Better Security Outcomes with Abuser Stories for Scrum Teams

“What on earth is an Abuser Story?”

“What’s the point of an Abuser Story?”

Security in the SDLC

“Great, How can I use Abuser Stories in my Agile Team? Spare me no details….”

  1. As a user, I can log in to the application with my official email address and password, so I can upload details of my business expenditure for reimbursement.
  2. As a user, I can set up the instruments that I use for official expenses, like my credit card, and set up accounts that I can receive reimbursements into, like a bank account, so that I can submit details of business expenditure accurately and receive reimbursements.
  3. As a user, I can track details of approval and view approved and “waiting to be approved” expenditure, so I know which bills are approved and which are pending approval.

  1. As a user, I can only upload expenditure that is within a pre-defined budget, so I cannot overspend on the company’s dime.
  2. As a user, I can receive reimbursements only for the bills my manager approves, so I can only be reimbursed for approved expenses.
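The two constraint stories above are only useful if they become checks that a malicious user cannot get past, so here is an added example (not code from the article) of an expense service that enforces them: submissions are capped against the user's running total, approval is restricted to the owner's manager (which also blocks self-approval), and payout happens only for an approved bill and only once. The service, the org chart and the amounts are constructed for the example.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Optional

class PolicyViolation(Exception):
    """Raised when a request matches an abuser story rather than a user story."""

@dataclass
class Expense:
    expense_id: str
    owner: str
    amount: Decimal
    approved_by: Optional[str] = None   # set only by the owner's manager
    reimbursed: bool = False

@dataclass
class ReimbursementService:
    budget_limit: Decimal                # per-user cap (abuser story 1)
    manager_of: dict                     # employee -> manager (constructed org chart)
    expenses: dict = field(default_factory=dict)

    def submit(self, owner: str, expense_id: str, amount: Decimal) -> Expense:
        # Abuser story 1: check the running total, not just this one bill,
        # otherwise many small bills walk around the budget.
        if amount <= 0:
            raise PolicyViolation("amount must be positive")
        already = sum(e.amount for e in self.expenses.values() if e.owner == owner)
        if already + amount > self.budget_limit:
            raise PolicyViolation(f"{owner} would exceed budget {self.budget_limit}")
        self.expenses[expense_id] = Expense(expense_id, owner, amount)
        return self.expenses[expense_id]

    def approve(self, expense_id: str, approver: str) -> Expense:
        # Authorization decision: only the owner's manager may approve, so the
        # owner approving their own bill is rejected by the same check.
        exp = self.expenses[expense_id]
        if self.manager_of.get(exp.owner) != approver:
            raise PolicyViolation(f"{approver} is not the manager of {exp.owner}")
        exp.approved_by = approver
        return exp

    def reimburse(self, expense_id: str) -> Decimal:
        # Abuser story 2: pay out only manager-approved bills, and only once.
        exp = self.expenses[expense_id]
        if exp.approved_by is None:
            raise PolicyViolation(f"{expense_id} has not been approved")
        if exp.reimbursed:
            raise PolicyViolation(f"{expense_id} was already reimbursed")
        exp.reimbursed = True
        return exp.amount

def demo() -> Decimal:
    # Constructed sample: alice reports to bob, budget of 500 per user.
    svc = ReimbursementService(Decimal("500"), {"alice": "bob"})
    svc.submit("alice", "e1", Decimal("300"))
    svc.approve("e1", "bob")
    return svc.reimburse("e1")
```

Each `PolicyViolation` path is a negative test a scrum team can keep alongside the positive acceptance tests for the user stories.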

“Alright, now I have Abuser Stories…What next??”

  • Possible Attack Scenarios
    ◦ SQL Injection to steal the manager’s password and gain access to his/her account
    ◦ Sniff session tokens over the network to obtain the manager’s session token and subsequently gain access to his/her account
    ◦ Brute-force a weak password used by the manager to gain access to his/her account
    ◦ Use social engineering to trigger a potential CSRF attack against the manager to approve the expense
    ◦ Embed a malware-laden file in a file upload to compromise the manager’s browser/computer and take over the manager’s account
  • Security Feature Design
    ◦ Log invalid access attempts and set up security alerts to detect brute-force attacks in progress.
    ◦ Allow only specific types of files for upload (like image files, etc.). Scan files for malware before accepting them.
    ◦ Enforce password complexity requirements, with high-entropy passwords enforced for all users in the system.
    ◦ Use parameterized queries in every database query.
    ◦ Use and validate anti-CSRF tokens for each request to the application.
    ◦ Sanitize HTML output to protect against XSS attacks.
    ◦ Implement HTTPS with TLS 1.1 and 1.2 support and strong cipher suites. Implement HSTS.
  • Development Checks
  • Testing Strategies
  • Deployment Checks

In Conclusion…



Abhay Bhargav

CTO of we45 (An AppSec Company), DevSecOps Greasemonkey, Passionate Security Technologist and Creator