Story
Resolution: Unresolved
Story (Required)
Security strategies for preventing credential abuse and stuffing attacks (MS-SS-11)
- Set up a run-time credential abuse prevention mechanism. For example, allow a set number of login attempts from a single IP address; once this threshold is exceeded, take a preventative measure such as throttling the login requests from that IP or temporarily blocking it.
- Deploy a credential-stuffing prevention mechanism that checks user logins against a database of compromised credentials (like a list of revoked tokens) and alerts legitimate users if their credentials have been stolen.
- Deploy and configure IDS/IPS systems to safeguard against the following attacks:
  - DoS/DDoS attacks: detect them and raise a flag as soon as a service becomes unavailable.
  - Distributed network probes (i.e. IP and port scans).
- Configure malware and antivirus systems to scan file uploads as well as each container's memory and file system contents.
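As an added example (not code from this ticket or the GitOps project it belongs to), the following Python sketch implements the first two bullets: a per-IP login throttle with a throttle threshold and a higher temporary-block threshold over a sliding window, and a check of the submitted password against a set of known-compromised credential hashes using the hash-prefix range lookup that public breached-password corpora expose (only the first five hex characters of the SHA-1 leave the caller). The thresholds, the IP address, the `verify` callback and the breached-hash set are all constructed assumptions for the example.

```python
"""Run-time credential-abuse controls: per-IP throttling plus a compromised-
credential check. Added example; thresholds and sample data are constructed."""
import hashlib
import time
from collections import defaultdict, deque

# Assumed tunables; a real deployment picks these at the triage decision.
WINDOW_SECONDS = 60           # sliding window for counting attempts per IP
THROTTLE_AFTER = 5            # attempts in window before responses are delayed
BLOCK_AFTER = 10              # attempts in window before a temporary block
BLOCK_SECONDS = 300           # length of the temporary block
THROTTLE_DELAY_SECONDS = 2.0  # delay applied to throttled responses


class LoginGuard:
    """Tracks login attempts per source IP and decides allow / throttle / block."""

    def __init__(self, now=time.monotonic):
        self._now = now                      # injectable clock (tests use a fake)
        self._attempts = defaultdict(deque)  # ip -> timestamps of recent attempts
        self._blocked_until = {}             # ip -> clock value when the block ends

    def _prune(self, ip, now):
        """Drop attempts that fell out of the sliding window."""
        q = self._attempts[ip]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return q

    def check(self, ip):
        """Return ('allow', 0), ('throttle', delay) or ('block', seconds_left)."""
        now = self._now()
        until = self._blocked_until.get(ip)
        if until is not None:
            if now < until:
                return ("block", until - now)
            del self._blocked_until[ip]      # block expired: start with a clean slate
            self._attempts[ip].clear()
        q = self._prune(ip, now)
        if len(q) >= BLOCK_AFTER:
            self._blocked_until[ip] = now + BLOCK_SECONDS
            return ("block", BLOCK_SECONDS)
        if len(q) >= THROTTLE_AFTER:
            return ("throttle", THROTTLE_DELAY_SECONDS)
        return ("allow", 0)

    def record_attempt(self, ip):
        """Count one attempt (success or failure) against the source IP."""
        now = self._now()
        self._prune(ip, now).append(now)


# Constructed sample of breached-password hashes (upper-case SHA-1 hex), the form
# common breach corpora publish. Real deployments query a full corpus.
COMPROMISED_SHA1 = {
    hashlib.sha1(b"password123").hexdigest().upper(),
    hashlib.sha1(b"letmein").hexdigest().upper(),
}


def compromised_suffixes(prefix5):
    """Corpus side of a range lookup: all hash suffixes under a 5-char prefix."""
    return {h[5:] for h in COMPROMISED_SHA1 if h.startswith(prefix5)}


def is_compromised(password):
    """Client side: send only the prefix, compare the suffix locally."""
    full = hashlib.sha1(password.encode()).hexdigest().upper()
    return full[5:] in compromised_suffixes(full[:5])


def attempt_login(guard, ip, username, password, verify):
    """One login request. `verify(username, password) -> bool` is the
    application's own credential check (assumed, supplied by the caller)."""
    decision, wait = guard.check(ip)
    if decision == "block":
        return {"status": "blocked", "retry_after": wait}
    guard.record_attempt(ip)
    ok = verify(username, password)
    result = {"status": "ok" if ok else "failed",
              "delay": wait if decision == "throttle" else 0}
    if ok and is_compromised(password):
        # Valid credentials that appear in a breach: let the user in but flag
        # the account so the legitimate owner is alerted to rotate the password.
        result["notify_user"] = True
    return result
```

The guard counts every attempt rather than only failures so that a slow spray of valid-looking requests from one address still trips the threshold; the throttle delay is returned to the caller rather than slept inside the guard so the web framework can apply it without tying up a worker. The compromised-credential check deliberately runs only after a successful verification, so a wrong password never reveals whether the account's real password is in the breach set.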
Background (Required)
Refer to the Epic description.
Out of scope
Any previous countermeasures.
Approach (Required)
- Discuss this issue in the bug triage or cabal.
Dependencies
NA
Acceptance Criteria (Mandatory)
- Bring this issue to the bug triage call and take a decision on the countermeasure.
- If further discussion is needed, bring this issue to the cabal.
INVEST Checklist
- Dependencies identified
- Blockers noted and expected delivery timelines set
- Design is implementable
- Acceptance criteria agreed upon
- Story estimated
Legend: Unknown / Verified / Unsatisfied
Done Checklist
- Code is completed, reviewed, documented and checked in
- Unit and integration test automation has been delivered and is running cleanly in the continuous integration/staging/canary environment
- Continuous Delivery pipeline(s) are able to proceed with the new code included
- Customer facing documentation, API docs etc. are produced/updated, reviewed and published
- Acceptance criteria are met
Issue links
- clones: GITOPS-3671 T35: Fine-tune HTTP server settings (New)
- is cloned by: GITOPS-3673 T2130: Exercise best practices for securing microservices communication (New)