Guest User

Threat Model

a guest
Oct 29th, 2025
81
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 19.18 KB | Help | 0 0
  1. {
  2. "version": "2.2.0",
  3. "summary": {
  4. "title": "My Premium Dealership",
  5. "owner": "Jr. Security Engineer",
  6. "description": "\"My Premium Dealership\" is a B2C application with a micro-service architecture that allows users to request mechanic services for their vehicle. ",
  7. "id": 0
  8. },
  9. "detail": {
  10. "contributors": [
  11. {
  12. "name": "Iman (Infra)"
  13. },
  14. {
  15. "name": "Devon (Development)"
  16. },
  17. {
  18. "name": "Suzy (Security)"
  19. },
  20. {
  21. "name": "Greta (GRC)"
  22. },
  23. {
  24. "name": "Sal (Stakeholder)"
  25. }
  26. ],
  27. "diagrams": [
  28. {
  29. "id": 0,
  30. "title": "mypremiumdealership.com",
  31. "diagramType": "STRIDE",
  32. "placeholder": "New STRIDE diagram description",
  33. "thumbnail": "./public/content/images/thumbnail.stride.jpg",
  34. "version": "2.2.0",
  35. "cells": [
  36. {
  37. "position": {
  38. "x": -10.000000000000156,
  39. "y": 110.00000000000014
  40. },
  41. "size": {
  42. "width": 180,
  43. "height": 130
  44. },
  45. "shape": "trust-boundary-box",
  46. "attrs": {
  47. "headerText": {
  48. "text": "Public Network"
  49. }
  50. },
  51. "zIndex": -1,
  52. "id": "08345bac-7f6f-425e-8a96-a203b6722bc8",
  53. "data": {
  54. "type": "tm.BoundaryBox",
  55. "name": "Public Network",
  56. "description": "",
  57. "isTrustBoundary": true,
  58. "hasOpenThreats": false
  59. }
  60. },
  61. {
  62. "position": {
  63. "x": 234.9999999999999,
  64. "y": 0
  65. },
  66. "size": {
  67. "width": 360,
  68. "height": 360
  69. },
  70. "shape": "trust-boundary-box",
  71. "attrs": {
  72. "headerText": {
  73. "text": "Data Center (Protected)"
  74. }
  75. },
  76. "zIndex": -1,
  77. "id": "9708d85d-4475-4d31-98ba-7f890f487940",
  78. "data": {
  79. "type": "tm.BoundaryBox",
  80. "name": "Data Center (Protected)",
  81. "description": "",
  82. "isTrustBoundary": true,
  83. "hasOpenThreats": false
  84. }
  85. },
  86. {
  87. "position": {
  88. "x": 670,
  89. "y": 130.0000000000001
  90. },
  91. "size": {
  92. "width": 230,
  93. "height": 160
  94. },
  95. "shape": "trust-boundary-box",
  96. "attrs": {
  97. "headerText": {
  98. "text": "Data Center (Restricted)"
  99. }
  100. },
  101. "zIndex": -1,
  102. "id": "a69562de-853a-4eca-8008-d0a2edf3ac6e",
  103. "data": {
  104. "type": "tm.BoundaryBox",
  105. "name": "Data Center (Restricted)",
  106. "description": "",
  107. "isTrustBoundary": true,
  108. "hasOpenThreats": false
  109. }
  110. },
  111. {
  112. "position": {
  113. "x": 20,
  114. "y": 150
  115. },
  116. "size": {
  117. "width": 112.5,
  118. "height": 60
  119. },
  120. "attrs": {
  121. "text": {
  122. "text": "User"
  123. },
  124. "body": {
  125. "stroke": "red",
  126. "strokeWidth": 2.5,
  127. "strokeDasharray": null
  128. }
  129. },
  130. "visible": true,
  131. "shape": "actor",
  132. "zIndex": 2,
  133. "id": "97f211c4-cd4b-411e-8479-e60cf7ff21c6",
  134. "data": {
  135. "type": "tm.Actor",
  136. "name": "User",
  137. "description": "",
  138. "outOfScope": false,
  139. "reasonOutOfScope": "",
  140. "hasOpenThreats": true,
  141. "providesAuthentication": true,
  142. "threats": [
  143. {
  144. "id": "e2cb57d6-ab78-4dc1-8e0c-2c91e982609a",
  145. "title": "Account Takeover",
  146. "status": "Open",
  147. "severity": "Medium",
  148. "type": "Spoofing",
  149. "description": "MFA not yet implemented.",
  150. "mitigation": "Provide remediation for this threat or a reason if status is N/A",
  151. "modelType": "STRIDE",
  152. "new": false,
  153. "number": 13,
  154. "score": ""
  155. }
  156. ]
  157. }
  158. },
  159. {
  160. "shape": "flow",
  161. "attrs": {
  162. "line": {
  163. "stroke": "#333333",
  164. "targetMarker": {
  165. "name": "block"
  166. },
  167. "sourceMarker": {
  168. "name": "block"
  169. },
  170. "strokeDasharray": null
  171. }
  172. },
  173. "width": 200,
  174. "height": 100,
  175. "zIndex": 10,
  176. "connector": "smooth",
  177. "data": {
  178. "type": "tm.Flow",
  179. "name": "Data Flow",
  180. "description": "",
  181. "outOfScope": false,
  182. "reasonOutOfScope": "",
  183. "hasOpenThreats": false,
  184. "isBidirectional": true,
  185. "isEncrypted": false,
  186. "isPublicNetwork": false,
  187. "protocol": "",
  188. "threats": []
  189. },
  190. "id": "efca1f7d-585b-464c-a248-115e47faa17e",
  191. "source": {
  192. "cell": "c12ebdc9-5206-4a36-bed1-393ef6b33c54"
  193. },
  194. "target": {
  195. "cell": "f3b93565-510d-4b23-9726-2e0e233e7e2c"
  196. }
  197. },
  198. {
  199. "shape": "flow",
  200. "attrs": {
  201. "line": {
  202. "stroke": "#333333",
  203. "targetMarker": {
  204. "name": "block"
  205. },
  206. "sourceMarker": {
  207. "name": "block"
  208. },
  209. "strokeDasharray": null
  210. }
  211. },
  212. "width": 200,
  213. "height": 100,
  214. "zIndex": 10,
  215. "connector": "smooth",
  216. "data": {
  217. "type": "tm.Flow",
  218. "name": "Data Flow",
  219. "description": "",
  220. "outOfScope": false,
  221. "reasonOutOfScope": "",
  222. "hasOpenThreats": false,
  223. "isBidirectional": true,
  224. "isEncrypted": false,
  225. "isPublicNetwork": false,
  226. "protocol": "",
  227. "threats": []
  228. },
  229. "id": "ac9a30dc-b439-4149-adf3-b1ebf9bcce7e",
  230. "source": {
  231. "cell": "966a7aaa-80b9-4a8b-9eb6-197286fffa1c"
  232. },
  233. "target": {
  234. "cell": "f3b93565-510d-4b23-9726-2e0e233e7e2c"
  235. }
  236. },
  237. {
  238. "shape": "flow",
  239. "attrs": {
  240. "line": {
  241. "stroke": "#333333",
  242. "targetMarker": {
  243. "name": "block"
  244. },
  245. "sourceMarker": {
  246. "name": "block"
  247. },
  248. "strokeDasharray": null
  249. }
  250. },
  251. "width": 200,
  252. "height": 100,
  253. "zIndex": 10,
  254. "connector": "smooth",
  255. "data": {
  256. "type": "tm.Flow",
  257. "name": "Data Flow",
  258. "description": "",
  259. "outOfScope": false,
  260. "reasonOutOfScope": "",
  261. "hasOpenThreats": false,
  262. "isBidirectional": true,
  263. "isEncrypted": false,
  264. "isPublicNetwork": false,
  265. "protocol": "",
  266. "threats": []
  267. },
  268. "id": "f466a83e-5153-4c30-83da-d972fae05a78",
  269. "source": {
  270. "cell": "9eb5724a-c842-41c7-b1f2-1b695d8ac41c"
  271. },
  272. "target": {
  273. "cell": "966a7aaa-80b9-4a8b-9eb6-197286fffa1c"
  274. }
  275. },
  276. {
  277. "shape": "flow",
  278. "attrs": {
  279. "line": {
  280. "stroke": "#333333",
  281. "targetMarker": {
  282. "name": "block"
  283. },
  284. "sourceMarker": {
  285. "name": ""
  286. },
  287. "strokeDasharray": null
  288. }
  289. },
  290. "width": 200,
  291. "height": 100,
  292. "zIndex": 10,
  293. "connector": "smooth",
  294. "data": {
  295. "type": "tm.Flow",
  296. "name": "Data Flow",
  297. "description": "",
  298. "outOfScope": false,
  299. "reasonOutOfScope": "",
  300. "hasOpenThreats": false,
  301. "isBidirectional": false,
  302. "isEncrypted": false,
  303. "isPublicNetwork": false,
  304. "protocol": "",
  305. "threats": []
  306. },
  307. "id": "8cf43907-0b42-4c9d-882e-d6c4c7630b1b",
  308. "source": {
  309. "cell": "c12ebdc9-5206-4a36-bed1-393ef6b33c54"
  310. },
  311. "target": {
  312. "x": 481.25,
  313. "y": -49.999999999999886
  314. }
  315. },
  316. {
  317. "shape": "flow",
  318. "attrs": {
  319. "line": {
  320. "stroke": "#333333",
  321. "targetMarker": {
  322. "name": "block"
  323. },
  324. "sourceMarker": {
  325. "name": ""
  326. },
  327. "strokeDasharray": null
  328. }
  329. },
  330. "width": 200,
  331. "height": 100,
  332. "zIndex": 10,
  333. "connector": "smooth",
  334. "data": {
  335. "type": "tm.Flow",
  336. "name": "Data Flow",
  337. "description": "",
  338. "outOfScope": false,
  339. "reasonOutOfScope": "",
  340. "hasOpenThreats": false,
  341. "isBidirectional": false,
  342. "isEncrypted": false,
  343. "isPublicNetwork": false,
  344. "protocol": "",
  345. "threats": []
  346. },
  347. "id": "09282406-4652-48e0-a164-72de003bd559",
  348. "source": {
  349. "cell": "c12ebdc9-5206-4a36-bed1-393ef6b33c54"
  350. },
  351. "target": {
  352. "x": 481.25,
  353. "y": -49.999999999999886
  354. }
  355. },
  356. {
  357. "shape": "flow",
  358. "attrs": {
  359. "line": {
  360. "stroke": "#333333",
  361. "targetMarker": {
  362. "name": "block"
  363. },
  364. "sourceMarker": {
  365. "name": "block"
  366. },
  367. "strokeDasharray": null
  368. }
  369. },
  370. "width": 200,
  371. "height": 100,
  372. "zIndex": 10,
  373. "connector": "smooth",
  374. "data": {
  375. "type": "tm.Flow",
  376. "name": "Data Flow",
  377. "description": "",
  378. "outOfScope": false,
  379. "reasonOutOfScope": "",
  380. "hasOpenThreats": false,
  381. "isBidirectional": true,
  382. "isEncrypted": false,
  383. "isPublicNetwork": false,
  384. "protocol": "",
  385. "threats": []
  386. },
  387. "id": "623b7cbd-20b1-4149-be25-42cf17466c04",
  388. "source": {
  389. "cell": "9eb5724a-c842-41c7-b1f2-1b695d8ac41c"
  390. },
  391. "target": {
  392. "cell": "c12ebdc9-5206-4a36-bed1-393ef6b33c54"
  393. },
  394. "vertices": []
  395. },
  396. {
  397. "shape": "flow",
  398. "attrs": {
  399. "line": {
  400. "stroke": "red",
  401. "strokeWidth": 2.5,
  402. "targetMarker": {
  403. "name": "block"
  404. },
  405. "sourceMarker": {
  406. "name": "block"
  407. },
  408. "strokeDasharray": null
  409. }
  410. },
  411. "width": 200,
  412. "height": 100,
  413. "zIndex": 10,
  414. "connector": "smooth",
  415. "data": {
  416. "type": "tm.Flow",
  417. "name": "Web Traffic",
  418. "description": "",
  419. "outOfScope": false,
  420. "reasonOutOfScope": "",
  421. "hasOpenThreats": true,
  422. "isBidirectional": true,
  423. "isEncrypted": true,
  424. "isPublicNetwork": true,
  425. "protocol": "HTTPS",
  426. "threats": [
  427. {
  428. "id": "6cce44c1-09a5-436a-8c6e-76f0b8613e53",
  429. "title": "Credential Sniffing",
  430. "status": "Open",
  431. "severity": "Medium",
  432. "type": "Information disclosure",
  433. "description": "Unencrypted traffic exposes user credentials",
  434. "mitigation": "Implement HTTPS to encrypt data-in-transit",
  435. "modelType": "STRIDE",
  436. "new": false,
  437. "number": 16,
  438. "score": ""
  439. }
  440. ]
  441. },
  442. "id": "26203791-f7f3-4db5-99b9-bfada293e7f3",
  443. "labels": [
  444. "Web Traffic"
  445. ],
  446. "source": {
  447. "cell": "97f211c4-cd4b-411e-8479-e60cf7ff21c6"
  448. },
  449. "target": {
  450. "cell": "9eb5724a-c842-41c7-b1f2-1b695d8ac41c"
  451. }
  452. },
  453. {
  454. "position": {
  455. "x": 234.9999999999999,
  456. "y": 110.00000000000014
  457. },
  458. "size": {
  459. "width": 140,
  460. "height": 130
  461. },
  462. "attrs": {
  463. "text": {
  464. "text": "Web Client"
  465. },
  466. "body": {
  467. "stroke": "#333333",
  468. "strokeWidth": 1.5,
  469. "strokeDasharray": null
  470. }
  471. },
  472. "visible": true,
  473. "shape": "process",
  474. "zIndex": 11,
  475. "id": "9eb5724a-c842-41c7-b1f2-1b695d8ac41c",
  476. "data": {
  477. "type": "tm.Process",
  478. "name": "Web Client",
  479. "description": "",
  480. "outOfScope": false,
  481. "reasonOutOfScope": "",
  482. "hasOpenThreats": false,
  483. "handlesCardPayment": false,
  484. "handlesGoodsOrServices": false,
  485. "isWebApplication": false,
  486. "privilegeLevel": "",
  487. "threats": []
  488. }
  489. },
  490. {
  491. "position": {
  492. "x": 734.9999999999998,
  493. "y": 190.0000000000001
  494. },
  495. "size": {
  496. "width": 120,
  497. "height": 60
  498. },
  499. "attrs": {
  500. "text": {
  501. "text": "PostgreSQL"
  502. },
  503. "topLine": {
  504. "strokeWidth": 1.5,
  505. "strokeDasharray": null
  506. },
  507. "bottomLine": {
  508. "strokeWidth": 1.5,
  509. "strokeDasharray": null
  510. }
  511. },
  512. "visible": true,
  513. "shape": "store",
  514. "zIndex": 12,
  515. "id": "f3b93565-510d-4b23-9726-2e0e233e7e2c",
  516. "data": {
  517. "type": "tm.Store",
  518. "name": "PostgreSQL",
  519. "description": "",
  520. "outOfScope": false,
  521. "reasonOutOfScope": "",
  522. "hasOpenThreats": false,
  523. "isALog": false,
  524. "isEncrypted": false,
  525. "isSigned": false,
  526. "storesCredentials": false,
  527. "storesInventory": false,
  528. "threats": []
  529. }
  530. },
  531. {
  532. "position": {
  533. "x": 431.25,
  534. "y": 30.000000000000114
  535. },
  536. "size": {
  537. "width": 150,
  538. "height": 130
  539. },
  540. "attrs": {
  541. "text": {
  542. "text": "Identity API"
  543. },
  544. "body": {
  545. "stroke": "#333333",
  546. "strokeWidth": 1.5,
  547. "strokeDasharray": null
  548. }
  549. },
  550. "visible": true,
  551. "shape": "process",
  552. "zIndex": 21,
  553. "id": "c12ebdc9-5206-4a36-bed1-393ef6b33c54",
  554. "data": {
  555. "type": "tm.Process",
  556. "name": "Identity API",
  557. "description": "Handles user signup and login. Written in Java.",
  558. "outOfScope": false,
  559. "reasonOutOfScope": "",
  560. "hasOpenThreats": false,
  561. "handlesCardPayment": false,
  562. "handlesGoodsOrServices": false,
  563. "isWebApplication": false,
  564. "privilegeLevel": "",
  565. "threats": []
  566. }
  567. },
  568. {
  569. "position": {
  570. "x": 431.25,
  571. "y": 210
  572. },
  573. "size": {
  574. "width": 150,
  575. "height": 130
  576. },
  577. "attrs": {
  578. "text": {
  579. "text": "Workshop API"
  580. },
  581. "body": {
  582. "stroke": "#333333",
  583. "strokeWidth": 1.5,
  584. "strokeDasharray": null
  585. }
  586. },
  587. "visible": true,
  588. "shape": "process",
  589. "zIndex": 22,
  590. "id": "966a7aaa-80b9-4a8b-9eb6-197286fffa1c",
  591. "data": {
  592. "type": "tm.Process",
  593. "name": "Workshop API",
  594. "description": "Handles mechanic service requests using VIN and generates report using provided URL. Written in Python.",
  595. "outOfScope": false,
  596. "reasonOutOfScope": "",
  597. "hasOpenThreats": false,
  598. "handlesCardPayment": false,
  599. "handlesGoodsOrServices": false,
  600. "isWebApplication": false,
  601. "privilegeLevel": "",
  602. "threats": [
  603. {
  604. "id": "173052b2-5abf-4da5-931d-edaf4ee93972",
  605. "title": "Server-Side Request Forgery",
  606. "status": "Mitigated",
  607. "severity": "Medium",
  608. "type": "Tampering",
  609. "description": "The attacker can indirectly access other systems through request manipulation.",
  610. "mitigation": "Input validation. Disable URL redirection in the web client. Restrict network access via firewall rules.",
  611. "modelType": "STRIDE",
  612. "new": false,
  613. "number": 15,
  614. "score": ""
  615. }
  616. ]
  617. }
  618. }
  619. ],
  620. "description": "Threat Model for \"My Premium Dealership,\" a microservice architecture B2C application."
  621. }
  622. ],
  623. "diagramTop": 4,
  624. "reviewer": "Sr. Security Engineer",
  625. "threatTop": 18
  626. }
  627. }
Advertisement
Add Comment
Please, Sign In to add comment