feat(lab2): Threagile threat model + secure variant + auth flow

[aylixxx]

Goal

Complete Lab 2 by running a baseline OWASP Threagile threat model, analyzing identified risks, creating a secure variant of the architecture, and comparing risk levels before and after hardening.

Changes

• Added:

  • labs/lab2/threagile-model.yaml
  • labs/lab2/threagile-model-secure.yaml
  • submissions/lab2.md

• Modified:

  • Threat model configuration for the secure variant
  • Security controls on communication links and storage

• Removed:

  • Direct HTTP access from Browser to Application
  • Optional WebHook integration from the secure variant

Testing

Commands executed:

docker run --rm \
-v "$(pwd)/labs/lab2":/app/work \
threagile/threagile:0.9.1 \
-model /app/work/threagile-model.yaml \
-output /app/work/output

jq 'length' labs/lab2/output/risks.json

jq '[.[] | .severity] | group_by(.) | map({severity: .[0], count: length})' \
labs/lab2/output/risks.json

docker run --rm \
-v "$(pwd)/labs/lab2":/app/work \
threagile/threagile:0.9.1 \
-model /app/work/threagile-model-secure.yaml \
-output /app/work/output-secure

jq 'length' labs/lab2/output-secure/risks.json

jq '[.[] | .severity] | group_by(.) | map({severity: .[0], count: length})' \
labs/lab2/output-secure/risks.json

Observed results:

Baseline:
Total risks: 23
Elevated: 4
Medium: 14
Low: 5

Secure Variant:
Total risks: 15
Elevated: 1
Medium: 10
Low: 4

Risk reduction: 8 risks removed

Artifacts & Screenshots

• submissions/lab2.md
• labs/lab2/output/data-flow-diagram.png
• labs/lab2/output/data-asset-diagram.png
• labs/lab2/output-secure/risks.json

Checklist

• Title is clear (feat(lab2): threat modeling with threagile)
• No secrets/large temp files committed
• Submission file at submissions/lab2.md exists
• Task 1: Baseline Threat Model
• Task 2: Secure Variant & Diff
• Bonus Task