StellarPay Digital Banking Assessment


Assignment Overview

Instructions:

You are required to perform a threat modelling exercise for the web application using Threat Dragon. You may choose to:

  • Create your own web application that meets the needs described in the scenario, or
  • Select an existing web application with similar functionalities to StellarPay Digital Banking’s platform.

Threat Dragon is an open-source threat modelling tool provided by OWASP. The tool supports various threat modelling frameworks, but for this project, we will be using it for STRIDE.

Using Threat Dragon, create an initial threat model for the selected web application.

  1. Identify and document the application’s assets.
  2. Define the scope of the threat model, including entry points, data flows, and trust boundaries relevant to StellarPay’s web application.
  3. Justify your choices and explain their relevance to the security of the web application.

Identify and classify potential threats to the web application using Threat Dragon.

  1. Apply STRIDE to identify threats targeting StellarPay’s web application components.
  2. Document each identified threat by providing a brief description of the affected components and their classification under the STRIDE model.
  3. Prioritise the identified threats based on their potential impact on financial transactions and likelihood of exploitation.

Question 3

Conduct a vulnerability analysis and propose mitigation strategies for the identified threats.

  1. Use Threat Dragon to analyse the vulnerabilities associated with each identified threat in the StellarPay web application.
  2. Propose specific mitigation measures for each vulnerability, covering both technical and administrative controls to enhance the security of the platform.
  3. Evaluate the effectiveness of each proposed mitigation, considering its strengths, potential trade-offs, and limitations in a real-world financial system.

Question 4

Update and refine the threat model in Threat Dragon, incorporating improvements based on your vulnerability analysis and proposed mitigation strategies. Ensure that all security enhancements and newly identified risks are reflected in the updated model.

Assessment Requirements – Brief Summary

The assessment required students to perform a threat modelling exercise for a web application, either by creating a new application or selecting one with functionalities similar to StellarPay Digital Banking. The assessment was structured around the STRIDE threat modelling framework using OWASP Threat Dragon and included the following key requirements:

  1. Initial Threat Model Creation (6 Marks):

    • Choose or design a web application.

    • Create an initial threat model in Threat Dragon.

  2. Asset Identification (8 Marks):

    • Identify and document the application’s assets.

  3. Scope Definition (10 Marks):

    • Define the threat model scope: entry points, data flows, trust boundaries.

  4. Justification (6 Marks):

    • Explain the relevance of assets, entry points, and trust boundaries for security.

  5. Threat Identification (6 Marks) and Documentation (8 Marks):

    • Identify potential threats using STRIDE.

    • Document each threat with affected components and STRIDE classification.

  6. Threat Prioritization (6 Marks):

    • Rank threats based on impact on financial transactions and likelihood of exploitation.

  7. Vulnerability Analysis and Mitigation (10 + 10 + 10 Marks):

    • Analyse vulnerabilities for each threat.

    • Propose mitigation strategies (technical and administrative).

    • Evaluate the effectiveness, strengths, trade-offs, and limitations of mitigations.

  8. Threat Model Update (20 Marks):

    • Refine the threat model incorporating vulnerabilities, mitigations, and security improvements.

Step-by-Step Approach by the Academic Mentor

The Academic Mentor guided the student through a structured approach to ensure all assessment requirements were met efficiently:

Step 1: Understanding the Assessment & Platform

  • The mentor first explained the purpose of threat modelling, focusing on STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege).

  • Introduced the student to Threat Dragon and demonstrated its interface and functionalities.

  • The student was advised to either create a web application or select an existing one similar to StellarPay for realism.

Step 2: Initial Threat Model & Asset Identification

  • Using Threat Dragon, the student created a diagram of the web application architecture.

  • The mentor guided the student to identify critical assets, such as user credentials, transaction data, and account balances.

  • Each asset was documented with its importance and role in the system.

Step 3: Defining Scope and Trust Boundaries

  • The mentor explained entry points, data flows, and trust boundaries within the web application.

  • The student mapped out how data moves through the application, marking areas where users, external services, or databases interact.

  • Guidance was provided on justifying why these areas were critical to security.

Step 4: Threat Identification & STRIDE Classification

  • The student applied the STRIDE model to each application component.

  • For each potential threat, the student documented:

    • The affected component

    • Threat type (e.g., Spoofing, Tampering)

    • Potential impact on the system

  • The mentor reviewed the threats, ensuring all significant risks were covered and properly categorized.

Step 5: Threat Prioritization

  • The mentor taught the student how to rank threats by assessing their potential impact on financial transactions and likelihood of exploitation.

  • A risk matrix approach was used to assign high, medium, or low priority to each threat.

Step 6: Vulnerability Analysis and Mitigation

  • For each threat, the student performed a vulnerability analysis using Threat Dragon.

  • The mentor guided the student to propose mitigation strategies, including:

    • Technical controls (e.g., multi-factor authentication, encryption)

    • Administrative controls (e.g., staff training, access policies)

  • The mentor helped the student evaluate each mitigation, discussing its effectiveness, trade-offs, and implementation limitations in a real-world banking system.

Step 7: Refining the Threat Model

  • The mentor instructed the student to update the Threat Dragon model to incorporate mitigations and newly identified risks.

  • The student ensured that the final threat model reflected:

    • All assets, entry points, and trust boundaries

    • Classified threats with prioritization

    • Proposed mitigations and residual risks
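The Step 4 to Step 7 workflow above, as an added worked example that is not part of the original page or of Threat Dragon itself: a small threat register for a constructed StellarPay-style application, with STRIDE classification, a 3x3 impact-by-likelihood risk matrix for prioritisation, and residual priority after the proposed mitigations. The component names, scores and mitigations are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# STRIDE categories used to classify each documented threat.
STRIDE = ("Spoofing", "Tampering", "Repudiation",
          "Information Disclosure", "Denial of Service", "Elevation of Privilege")
LEVEL = {"low": 1, "medium": 2, "high": 3}  # ordinal scale for the risk matrix

@dataclass
class Threat:
    component: str        # affected component (entry point, data flow or trust boundary)
    category: str         # one STRIDE category
    description: str
    impact: str           # impact on financial transactions: low / medium / high
    likelihood: str       # likelihood of exploitation: low / medium / high
    mitigations: list = field(default_factory=list)
    residual_likelihood: str = ""  # likelihood assessed after mitigations are applied

    def __post_init__(self):
        assert self.category in STRIDE, f"not a STRIDE category: {self.category}"

def priority(impact: str, likelihood: str) -> str:
    """3x3 risk matrix: score = impact * likelihood, bucketed to high / medium / low."""
    score = LEVEL[impact] * LEVEL[likelihood]
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

def rank(threats):
    """Highest-priority threats first; ties broken by impact on financial transactions."""
    return sorted(threats, reverse=True,
                  key=lambda t: (LEVEL[t.impact] * LEVEL[t.likelihood], LEVEL[t.impact]))

def residual(t: Threat) -> str:
    """Priority remaining after mitigations; unchanged if no residual likelihood was assessed."""
    return priority(t.impact, t.residual_likelihood or t.likelihood)

# Constructed sample register for a StellarPay-style banking application (illustrative values only).
REGISTER = [
    Threat("Login form", "Spoofing", "Customer account accessed with stolen credentials",
           "high", "high", ["Multi-factor authentication", "Account lockout policy"], "low"),
    Threat("Transfer API", "Tampering", "Transfer amount or payee altered between browser and server",
           "high", "medium", ["TLS", "Server-side validation and transaction signing"], "low"),
    Threat("Audit log", "Repudiation", "Customer denies having initiated a transfer",
           "medium", "medium", ["Tamper-evident logging", "Transaction confirmation records"], "low"),
    Threat("Account database", "Information Disclosure", "Balances exposed by misconfigured access",
           "high", "low", ["Encryption at rest", "Least-privilege database roles"], "low"),
    Threat("Payment gateway", "Denial of Service", "Transaction endpoint overloaded at peak hours",
           "medium", "high", ["Rate limiting", "Capacity monitoring"], "medium"),
    Threat("Admin console", "Elevation of Privilege", "Support staff reach administrator functions",
           "high", "low", ["Role-based access control", "Periodic access review"], "low"),
]

if __name__ == "__main__":
    for t in rank(REGISTER):
        print(f"{priority(t.impact, t.likelihood):6} -> residual {residual(t):6} | {t.category}: {t.component}")
```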

Outcome Achieved

By following this structured approach, the student successfully:

  • Created a comprehensive initial threat model for the web application.

  • Identified all critical assets and potential threats using STRIDE.

  • Defined the scope and trust boundaries with justifications.

  • Conducted a vulnerability analysis and proposed effective mitigation strategies.

  • Updated the threat model to reflect all security improvements.

Learning Objectives Covered

  1. Application Security Awareness: Understanding the security posture of web applications.

  2. Threat Modelling Skills: Applying STRIDE and using Threat Dragon for practical threat assessment.

  3. Risk Assessment & Prioritization: Evaluating threats based on impact and likelihood.

  4. Mitigation Strategy Development: Proposing technical and administrative solutions.

  5. Analytical Thinking: Linking theoretical knowledge to practical security challenges.

  6. Documentation & Communication: Clearly documenting threats, vulnerabilities, and mitigation measures in a professional format.

Get the Help You Need to Ace Your Assignments

Struggling with your assignment? You can download our sample solution to gain insights, understand the structure, and see how a high-quality submission looks. Remember: The sample is provided for reference purposes only. Submitting it as your own work can lead to plagiarism issues.

Looking for a completely safe, plagiarism-free solution? Our team of professional academic writers can create a custom-written assignment tailored to your requirements. Enjoy the benefits of ordering a fresh solution:

  • Original content crafted specifically for your brief

  • 100% plagiarism-free and academically formatted

  • Delivered on time to meet your submission deadlines

  • Expertly researched to ensure high-quality, reliable answers

Protect your grades, learn effectively, and save time with our professional services.
