Security Assessment Demo

STRIDE threat modeling and vulnerability triage walkthrough

Sample Application: E-Commerce Platform

STRIDE Threat Analysis

Category Threat Likelihood Impact Risk Score Status Action
Spoofing Attacker impersonates user Medium High 7/10 ⚠️ Needs MFA
Tampering Cart price manipulation High High 9/10 🔴 Critical
Repudiation User denies order Low Medium 4/10 ✅ Logging adequate
Info Disclosure Payment data leak Medium Critical 9/10 🔴 Critical
DoS API rate limit abuse High Medium 6/10 ⚠️ Needs rate limiting
Elevation Admin access bypass Low Critical 7/10 ⚠️ Needs RBAC audit

Threat Details

Vulnerability Triage Simulation

Step 1: Verify Findings

Input: Raw scanner output (10 findings)

SQL Injection in /api/products ✅ REAL
XSS in /admin ❌ FALSE POSITIVE
CSRF missing on /api/cart ✅ REAL

Step 2: Deduplicate

Merged 3 duplicate SQL injection reports → 1 unique finding

Step 3: Rank by Exploitability

1. SQL Injection 9/10 - Public endpoint, easy to exploit
2. CSRF on cart 6/10 - Requires user interaction
3. Weak password policy 4/10 - Low immediate risk

Step 4: Route to Owner

SQL Injection → Backend team (URGENT)
CSRF → Frontend team (HIGH)
Password policy → Security team (MEDIUM)

Risk Assessment Matrix

Impact ↓ / Likelihood →
Low
Medium
High
High
M
H
C
Medium
L
M
H
Low
L
L
M