This section gives an overview of the assets in Domain 5, application-centric security, and of the threats that span the full spectrum of applications. The major sources of information for this study are OWASP and SANS reports. Note that this section does not consider applications that provide functionality for infrastructure, system or network management.
In this section we discuss the threats that can be mapped to the application asset taxonomy. Our review was driven by the OWASP and SANS generic risk assessments. In general terms, threats such as injection and application malfunction can strongly affect IT as a whole: current IT systems are heavily based on applications and services composed at run time, and are therefore exposed to attacks and breaches. Deliberate attacks on hosting platforms, as well as failures and malfunctions (e.g., a malfunction of the supporting ICT platform), are also important sources of risk. We introduce the major characteristics of the threat taxonomy, with a special focus on cyber-security threats, that is, threats that apply to information and communication technology assets. We also consider threats not related to ICT and caused by humans in the course of their activities.
A threat to application assets can be considered as “any circumstance or event that affects, often simultaneously, services and applications distributed over the Web”. The threat taxonomy consolidates threats previously considered in other documents and reports, and is composed of the following categories.
Threat T5.1.1: Security Misconfiguration
Security misconfiguration is one of the most exploited threats. Attackers try to exploit unpatched software, default accounts or unused pages to gain unauthorized access to systems. The problem can affect any layer of a system and becomes critical when it gives the attacker the possibility of compromising the system and bypassing access control checks. This threat is related to threats in other domains: Threat T4.1.1 and Threat T4.1.2 in Data-Centric Security, Threat T3.1.1 in System-Centric Security, and Threat T1.1.1 in Device/IoT-Centric Security.
Threat T5.2.1: Interception of information
The interception of information is another important threat that plagues the application domain. This threat is horizontal and targets all domains, involving weaknesses in network communications, system components and devices, data exchange, and users’ activities. In this domain, the interception of information is mainly due to weaknesses and flaws in the protocols used to encrypt communications (e.g., deprecated SSL protocol versions) and in the way applications configure them. This threat is related to threats in other domains: Threat T4.1.1, Threat T4.2.1, and Threat T4.2.2 in Data-Centric Security, Threat T3.2.1 in System-Centric Security, and Threat T1.2.1 in Device/IoT-Centric Security.
Threat T5.2.2: Sensitive data exposure
Sensitive data exposure is a major plague for applications and is often the result of misconfiguration or weak protection. Many web applications and APIs do not properly protect sensitive data. Rather than attacking the cryptography directly, attackers steal keys, intercept communications, or obtain the cleartext from the server or the client. The most common weaknesses concern, not surprisingly, the storage and exchange of sensitive data in plain text, as well as how cryptography is employed (e.g., weak key generation and management, weak algorithms). This threat results in sensitive data leakage and breaches for data both in transit and at rest. This threat is related to threats in other domains: Threats T4.1.1, T4.2.1, T4.2.2 and T4.4.4 in Data-Centric Security, as well as Threats T5.1.1 and T5.1.2 in this section.
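Stored credentials are the data-at-rest case of this threat that is breached most often, and "weak algorithm" usually means an unsalted fast hash. The following added example (not from the original deliverable) contrasts unsalted MD5 with salted, memory-hard scrypt from the Python standard library and verifies in constant time. The user names, the password and the scrypt cost parameters (n=2**14, r=8, p=1) are this example's assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample: two users who happen to choose the same password.
USERS = {"alice": "Winter2024!", "bob": "Winter2024!"}


def store_weak(password: str) -> str:
    """Unsalted MD5, still found in legacy schemas.

    Identical passwords yield identical digests, so one cracked digest exposes
    every account sharing it, and precomputed tables invert digests in bulk.
    """
    return hashlib.md5(password.encode()).hexdigest()


def store_strong(password: str, salt: bytes = b"") -> str:
    """Salted, memory-hard scrypt (OpenSSL-backed, in hashlib).

    The record carries its own parameters so they can be raised later without
    breaking verification of existing records.  Cost parameters are assumed.
    """
    salt = salt or os.urandom(16)
    n, r, p = 2 ** 14, 8, 1
    digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"scrypt${n}${r}${p}${salt.hex()}${digest.hex()}"


def verify_strong(password: str, record: str) -> bool:
    """Recompute from the stored parameters and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)


def weak_records_collide(users: dict) -> bool:
    """True if the weak scheme produces duplicate digests for the sample users,
    i.e. the database itself reveals who shares a password."""
    digests = [store_weak(pw) for pw in users.values()]
    return len(set(digests)) < len(digests)


if __name__ == "__main__":
    print("weak digests collide:", weak_records_collide(USERS))
    rec = store_strong(USERS["alice"])
    print("strong record:", rec)
    print("verify correct:", verify_strong(USERS["alice"], rec))
    print("verify wrong:", verify_strong("winter2024!", rec))
```

The `$`-separated record format mirrors common password-hash encodings; the important properties are the per-record random salt, the tunable work factor, and the constant-time comparison.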
Threat T5.3.1: Broken authentication and access control
Broken authentication and access control allow an attacker to compromise an application and often the entire system hosting it. A bug in the application functions that implement authentication and session management can have catastrophic consequences, allowing attackers to compromise passwords, keys or session tokens and to assume other users’ identities. Access control weaknesses are similar: restrictions on what authenticated users are allowed to do are not properly enforced, permitting unauthorized operations that affect the confidentiality and integrity of data and applications. This threat is related to threats in other domains: Threats XYZ in Device/IoT-Centric Security, as well as Threats XYZ in System-Centric Security.
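Both halves of this threat show up in a few lines of application code: a session token an attacker can guess, and an object lookup that authenticates the caller but never checks what the caller is allowed to read. The following added example (not from the original deliverable) places the broken and the corrected versions side by side over an in-memory document store; the users, documents and store layout are constructed for the example.

```python
import itertools
import secrets

# Constructed data: two users, each owning one document.
DOCUMENTS = {
    1: {"owner": "alice", "body": "alice's payroll record"},
    2: {"owner": "bob", "body": "bob's payroll record"},
}
SESSIONS = {}                      # token -> username
_counter = itertools.count(1000)   # state for the weak token scheme


def login_weak(username: str) -> str:
    """Sequential session IDs: a user who sees their own ID can guess the
    neighbouring ones and assume other users' identities."""
    token = str(next(_counter))
    SESSIONS[token] = username
    return token


def login_strong(username: str) -> str:
    """256 bits from the OS CSPRNG; not guessable from any other token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def get_document_weak(token: str, doc_id: int) -> str:
    """Authenticates the caller but never authorises the object: any logged-in
    user reads any document by changing doc_id (insecure direct object
    reference)."""
    if token not in SESSIONS:
        raise PermissionError("not authenticated")
    return DOCUMENTS[doc_id]["body"]


def get_document_strong(token: str, doc_id: int) -> str:
    """Deny by default: resolve the caller from the token, then check ownership.
    Missing and foreign documents return the same error so ids cannot be
    enumerated."""
    user = SESSIONS.get(token)
    if user is None:
        raise PermissionError("not authenticated")
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != user:
        raise PermissionError("not authorised")
    return doc["body"]


def can_read(lookup, token: str, doc_id: int) -> bool:
    """True if `lookup` lets the holder of `token` read document `doc_id`."""
    try:
        lookup(token, doc_id)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    bob = login_strong("bob")
    print("weak lookup lets bob read alice's doc:", can_read(get_document_weak, bob, 1))
    print("strong lookup lets bob read alice's doc:", can_read(get_document_strong, bob, 1))
    print("strong lookup lets bob read his own doc:", can_read(get_document_strong, bob, 2))
```

The ownership check belongs in the data-access function itself rather than in each caller, so that every code path that reaches the document passes through it.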
Threat T5.3.2: Denial of service
Denial of service has been extensively discussed in device/IoT-, network-, system- and data-centric security. Applications are one of the main targets of denial of service, for a variety of economic, political, ideological and other reasons. This threat is related to threats in other domains:
Threat T5.3.3: Code execution and injection (insecure APIs)
Code execution and injection are common threats to applications. Insecure APIs have supported criminals in their malicious activities since the advent of the Internet, and have grown in importance with the advent of distributed services. This threat is related to threats in other domains: Threat T4.4.2 in Data-Centric Security, Threat T3.4.3 in System-Centric Security, and Threat T1.4.3 in Device/IoT-Centric Security.
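SQL injection is the canonical instance of this threat: an API that builds a query from caller-supplied text lets that text become SQL grammar. The following added example (not from the original deliverable) runs the vulnerable lookup and its parameterised replacement against the same in-memory SQLite table; the table, rows and payload are constructed for the example.

```python
import sqlite3

# Constructed payload: closes the string literal and appends an always-true clause.
INJECTION_PAYLOAD = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for an application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """String-built query: the caller's text is spliced into the SQL.

    With INJECTION_PAYLOAD the WHERE clause becomes
    username = '' OR '1'='1' and every row is returned.
    """
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, username: str) -> list:
    """Bound parameter: the driver passes the value separately from the query
    text, so the quote characters are data and can never close the literal."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload:", lookup_vulnerable(db, INJECTION_PAYLOAD))
    print("parameterised, payload:", lookup_parameterised(db, INJECTION_PAYLOAD))
    print("parameterised, honest input:", lookup_parameterised(db, "alice"))
```

The same pattern (data bound out of band instead of concatenated into a command) applies to the other injection classes this threat covers, such as OS commands and LDAP filters.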
Threat T5.3.4: Insufficient logging and monitoring
This threat helps criminals go undetected. Insufficient logging and monitoring reduce the effectiveness of intrusion detection and attack identification, and with it the effectiveness of response and remediation.
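Detection is only as good as what the application records: the example below needs the outcome, the account and the source address of every login attempt, and an application that logs only successes cannot support it. The following added example (not from the original deliverable) runs a simple credential-stuffing detector over constructed authentication log lines; the line format, thresholds and addresses are this example's assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of application authentication events (not real traffic).
# 203.0.113.7 fails against five different accounts in six seconds, then succeeds;
# 198.51.100.2 is a legitimate user who mistypes twice over 35 minutes.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z login FAILED user=alice src=203.0.113.7
2024-03-01T10:00:03Z login FAILED user=bob src=203.0.113.7
2024-03-01T10:00:04Z login FAILED user=carol src=203.0.113.7
2024-03-01T10:00:06Z login FAILED user=dave src=203.0.113.7
2024-03-01T10:00:07Z login FAILED user=erin src=203.0.113.7
2024-03-01T10:00:09Z login OK user=frank src=203.0.113.7
2024-03-01T10:05:00Z login FAILED user=alice src=198.51.100.2
2024-03-01T10:20:00Z login FAILED user=alice src=198.51.100.2
2024-03-01T10:40:00Z login OK user=alice src=198.51.100.2
"""

LINE_RE = re.compile(r"^(\S+) login (OK|FAILED) user=(\S+) src=(\S+)$")


def parse(log_text: str):
    """Yield (timestamp, outcome, user, src) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # unparseable lines are skipped, not fatal
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), m.group(4)


def detect_auth_anomalies(log_text: str, threshold: int = 5,
                          window: timedelta = timedelta(seconds=60)) -> list:
    """Two rules over a sliding window per source address:

    1. brute force: at least `threshold` failures from one source within `window`;
    2. possible compromise: a success from a source whose burst is still in the window.
    Returns one alert string per rule firing.
    """
    recent_failures = defaultdict(list)    # src -> failure timestamps inside the window
    burst_sources = set()
    alerts = []
    for ts, outcome, user, src in parse(log_text):
        hist = [t for t in recent_failures[src] if ts - t <= window]
        if outcome == "FAILED":
            hist.append(ts)
            if len(hist) >= threshold and src not in burst_sources:
                burst_sources.add(src)
                alerts.append(f"{ts.isoformat()} brute-force: {len(hist)} failures "
                              f"from {src} within {int(window.total_seconds())}s")
        elif src in burst_sources and hist:
            alerts.append(f"{ts.isoformat()} possible compromise: success for "
                          f"{user} from {src} after failure burst")
        recent_failures[src] = hist
    return alerts


if __name__ == "__main__":
    for alert in detect_auth_anomalies(SAMPLE_LOG):
        print(alert)
```

Raising the threshold or narrowing the window trades missed slow attacks for fewer false positives on users who genuinely forget their password, which is why the legitimate source in the sample, with failures fifteen minutes apart, is not flagged.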
Threat T5.3.5: Untrusted composition
This threat subsumes many other threats in this deliverable, focusing specifically on composite services. Composite services orchestrate atomic services to provide advanced functionality. This composition, however, introduces new risks that go beyond those of the atomic services. First, a composite service can be compromised through the combined information it has access to. Second, the composition of strong atomic services does not necessarily result in a strong composite service; rather, the strength of a composite service is that of its weakest atomic service. Finally, multiple communication channels and storage locations need to be protected at the same time.
Threat T5.4.1: Violation of laws or regulations
Taking into account the discussion above on the violation of applicable laws, it can be argued that the most relevant laws in this case are the GDPR and the Regulation on Electronic Identification and Trust Services for Electronic Transactions in the Internal Market (eIDAS). National laws of Member States can certainly apply, but they are essentially left outside the scope of this deliverable.
Assets: All assets.
Threat T5.5.1: Malicious insider
Insider threats are among the most critical security threats to be faced, and can be distinguished into unintentional and malicious insiders. The view that insider attacks may inflict larger damage than outside attackers is widely shared. Their impact is also increasing because, on one side, no fully effective security solution exists for this threat and, on the other, the value of data is increasing rapidly. Insiders are authorized users with legitimate access to sensitive and confidential documents, possibly aware of existing vulnerabilities. Malicious insiders therefore have multiple incentives to carry out an attack, ranging from revenge to revenue when sensitive data are at their disposal.