docs(lab2): Threagile threat modeling and risk analysis #381

Open
examplefirstaccount wants to merge 2 commits into inno-devops-labs:main from examplefirstaccount:feature/lab2

@examplefirstaccount

Goal

Complete Lab 2: Threat modeling OWASP Juice Shop v19.0.0 using Threagile to analyze baseline security posture and demonstrate risk reduction through encryption controls.

Changes

  • Edited baseline Threagile YAML model (threagile-model.yaml) for Juice Shop deployment
  • Generated baseline threat model with 23 identified risks across 15 categories
  • Analyzed top 5 risks using composite scoring methodology (Severity×100 + Likelihood×10 + Impact)
  • Created secure variant model (threagile-model.secure.yaml) with HTTPS and database encryption
  • Generated secure variant threat model showing 13.0% risk reduction (23→20 risks)
  • Performed risk category delta analysis comparing baseline vs secure architecture
  • Documented complete threat modeling analysis in labs/submission2.md
  • Added Python script (analyze_risks.py) for automated risk ranking and table generation

Testing

  • Verified Threagile Docker container execution for both baseline and secure models
  • Validated generated outputs: report.pdf, risks.json, stats.json, diagrams (PNG)
  • Confirmed risk.json parsing and composite score calculations using Python script
  • Executed jq delta comparison command to generate risk category comparison table
  • Reviewed PDF reports and diagrams for completeness and accuracy
  • Validated that HTTPS protocol changes eliminated unencrypted-communication risks (Δ=-2)
  • Confirmed database encryption reduced unencrypted-asset risks (Δ=-1)

Artifacts & Screenshots

  • labs/lab2/baseline/ — Baseline threat model outputs (report.pdf, risks.json, stats.json, diagrams)
  • labs/lab2/secure/ — Secure variant outputs with encryption controls applied
  • labs/lab2/threagile-model.yaml — Baseline architecture model
  • labs/lab2/threagile-model.secure.yaml — Secure architecture with HTTPS and encryption
  • labs/lab2/analyze_risks.py — Automated risk analysis script
  • labs/submission2.md — Complete threat modeling analysis and documentation

Checklist

  • Task 1 done — Threagile baseline model + risk analysis
  • Task 2 done — HTTPS variant + risk comparison analysis
  • PR has a clear, descriptive title
  • Documentation updated if needed
  • No secrets, credentials, or large temporary files committed
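
The composite ranking and risk category delta described in this PR, sketched as an added example; it is not the PR's analyze_risks.py. The field names follow Threagile's risks.json output, the ordinal weights are assumed (the description gives only the formula), and the sample risks are constructed.

```python
import json
from collections import Counter

# Assumed ordinal weights: the PR gives the formula but not these numbers.
SEVERITY = {"low": 1, "medium": 2, "elevated": 3, "high": 4, "critical": 5}
LIKELIHOOD = {"unlikely": 1, "likely": 2, "very-likely": 3, "frequent": 4}
IMPACT = {"low": 1, "medium": 2, "high": 3, "very-high": 4}

# Constructed sample in the shape of Threagile's risks.json (not the PR's data).
BASELINE = json.loads("""[
 {"category": "unencrypted-communication", "title": "browser to app",
  "severity": "elevated", "exploitation_likelihood": "likely", "exploitation_impact": "high"},
 {"category": "unencrypted-communication", "title": "proxy to app",
  "severity": "medium", "exploitation_likelihood": "likely", "exploitation_impact": "medium"},
 {"category": "unencrypted-asset", "title": "database",
  "severity": "medium", "exploitation_likelihood": "unlikely", "exploitation_impact": "medium"},
 {"category": "cross-site-scripting", "title": "app",
  "severity": "elevated", "exploitation_likelihood": "likely", "exploitation_impact": "medium"}
]""")
# Constructed secure variant: the encryption-related findings are gone.
SECURE = [r for r in BASELINE if not r["category"].startswith("unencrypted-")]

def composite(risk):
    """Severity*100 + Likelihood*10 + Impact, as stated in the PR description."""
    try:
        return (SEVERITY[risk["severity"]] * 100
                + LIKELIHOOD[risk["exploitation_likelihood"]] * 10
                + IMPACT[risk["exploitation_impact"]])
    except KeyError as exc:
        # Fail loudly on a missing field or unknown level instead of mis-ranking.
        raise ValueError(f"unscorable risk {risk.get('title', '?')!r}: {exc}") from exc

def top_risks(risks, n=5):
    # Highest score first; title breaks ties so the ranking is deterministic.
    return sorted(risks, key=lambda r: (-composite(r), r.get("title", "")))[:n]

def category_delta(baseline, secure):
    """Per-category change in risk count (secure minus baseline), changed categories only."""
    b = Counter(r["category"] for r in baseline)
    s = Counter(r["category"] for r in secure)
    return {c: s[c] - b[c] for c in sorted(set(b) | set(s)) if s[c] != b[c]}

def reduction_pct(baseline, secure):
    """Overall reduction in risk count, in percent, rounded to one decimal."""
    if not baseline:
        return 0.0
    return round(100 * (len(baseline) - len(secure)) / len(baseline), 1)

if __name__ == "__main__":
    for r in top_risks(BASELINE):
        print(composite(r), r["category"], r["title"])
    print(category_delta(BASELINE, SECURE), reduction_pct(BASELINE, SECURE))
```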
