
Chapter 6 DXP Security

Application-Specific Security Analysis

In this stage we analyze the requirements of the DXP application and understand the security-related requirements. We perform the threat modeling by understanding the details of the following:

• Identifying the main security objectives of the organization and the application
• Types of users and their security needs
• Data security needs
• Details of sensitive operations
• Details of client-side and server-side validations
• Details of authentication and authorization

Based on this, we will create security test cases. Let’s look at the threat profile of two key operations in a banking domain. We have considered “transaction management” and “funds transfer” scenarios for threat profiling here.

Threat Profiling of Transaction Management in Banking DXP

The main vulnerabilities in transaction management are as follows. We can create security test cases for testing these scenarios:

• Using SQL injection attacks to tamper with the transaction details (account number, account holder name, timestamp) and attempt to view/update/delete the transaction details of other users
• Adding dummy, duplicate, incomplete, or inaccurate transactions
• Attempting to steal transaction details of other users through man-in-the-middle or CSRF attacks
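The following is an added example, not code from the book, showing what the security test cases derived from this threat profile can look like for the three transaction-management scenarios. It models a minimal in-memory transaction service with the server-side controls each scenario calls for: bound SQL parameters and a session-based ownership check against tampered identifiers, server-side completeness and amount validation plus an idempotency key against dummy, duplicate, incomplete or inaccurate transactions, and a constant-time per-session CSRF token check for state-changing requests. The function names, the SQLite schema and the sample account records are all constructed for illustration; transport protection against man-in-the-middle attacks (TLS) is assumed to be handled below this layer and is not modeled here.

```python
"""Security test cases for the transaction-management threat profile.

Added example (not the book's code): an in-memory transaction service with the
server-side controls the threat profile calls for, plus one test per scenario.
All names, schema and data below are constructed for illustration.
"""
import hmac
import secrets
import sqlite3

SAMPLE_TRANSACTIONS = [  # constructed sample data, not real account records
    ("t1", "1001", "A. Example", 120.50, "2024-01-05T10:00:00Z", "k-1"),
    ("t2", "1001", "A. Example", 40.00, "2024-01-06T11:30:00Z", "k-2"),
    ("t3", "2002", "B. Example", 999.99, "2024-01-06T12:00:00Z", "k-3"),
]


def make_db():
    """Create the constructed transactions table in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE transactions (id TEXT PRIMARY KEY, account_no TEXT NOT NULL, "
        "holder TEXT NOT NULL, amount REAL NOT NULL, ts TEXT NOT NULL, "
        "idempotency_key TEXT NOT NULL UNIQUE)"
    )
    conn.executemany("INSERT INTO transactions VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_TRANSACTIONS)
    return conn


def list_transactions(conn, session_account, requested_account):
    """Read path: authorization comes from the server-side session, never from the request."""
    if requested_account != session_account:
        raise PermissionError("account does not belong to the authenticated user")
    # Bound parameter: the value is data, so quotes or SQL keywords inside it are inert
    return conn.execute(
        "SELECT id, account_no, amount FROM transactions WHERE account_no = ?",
        (requested_account,),
    ).fetchall()


def add_transaction(conn, session_account, account_no, holder, amount, ts, idempotency_key):
    """Write path: server-side completeness validation plus an idempotency key against duplicates."""
    if account_no != session_account:
        raise PermissionError("cannot post transactions to another user's account")
    if not (account_no and holder and ts and idempotency_key):
        raise ValueError("incomplete transaction")
    if not isinstance(amount, (int, float)) or amount <= 0:
        raise ValueError("inaccurate transaction amount")
    tx_id = "t-" + secrets.token_hex(4)
    try:
        conn.execute("INSERT INTO transactions VALUES (?, ?, ?, ?, ?, ?)",
                     (tx_id, account_no, holder, float(amount), ts, idempotency_key))
    except sqlite3.IntegrityError:
        # UNIQUE(idempotency_key) turns a replayed or duplicated submission into a rejection
        raise ValueError("duplicate transaction: idempotency key already used") from None
    return tx_id


def csrf_token_valid(session_token, submitted_token):
    """State-changing requests must carry the per-session CSRF token; compare in constant time."""
    if not submitted_token:
        return False
    return hmac.compare_digest(session_token, submitted_token)


def run_security_test_cases():
    """Return a dict of test-case name -> passed, one case per threat-profile scenario."""
    results = {}
    conn = make_db()
    # Scenario 1: tampered account identifier. The ownership check rejects it outright...
    tampered = "1001' OR '1'='1"
    try:
        list_transactions(conn, "1001", tampered)
        results["tampered_identifier_rejected"] = False
    except PermissionError:
        results["tampered_identifier_rejected"] = True
    # ...and even if it reached the query, the bound parameter matches no row at all
    literal_rows = conn.execute(
        "SELECT COUNT(*) FROM transactions WHERE account_no = ?", (tampered,)).fetchone()[0]
    results["bound_parameter_inert"] = literal_rows == 0
    own = list_transactions(conn, "1001", "1001")
    results["own_rows_only"] = {r[1] for r in own} == {"1001"} and len(own) == 2
    try:
        list_transactions(conn, "1001", "2002")
        results["cross_account_read_blocked"] = False
    except PermissionError:
        results["cross_account_read_blocked"] = True
    # Scenario 2: dummy, duplicate, incomplete or inaccurate transactions
    add_transaction(conn, "1001", "1001", "A. Example", 10.0, "2024-02-01T09:00:00Z", "k-new")
    for name, kwargs in [
        ("duplicate_rejected", dict(amount=10.0, ts="2024-02-01T09:00:00Z", idempotency_key="k-new")),
        ("incomplete_rejected", dict(amount=10.0, ts="", idempotency_key="k-x")),
        ("inaccurate_rejected", dict(amount=-5.0, ts="2024-02-01T09:00:00Z", idempotency_key="k-y")),
    ]:
        try:
            add_transaction(conn, "1001", "1001", "A. Example", **kwargs)
            results[name] = False
        except ValueError:
            results[name] = True
    # Scenario 3: a cross-site forged request cannot present the session's CSRF token
    token = secrets.token_urlsafe(32)
    results["csrf_missing_token_rejected"] = not csrf_token_valid(token, None)
    results["csrf_wrong_token_rejected"] = not csrf_token_valid(token, "wrong-token")
    results["csrf_valid_token_accepted"] = csrf_token_valid(token, token)
    return results


if __name__ == "__main__":
    for name, passed in run_security_test_cases().items():
        print(f"{'PASS' if passed else 'FAIL'}  {name}")
```

Each key in the returned dict corresponds to one line of the threat profile, so a failing case points directly at the control that is missing; in a real DXP the same checks would sit in the service layer behind the portal, with the session account taken from the authenticated principal rather than passed as a parameter.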

Building Digital Experience Platforms - Page 210