Question
Assignment: Threat Modeling
Scenario
The two main user types of this system are warehouse employees who use a proprietary Android app on a custom-built smartphone connected to an enterprise WiFi network. The device is equipped with a barcode scanner to quickly scan a product's label. It can be used to pick orders, or to update inventory levels. Each time a barcode is scanned, the app initiates a callback to a web API to pull product details. In addition, the barcode scan is used to add items to an order while picking, or through an override mechanism to update inventory levels of specific products.
All network traffic between the scanner and the API backend is encrypted using TLS. All devices have their own security certificates, allowing for mutual authentication between the scanners and the API.
Before a warehouse employee can use the mobile app, they will need to authenticate themselves using username and password. The authentication step involves the app making an authentication assertion using SAML to an identity provider (IdP). The IdP verifies credentials against a backend identity management (IDM) system before returning a status code. The IdP and the IDM system are both connected to the enterprise network, which is accessible from the WiFi network in the warehouses. The devices are not set up to use cellular service.
The second group of users involves clients. Clients access the enterprise website using a browser. All browser traffic is encrypted using TLS. Certificates are provided by Let's Encrypt. The site is built as a Django app and it is hosted in the cloud. Before being able to browse the products and before being able to order, clients must first authenticate using username and password. Second-factor authentication using SMS text messaging is an optional layer of protection that each user can turn on themselves. The web app uses the WebAuthn protocol, which connects back to the same IdP as is used by the mobile app.
After successfully authenticating, the web app also uses the web API. For client calls, only the API server authenticates, since clients do not have their own certificates. All access control is implemented at the API level. The web API is able to query and update the product database, which is integrated with the organization's Enterprise Resource Planning (ERP) platform. The API also has built-in support for order completion, using a shopping cart model. Each client has their own discount scheme, which is determined to establish pricing and payment terms. This information is also stored in the database. The contents of the database are encrypted using AES using an appropriate mode of operation. The encryption key for the database is kept on a hardware crypto module that is external to the server.
In addition to accessing the API for its dynamic properties, the web app also pulls static content (images, etc.) and presents it back to users in their browser.
Lastly, the web app must integrate with an external email service. The service is used to send order confirmation including tracking information to the clients. The web application does not accept any incoming email.
According to the overview and scenario above, follow the steps below to draw a complete DFD diagram.
Step 1: Review the scenario to identify terminals and data flows going to and from the terminals. Label each data flow appropriately. Provide a diagram. Include the first intermediate diagram in your solution.
Step 2: Review the scenario again. This time, focus on identifying processes and the data flows originating from each process or arriving at each process. Add this information to your diagram. Include the second intermediate diagram in your solution.
Step 3: Review the scenario again. Focus on checking what you already modeled, and fill in the data stores. Identify the data flows originating from each data store or arriving at each store. NOTE: at this stage, we are still technology-agnostic. Do not list enabling technologies, such as databases. Represent the nature of the data contained in a store instead. Add this information to your diagram. Now provide a data-flow diagram. Include the full DFD in your solution.
Step 4: Enrich your DFD by identifying which architectural component provides each process and each data store, e.g. Element: API; Provided by: On-site API server.
Step 5: Using the elements above, draw in boundaries that intersect data flows. Include the updated DFD with trust boundaries in your solution.
Boundary crossing: Client sends credentials from browser to IdP
The categories involved in assessing threats are spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege. Then give their potential threats and proposed controls.
Step 6: Choose three places where a boundary crosses a data flow and provide a STRIDE analysis.
Step 7: Lastly, summarize the proposed controls in a simple bullet list and include it in your solution.
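The steps above (elements, data flows, trust boundaries, STRIDE at the crossings, control summary) can be worked mechanically once the DFD is written down as data. The Python below is an added example, not part of the assignment text or of any answer on this page: it encodes the scenario's terminals, processes, stores and flows, places them in trust zones, lists every flow that crosses a zone, and applies the standard STRIDE-per-element mapping (external entity: S, R; process: S, T, R, I, D, E; data store: T, R, I, D; data flow: T, I, D). The zone names, the element names, and the mapping from each stated control (TLS, mutual TLS, AES at rest) to the STRIDE letters it addresses are assumptions made for illustration, as is the decision to attribute a control to a flow only where the scenario states it for that flow.

```python
"""
Added example: a minimal data-flow model of the warehouse/client scenario.
Lists the flows that cross a trust boundary and applies STRIDE-per-element.
Zone names, element names and CONTROL_COVERS are assumptions for illustration.
"""
from dataclasses import dataclass

# STRIDE-per-element: threat categories that normally apply to each element type.
# S=spoofing T=tampering R=repudiation I=information disclosure
# D=denial of service E=elevation of privilege
STRIDE_PER_ELEMENT = {
    "external": "SR",
    "process": "STRIDE",
    "store": "TRID",
    "flow": "TID",
}

# STRIDE letters a stated control addresses on a data flow (assumption).
CONTROL_COVERS = {
    "TLS": "TI",          # server-authenticated; confidentiality and integrity in transit
    "mutual TLS": "STI",  # both ends authenticated, so a spoofed client is covered too
    "AES at rest": "I",   # disclosure of stored data
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # external | process | store
    zone: str   # trust zone the element sits in (assumption)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    label: str
    controls: tuple = ()  # controls the scenario states for this flow


# Elements taken from the scenario; zone placement is an assumption.
ELEMENTS = {e.name: e for e in (
    Element("Warehouse employee", "external", "warehouse floor"),
    Element("Scanner app", "process", "warehouse device"),
    Element("IdP", "process", "enterprise network"),
    Element("IDM", "store", "enterprise network"),
    Element("Web API", "process", "enterprise network"),
    Element("Product and order data", "store", "enterprise network"),
    Element("ERP", "process", "enterprise network"),
    Element("HSM", "store", "hardware module"),
    Element("Client browser", "external", "internet"),
    Element("Web app", "process", "cloud"),
    Element("Static content", "store", "cloud"),
    Element("Email service", "external", "internet"),
)}

# Data flows from the scenario; a control is listed only where the text states it.
FLOWS = (
    Flow("Warehouse employee", "Scanner app", "username/password, barcode scans"),
    Flow("Scanner app", "IdP", "SAML authentication assertion"),
    Flow("Scanner app", "Web API", "product lookup, order picking, inventory override", ("mutual TLS",)),
    Flow("IdP", "IDM", "credential verification"),
    Flow("Client browser", "Web app", "credentials, optional SMS code, cart and orders", ("TLS",)),
    Flow("Web app", "IdP", "WebAuthn authentication"),
    Flow("Web app", "Web API", "product queries, cart, orders", ("TLS",)),
    Flow("Web API", "Product and order data", "products, pricing, discounts, orders", ("AES at rest",)),
    Flow("Web API", "ERP", "inventory and order sync"),
    Flow("Web API", "HSM", "database key operations"),
    Flow("Static content", "Web app", "images and other static assets"),
    Flow("Web app", "Email service", "order confirmation with tracking info"),
)


def crossings(flows=FLOWS, elements=ELEMENTS):
    """Flows whose two endpoints sit in different trust zones (Step 5)."""
    return [f for f in flows if elements[f.src].zone != elements[f.dst].zone]


def element_threats(name, elements=ELEMENTS):
    """STRIDE letters that apply to an element by its type."""
    return STRIDE_PER_ELEMENT[elements[name].kind]


def open_threats(flow, covers=CONTROL_COVERS):
    """STRIDE letters that apply to a data flow and that no stated control addresses."""
    mitigated = set()
    for control in flow.controls:
        mitigated.update(covers.get(control, ""))
    return "".join(c for c in STRIDE_PER_ELEMENT["flow"] if c not in mitigated)


def find_flow(src, dst, flows=FLOWS):
    return next(f for f in flows if f.src == src and f.dst == dst)


def stated_controls(flows=FLOWS):
    """Distinct controls the scenario states, for the Step 7 summary list."""
    return sorted({c for f in flows for c in f.controls})


def report(flows=FLOWS, elements=ELEMENTS):
    """One line per boundary crossing: zones, stated controls, unaddressed STRIDE letters."""
    lines = []
    for f in crossings(flows, elements):
        lines.append(f"{f.src} -> {f.dst} [{f.label}]: "
                     f"{elements[f.src].zone} -> {elements[f.dst].zone}; "
                     f"controls={list(f.controls) or 'none stated'}; "
                     f"open={open_threats(f) or '-'}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
    print("Controls stated in the scenario:", ", ".join(stated_controls()))
```

Running the script prints one line per boundary crossing; a crossing with an empty control list and `open=TID` is a candidate for the Step 6 analysis, and the `open` letters are the gaps the proposed controls in Step 7 should close. Denial of service stays open on every flow because none of the stated controls addresses availability, which is the expected result of the mapping rather than a defect of the scenario.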