Practical 2

Use Case Diagram & Threat Modelling

1. Preamble
Students practise security analysis using STRIDE and DREAD Model. Students
identify abuse use cases for the given scenario with the given use case diagram.

2. Security Analysis of Online Webstore

On-line Webstore is a web application that can be accessed by the store’s registered
customer, whereby each customer can view and purchase product. The customer
must first log-in into the system using their user id and password kept in their
account before they make any purchase.

Perform the following tasks in groups

 Identify abuse use cases by performing threat modelling using STRIDE
and DREAD.

Secure Web Applications Page 1 of 14

 ^^ DREAD was later discontinued by Microsoft in 2008 as the ratings are not very
consistent. However, DREAD can still be threat assessed with rating of 1 to 10. The sum
of all ratings for a given issue can be used to prioritize different issues.
 Identify mitigation controls.
----------THE-END----------

4. Threat modelling using Microsoft Threat Modelling Tool using

STRIDE.

4.1 Install Microsoft Threat Modelling Tool in the VM (applicable if you are installing in local
drive)

Click on the link to install Microsoft Threat Modelling Tool

https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling

4.2 Threat Model of a typical web server application.

The intent of this lab is to use STRIDE Threat Model approach by modelling Data Flow Diagram
(DFD) or Process Flow Diagram (PFP) of a web application login page. The diagram below is
what you need to model in the Threat Modelling tool. The diagram below is to do a threat model
based on a typical web server application topology below. The Threat Modelling Tool will help to
identify potential threats.

4.3 Step by step installation procedure

1) During installation, click on “I AGREE” button

Secure Web Applications Page 2 of 14

 2) Click on “Let’s start!”

3) Click on the first box located at the top left-hand side. Choose the second selection: SDL (TM
Knowledge Base). Click in the box “Create A Model” to open a new template.

Secure Web Applications Page 3 of 14

 4) Click on the right panel under “Stencils” and select “SQL Database”. Drag the icon to the
center panel of the template. If you are not able to locate the stencil, go to
menu File > View > Stencils.

Secure Web Applications Page 4 of 14

 5) Successful launch will display the template.

6) Drag SQL database icon to the center of the template

7) Do the rest for the respective icon Human User, Web Service. Notice that Human User are
found under “General External Interactor”. Alternatively, you can search for the word “Human
User” at the top uppermost search field.

Secure Web Applications Page 5 of 14

 8) After dragging all the relevant icons, the data flow line called “Generic Data Flow” line
connector will need to be drawn to link one point to another.

9) Human User will access the web service via HTTPS request to the web service. You will
need to drag “HTTPS” line connector and click on any of dots available on “human user”.

Secure Web Applications Page 6 of 14

 10) The diagram below shows a successful link. You can drag the line to ensure all connected
interfaces are not broken

11) Web service will response back with “Web Response” connector. Click on the word “Generic
Data Flow” and connect from Web service to Human User.

Secure Web Applications Page 7 of 14

 12) Change the name of “Generic Data Flow” to “Web Response.” The name change must be
applied by issuing right click on the “Generic Data Flow” in the template. Change the name
from Generic Data Flow to Web Response

13) Changing the attribute of the SQL database in the element properties.

Secure Web Applications Page 8 of 14

 14) Changing the attribute of the web service

15) Create trust boundary. You will need to create a trust boundary where the Human user will
require to have internet remote access. Use “Internet Boundary”

Secure Web Applications Page 9 of 14

 16) Create internal network boundary where internally web service interacts with SQL database.

Secure Web Applications Page 10 of 14

 17) Set the following attributes for “Database Request.”

18) Set the following attributes for HTTPS

Secure Web Applications Page 11 of 14

 19) Go to menu File > Save as > Week2lab

20) Run the analysis view. Go to View > Analysis View

Secure Web Applications Page 12 of 14

 21) The threat list will appear at the bottom panel of the template

22) Highlight all rows in the threat list and do a mouse right click. You can copy it into a
spreadsheet.

23) After reviewing each of the threats, the user can close off the item. As a threat analyst, the
user must update each record as either “not started”, “needs investigation”, “not applicable” or
“mitigated”. This will reduce the threat list

24) References taken from https://www.youtube.com/watch?v=lnvYlg4HOX4&t=1160s

Secure Web Applications Page 13 of 14

 25) How do I mitigate Threats?
Select any one of the threat lists and make changes to the system architecture

Secure Web Applications Page 14 of 14