                          LINDDUN card ID: L1
       Mitigation Option: Remove unique identifiers
             Requirement: Transmits unique user identifier = False
           Locations: (1)
                          http_request: User -> Database:
                            Attribute missing: Transmits unique user identifier
                          Management State: Undecided


#39 Threat source: Multi Factor Authentication
    (BSI rule)

             Description: Multi Factor Authentication
                Severity: 1.0
        Long Description: If authentication is required according to guidelines
                          CON.10.A16, APP.3.1.A1, and CON.8.A5 of the
                          IT-Grundschutzkompendium, the list of authentication
                          factors SHOULD include two or more elements.
                          BSI IT-Grundschutzkompendium ID:
       Mitigation Option: Add authentication factors
             Requirement: Authentication factors: count >= 2
           Locations: (2)
                          Database:
                            Attribute missing: Requires authentication
                            Attribute missing: Authentication factors
                          Management State: Undecided

                          Application:
                            Attribute missing: Requires authentication
                            Attribute missing: Authentication factors
                          Management State: Undecided


#40 Threat source: Multi Factor Authentication for High Security
    (BSI rule)

             Description: Authentication factors for high security requirements
                Severity: 1.0
        Long Description: If high security requirements exist, secure
                          multi-factor authentication SHOULD be used. For
                          example, with cryptographic certificates, chip cards
                          or tokens.
                          BSI IT-Grundschutzkompendium ID: ORP.4.A21, CON.8.A5
       Mitigation Option: Add authentication factors
             Requirement: Authentication factors: one of {PIN, OTP, Biometric
                          Data, Digital Certificate, Chip Card, Security Token}
           Locations: (2)
                          Database:
                            Attribute missing: Handles confidential data
                            Attribute missing: Authentication factors
                            Attribute missing: Requires authentication
                          Management State: Undecided

                          Application:
                            Attribute missing: Handles confidential data
                            Attribute missing: Authentication factors
                            Attribute missing: Requires authentication
                          Management State: Undecided


#41 Threat source: Non-Adherence to Privacy Standards
    (LINDDUN rule)

             Description: The system is not compliant with privacy standards and
                          best practices
                Severity: 1.0
        Long Description: The system should adhere to (industry) specific
                          privacy standards and implement them adequately.
                          Non-adherence to industry standards and best practices
                          makes it more difficult to demonstrate compliance with
                          applicable laws.
                          LINDDUN card ID: Nc2
       Mitigation Option: Check whether there is industry-specific guidance on
                          data processing for your sector (e.g., healthcare,
                          manufacturing)
             Requirement: Privacy standards compliance = True
           Locations: (1)
                          Test Name:
                            Attribute missing: Privacy standards compliance
                          Management State: Undecided


#42 Threat source: Non-Compliance of Processing with Applicable Regulations
    (LINDDUN rule)

             Description: The processing of personal data by the system is not
                          compliant with applicable privacy regulations
                Severity: 1.0
        Long Description: Processing and sharing of personal information must
                          adhere to jurisdictions in regions it is used in. For
                          example, the system must not process information of EU
                          citizens without a valid legal ground under GDPR.
                          LINDDUN card ID: Nc1
       Mitigation Option: Before processing any personal data, perform an
                          assessment on the applicable regulations for your
                          processing activities and system
             Requirement: Privacy regulation compliance = True
           Locations: (1)
                          Test Name:
                            Attribute missing: Privacy regulation compliance
                          Management State: Undecided


#43 Threat source: Non-Repudiation of Hidden Data or Metadata
    (LINDDUN rule)

             Description: Hidden data or metadata in a document prevents users
                          from denying claims associated with it
                Severity: 1.0
        Long Description: Metadata, hidden data or specific patterns in stored
                          or transmitted data may lead to undesirable
                          deniability issues. For example, author or revision
                          metadata in documents or data watermarked with hidden
                          artifacts prevents users from denying claims about the
                          data.
                          LINDDUN card ID: Nr5
       Mitigation Option: Minimize included metadata
             Requirement: Stores user associated metadata = False
           Locations: (1)
                          Database:
                            Attribute missing: Stores user associated metadata
                          Management State: Undecided


#44 Threat source: Non-Repudiation of Receipt
    (LINDDUN rule)

             Description: Users cannot deny having received a message
                Severity: 1.0
        Long Description: If (passive) interactions with the system, such as
                          receiving a message, have side-effects like logging,
                          the deniability of receipt gets affected for the
                          recipient.
                          LINDDUN card ID: Nr3
       Mitigation Option: Don't require read receipts from the recipient
       Mitigation Option: Don't log users' browser histories
             Requirement: Logs receipt = False
           Locations: (1)
                          Application:
                            Attribute missing: Logs receipt
                          Management State: Undecided


#45 Threat source: Non-Repudiation of Sending
    (LINDDUN rule)

             Description: Users cannot deny having sent a message
                Severity: 1.0
        Long Description: Sent or uploaded data that is digitally signed affects
                          the individual's deniability. For example: signed
                          emails but also documents, requests, etc.
                          LINDDUN card ID: Nr2
       Mitigation Option: Don't require data to be signed
             Requirement: Transmits signed data = False
           Locations: (1)
                          http_request: User -> Database:
                            Attribute missing: Transmits signed data
                          Management State: Undecided


#46 Threat source: Non-Repudiation of Service Usage
    (LINDDUN rule)

             Description: Users cannot deny having used a service because of
                          authentication or logged access
                Severity: 1.0
        Long Description: If a service stores credentials with identity
                          information, the individual's deniability gets
                          affected. For example: log files linking an entry in
                          an internal complaint system to an individual
                          employee.
                          LINDDUN card ID: Nr1
       Mitigation Option: If deniability is required, do not store the data at
                          all or remove any attributable data.
       Mitigation Option: Avoid credentials with identity information.
             Requirement: Logs access = False
           Locations: (1)
                          Application:
                            Attribute missing: Logs access
                          Management State: Undecided


#47 Threat source: Non-Repudiation of Storage
    (LINDDUN rule)

             Description: Users cannot deny claims about data stored in
                          non-repudiable storage
                Severity: 1.0
        Long Description: If data stored in a database is digitally signed, the
                          repudiation of users gets affected. An example would
                          be append-only storage systems like blockchains where
                          it is impossible for the data subject to later remove
                          their personal data.
                          LINDDUN card ID: Nr4
       Mitigation Option: Don't require data to be signed
             Requirement: Stores signed data = False
           Locations: (1)
                          Database:
                            Attribute missing: Stores signed data
                          Management State: Undecided


#48 Threat source: Overexposure of Personal Data
    (LINDDUN rule)

             Description: Personal data is shared with more services or external
                          parties than necessary
                Severity: 1.0
        Long Description: For personal data it should be considered to only send
                          it to recipients who need it, to not involve
                          unnecessary parties and keep the accessibility as low
                          as possible. For example, medical data should not be
                          made publicly available and location data from a
                          navigation application should not be propagated to the
                          calendar or mail. Overexposure of personal data may
                          lead to unintended consequences, as others could reuse
                          the data for unforeseen purposes.
                          LINDDUN card ID: DD5
       Mitigation Option: Carefully assess the necessity of sharing personal
                          data and ensure that the involved parties genuinely
                          require access to that data.
             Requirement: Data sharing minimized = True
           Locations: (2)
                          Database:
                            Attribute missing: Data sharing minimized
                            Attribute missing: Handles personal data
                          Management State: Undecided

                          Application:
                            Attribute missing: Data sharing minimized
                            Attribute missing: Handles personal data
                          Management State: Undecided


#49 Threat source: Profiling Users
    (LINDDUN rule)

             Description: Users can be profiled by analyzing their data for
                          patterns
                Severity: 1.0
        Long Description: It may be possible to derive data about individuals by
                          analyzing their data. Adversaries could try to collect
                          as much detailed data as possible to link data that
                          wasn't intended to be linked. Example: Inferring a
                          person's medical condition by the frequency of data
                          exchanges with a health monitoring machine.
                          LINDDUN card ID: L5
       Mitigation Option: Minimize collection and storage of user data
       Mitigation Option: Leave out unnecessarily detailed data
             Requirement: Handles user data = False
           Locations: (1)
                          Application:
                            Attribute missing: Handles user data
                          Management State: Undecided


#50 Threat source: Secure HTTP Configuration
    (BSI rule)

             Description: Secure HTTP configuration for web applications
                Severity: 1.0
        Long Description: To protect against clickjacking, cross-site scripting
                          and other attacks, suitable HTTP response headers
                          SHOULD be used. At least Content-Security-Policy,
                          Strict-Transport-Security, Content-Type,
                          X-Content-Type-Options and Cache-Control. The HTTP
                          headers SHOULD be tailored to the web application and
                          SHOULD be as restrictive as possible. For cookies, the
                          attributes Secure, SameSite and HttpOnly SHOULD be
                          set.
                          BSI IT-Grundschutzkompendium ID: CON.10.A14,
                          APP.3.1.A21
       Mitigation Option: Check that all required HTTP response headers are set
             Requirement: HTTP Cache Control = True, HTTP Content Security
                          Policy = True, HTTP Content Type = True, HTTP Cookie
                          HttpOnly = True, HTTP Cookie SameSite = True, HTTP
                          Cookie Secure = True, HTTP Strict Transport Security =
                          True, HTTP X Content Type Options = True
           Locations: (1)
                          http_request: User -> Database:
                            Attribute missing: Transport protocol
                            Attribute missing: HTTP Cache Control
                            Attribute missing: HTTP Content Security Policy
                            Attribute missing: HTTP Content Type
                            Attribute missing: HTTP Cookie HttpOnly
                            Attribute missing: HTTP Cookie SameSite
                            Attribute missing: HTTP Cookie Secure
                            Attribute missing: HTTP Strict Transport Security
                            Attribute missing: HTTP X Content Type Options
                          Management State: Undecided


#51 Threat source: Signature of Logging Data
    (BSI rule)

             Description: Digital signature for logging data
                Severity: 1.0
        Long Description: Stored logging data SHOULD be digitally signed. The
                          recommended signature methods according to BSI's
                          technical guideline TR-02102 include: RSA, DSA, ECDSA,
                          ECKDSA, ECKCDSA, ECGDSA.
                          BSI IT-Grundschutzkompendium ID: OPS.1.1.5.A12
       Mitigation Option: Verify that logging data is signed using a recommended
                          method
             Requirement: Signature scheme: one of {DSA, ECDSA, ECGDSA, ECKDSA,
                          ECKCDSA, RSA}
           Locations: (1)
                          Database:
                            Attribute missing: Handles logs
                            Attribute missing: Signature scheme
                          Management State: Undecided


#52 Threat source: Unnecessary Data Analysis
    (LINDDUN rule)

             Description: Data is further processed, analyzed, or enriched in a
                          way that is not strictly necessary for the
                          functionality
                Severity: 1.0
        Long Description: A system should not enrich/analyze the data more than
                          it is necessary for the system's functionality. For
                          example, a camera application does not need to perform
                          face-based recognition. Processing of data can be used
                          to learn additional sensitive information.
                          LINDDUN card ID: DD3
       Mitigation Option: Evaluate which types of personal data processing are
                          necessary for providing the system's functionality.
             Requirement: Only necessary data analyzed = True
           Locations: (2)
                          Database:
                            Attribute missing: Only necessary data analyzed
                          Management State: Undecided

                          Application:
                            Attribute missing: Only necessary data analyzed
                          Management State: Undecided


#53 Threat source: Unnecessary Data Retention
    (LINDDUN rule)

             Description: Data is stored for longer than needed
                Severity: 1.0
        Long Description: If data is stored for a longer time than necessary it
                          poses a privacy risk in case of a data breach. For
                          example, storing email addresses of newsletter
                          subscribers long after they have unsubscribed.
                          LINDDUN card ID: DD4
       Mitigation Option: Evaluate your storage policies. Consider how long you
                          store personal data and whether you have a process to
                          remove data you no longer need.
             Requirement: Data retention minimized = True
           Locations: (1)
                          Database:
                            Attribute missing: Data retention minimized
                          Management State: Undecided


#54 Threat source: Use of Proxies
    (BSI rule)

             Description: Use of TLS/SSL proxies
                Severity: 1.0
        Long Description: TLS/SSL proxies SHOULD be deployed at the gateways to
                          external networks to check transmitted data for
                          malware. These proxies SHOULD be protected against
                          unauthorized access. Security-relevant events SHOULD
                          be detected automatically.
                          BSI IT-Grundschutzkompendium ID: DER.1.A10
       Mitigation Option: Employ proxies
             Requirement: Uses proxy = True
           Locations: (1)
                          http_request: User -> Database:
                            Attribute missing: Uses proxy
                          Management State: Undecided


References:

BSI rule collection:
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-GS-Kompendium/checklisten_2023.html

STRIDE rule collection:
https://learn.microsoft.com/en-us/previous-versions/commerce-server/ee823878(v=cs.20)

LINDDUN rule collection:
https://linddun.org/
https://downloads.linddun.org/linddun-go/default/v241203/go.pdf
