Secure Development Lab1: Daniil Sinelnik

:::success # Threat modeling lab ### Name: Daniil Sinelnik ::: ## Task 1: Decompose the application To decompose the application i have decided to use windows application. ### Trust Levels Firstly i would like to introduce a Trust Levels table to fully understand what's going on: <center> ![image](https://hackmd.io/_uploads/SJULDSS5a.png) Description of each level ![image](https://hackmd.io/_uploads/B1cuwHBc6.png) Trust levels table </center> ### Entry Points Afther i have defined the trust level i have made an Entry points that contains the set of features with it's description and `Trust Level ID's`. <center> ![image](https://hackmd.io/_uploads/BkIodHrq6.png) </center> According to that table we can see that for user with invalid credentials are not allowed to do anything except of line 1,3 and 4. ### Data Flow Diagram <center> ![image](https://hackmd.io/_uploads/ryIyq4B5T.png) Data Flow Diagram </center> #### Clarification - To leave comment user should be authorized to complete this action. Annonymous user or user with invalid Login credentials are not allowed. - To post a video, user should be authorized to complete this action. Annonymous user or user with invalid Login credentials are not allowed. - Annonymous user are allowed ONLY to watch the page with listed videos and go to the authentication page. Nothing else are prohibbited and will be considered as unauthorized access. #### Use Case 1: Assuming that we have a human user on the left hand side and he want's to post a video. He enters the browser and after that he enters login and password to the Auth page. Browser sends a request to an API for LOG IN and reply's with `success` response. After that user decides to upload video, there goes 2 different requests. 1st request goes in Video Upload Servers with containing videofile, it goes to the QUEUE process and starting to uploading a video, meanwhile inserting it into cloud storage like Amazon S3 server. After the video stores, it proceeds with a callback to the origin server that video saved in Amazon S3 server. In the second request goes to SQL database where we have to create an entry with metadata of the video, like the name, of the video, ID, etc. And stores the path in the same Document that shows the path to the Video Object in Amazon S3 server that helps to find faster the video directly by the address. #### Use Case 2: Assuming the user want's to enter the web site to watch the video. He looks through the page of App Servers and made his decision, clicks on the video, then goes the SQL request for a particular video, it builds the query, sends it to the database and database returns the all respective data and metadata of the video, comments, etc. And the video itself from S3 storage goes direcly to the App Servers(i forgot to put the connection arrow between App Servers and Video Object Storage). #### Use Case 3: Assuming user want's to leave the comment and the entire system asks him for permission, is he authorized to do so or not. If yes, he writes the comment in the desired field and clicks the button, after that goes SQL request to insert the comment under desired video in database. If the user is not authorized, the system asks to go through the process of Authentication. ## Task 2: Determine threats <center> ![image](https://hackmd.io/_uploads/HyxwtHH56.png) Stride table </center>