D2.4 Vulnerability Catalogue

Contributing Partners

AIT, ATOS, FOKUS, GUF, TUG, OTE, LISPA

Executive Summary

On a high level, the central goal of the CREDENTIAL project is to develop a privacy-preserving data sharing platform (wallet) with integrated identity provider (IdP), which can be used to share authenticated data without the wallet learning any of the user's personal information. The functionality and added value of these services will be showcased by concrete pilots from the domains of eGovernment, eHealth, and eBusiness.

A central task in the development of security- and privacy-sensitive software applications is a continuous and comprehensive threat analysis and evaluation. This in turn requires a precise analysis of potential vulnerabilities, as only discovering and understanding potential weaknesses allows one to assess their potential impact and to take counter-measures.

In this document we therefore perform such a vulnerability analysis for IAM and data sharing applications. The catalogue at hand is complementary to existing generic cloud vulnerability catalogues as published, e.g., by ENISA, OWASP, or SECCRIT. Namely, it puts its main focus on identity and access management systems as well as data sharing platforms, and only contains generic vulnerabilities if they are of outstanding relevance for the considered applications. Special attention will be paid to all aspects concerning the users' privacy.

Following CREDENTIAL 's methodology, all identied vulnerabilities are mapped to the threat categories of STRIDE and LINDDUN, which will then be evaluated using STRIDE in subsequent deliverables.

Full Version

The full version of this deliverable can be downloaded here.