Someone wrote to me to ask:
A few cards are not straightforward to apply to a webapp situation (some seem assume a proprietary client) – do you recommend discarding them or perhaps you thought of a way to rephrase them somehow?
“An attacker can make a client unavailable or unusable but the problem goes away when the attacker stops”
I don’t have a great answer, but I’m thinking someone else might have taken it on.
For Denial of Service attacks in the Microsoft SDL bug bar, we roughly to break things down to a matrix of (server, client, persistent/temporary). That doesn’t seem right for web apps. Is there a better approach, and perhaps even one that can translate into some good threat cards?