Table 10. Identified insecure control actions.
Identified insecure control actions of the example action “smartphone registers at the server”.
Control action | GW: not providing causes vulnerability | GW: providing causes vulnerability | GW: timing issues cause vulnerability¹ |
---|---|---|---|
Phone_CtrlAction1 | Phone_CtrlAction1_Insec1 | Phone_CtrlAction1_Insec2 | / |

Label description:
Phone_CtrlAction1: Smartphone registers at the server (i.e., sends the account ID, password and smartphone’s public key to the server)
Phone_CtrlAction1_Insec1: Smartphone does not register at the server correctly [V-2]
Phone_CtrlAction1_Insec2: Registration is done successfully, but sensitive information (account ID and password) is leaked [V-3]
Note 1: The guide word “timing issues cause vulnerability” represents “too early, too late, out of order” and “stopped too soon, applied too long” in STPA-Sec.