In the previous lab, you created a Kanban Board. One of the tasks you created in Module-2 should be to perform threat modeling for the blog website you have been developing for your customer. You decided to perform threat modeling after the vulnerability management team discovered a critical vulnerability on the web service.
Please read the following articles:
https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling
A short case:
https://docs.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-getting-started
A detailed case, learn more about the approach to threat modeling in this article:
You will use Microsoft Threat Modeling Tool in this lab. Familiarize yourself with the tool by reviewing this page:
https://docs.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-feature-overview
Access to Microsoft Threat Modeling Tool:
1) If you want to run it on your Windows machine, you can download it from https://aka.ms/threatmodelingtool and run the tool on your personal computer.
2) Alternatively, you can reserve the Windows 10 instance in the Netlab environment (https://netlab.franklin.edu). Please refer to the Netlab Reservation Instructions for access details.
1. Double-click the Microsoft Threat Modeling 2016 icon on the desktop.
2. Click the Browse button and select the Azure Cloud Services file.
3. Click Create A Model.
4. Please refer to the "Microsoft Threat Modeling Tool 2016 Guidance" section of this document to get guidance on using the threat modeler tool.
There is no single solution for this lab. After carefully reading the description given in the introduction section of this lab instruction, draw a DFD that shows Data stores, Processes, Interactors, Data flows, and Trust boundaries. Take a screenshot of the DFD.
1. Switch to analysis view.
2. Review all of the threats that are automatically devised by the tool.
3. Add two more threats.
Take a screenshot of the new threats.
1. For the threats you added, change the status to Mitigated and fill out the "Possible Mitigations" section.
2. Choose one threat, change the status to "Not Applicable". Fill out the justification section.
3. Choose another threat, change the status to "Need Investigation". Adjust the severity level and write a justification for it.
Take the screenshots that show the result of your actions.
1. Click the Reports menu and "Create Full Report".
2. Review the downloaded report.
1. Log into your Azure Board and create a task for the threat that needs investigation.
2. Take a screenshot of the Azure board showing the tasks.
Submit the Full Report and screenshots.
The figure below shows how to switch to analysis view.
In the analysis view, you see some generic threats, as shown below.
Right-click on the objects you created (Sample objects: “Request”, “Response,” and Trust Boundaries). You will see the "Add User-defined Threat" option.
Once you click on "Add User-defined Threat", the threat list will show the new threat (1).
Fill out the details of the new threat (2).