Threat Model

Due at the scheduled final time.

Create a threat model for the SSB application. Obviously, it will be a black box threat model.

You only need to sections 7-14 as they are numbered on the topic slides. You may notice that 14 is actually numbered 15.

You are not going to be able to create a complete Threat Model, and I don't expect it. Give me a list of threats and then maybe one Threat Tree and one Abuse Case.

No one does TT or AC for every threat, it's too much labor. Instead, give a list like this:

• It might be possible for an attacker to capture a cookie and reuse it.
• An attacker might be possible for an attacker to use SQL Injection to drop a table in the database.
• Cross-site request forgery might be possible on the View Accounts page.

and so on. If you can come up with 10 of these, you are in the ballpark.

Normally, in a black-box test, you use this list to plan your testing procedures. If you're designing, you use it to plan your mitigations.