Threat Model Collections

Featured Threat Model 03

A threat model of a rideshare app, created by the 2024 Hackathon Finalist team using a combination of STRIDE and LINDDUN GO as the primary methodologies.

The threat model

This threat model is the deliverable of one of the finalists of the 2023 Threat Modeling Hackathon.

The team is tasked with threat modeling a rideshare app based on this use case. They used a combination of STRIDE and LINDDUN GO as their primary methodologies.

Access the threat model: https://drive.google.com/file/d/1lffq0bSYeSmyTaW9Zh5ZArA3Q_nk445D/view?usp=sharing

The creators

Andrew Morehouse, Chris Ramirez, Duncan Hopewell, Nandita Rao Narla

Summary

Which threat modeling framework(s) used and why

We utilized STRIDE and LINDDUN GO, mostly because those were the models that the team had familiarity with.

Diagramming or thinking tool(s) used and why

LucidChart, because it was web based and allowed live collaboration.

What is the scope of the threat model?

Dataflow diagram

What are the top 3 threats you identified? What are the mitigation plans?

  1. Abuse of the machine learning-driven access and pickup points. In order to mitigate, allow for user overrides of points and use that as feedback to detect poor.
  2. The collection of personal documents leads to significant personal information exposure. In order to mitigate, minimize the amount of time that personal documents are stored, and minimize the linkability of these documents or other personal information.  In particular, limit the linkability within the analytics system.
  3. Denial of service against the demand service. The demand service uses web sockets, a resource-intensive technology, to have bi-directional communications. There isn’t any indication of a protective technology there that would prevent spamming.  Mitigation is simply adding protective technology to the data flow.

How did you prioritize the threats for mitigation?

After enumerating threats, each threat was given a likelihood and impact rating to determine inherent risk. Additionally, each threat was rated for a level of effort for mitigating those threats.  We then looked for the most risk reduction with the least effort.

How did you evaluate your threat model?

After completing the threat model, we looked at our overall process, identified where we struggled, and figured out how to characterize that in the retrospective section of our threat model.

Retrospective

If you were to give this threat model to the developer team, what do you think their reaction would be? How valuable do you think they’d find it?

The hope is always that the developer team will find it enlightening and useful. In this case, there were some limitations in the documentation provided that could have been solved with more developer interaction. The real value would have been found in building those relationships with the developers during the process and bringing their understanding into the final deliverable. They will likely be surprised, but hopefully, we have worded our threat model in such a way that it isn’t seen as an attack on their system.

What did you learn from this hackathon that will make you change/upgrade/refine the way you do threat modeling today?

Several of us on the team didn’t know that LINDDUN/LINDDUN GO existed. That really gave an artful way for us to include privacy concerns during the threat modeling process.

About the creators

The creators of this threat model is a team of one of the finalists of the 2023 Threat Modeling Hackathon. Let’s hear about their hackathon story.

Who are on your team?
  • Andrew Morehouse, Security and Compliance Analyst, Decisions, @VA, US
  • Chris Ramirez, Principle Software Security Engineer, Axway, @AZ, US
  • Duncan Hopewell, Application Security Engineer, Kubota North America, @TX, US (Captain)
  • Nandita Rao Narla, ​​Head of Technical Privacy and Governance, DoorDash, @CA, US

How did you work together?

Because we are all busy professionals, in different time zones, with different familial demands, we needed to figure out a way to work asynchronously with each other.  We were able to accomplish that via discussions in Slack, tracking progress in Trello, and accumulating results in Google Docs and Sheets.

What was the biggest challenge you faced? How did you overcome it?

“I believe the biggest challenge was making communication work despite differences in time zones. We overcame it by utilizing Slack and Google Drive to communicate with one another. For me, an aha moment was after looking at a diagram that Duncan had put together and realizing where I could begin the enumeration of vulnerabilities.” - Andrew Morehouse

About Threat Model Collections

In this content series, we publish and curate a variety of threat model examples. These models can come in different forms—whether graphical, textual, or even in code. They showcase a wide range of technologies, methodologies, and techniques.

Have a threat model you'd like to share with the community? Contribute it here.

About Threat Model Collections
In this content series, we’ll publish and curate different threat model examples. The threat models can take many forms, such as graphical, textual representations or code. The models use diverse technologies, methodologies and techniques.