Feature/lab2

[ellilin]

Goal

Complete Lab 2: Threat Modeling with Threagile for OWASP Juice Shop v19.0.0. This PR demonstrates automated threat modeling using Threagile's "threat-model-as-code" approach, comparing baseline vs secure architecture variants to quantify the impact of security controls (HTTPS encryption, transparent storage encryption).

Changes

• Threagile Baseline Model: Created YAML-based threat model for OWASP Juice Shop with HTTP communication and unencrypted storage
• Baseline Analysis: Generated comprehensive threat model report, identified top 5 risks using composite scoring methodology (Severity×100 + Likelihood×10 + Impact)
• Threagile Secure Variant: Implemented security controls:
  • Changed User Browser → Direct to App: HTTP → HTTPS
  • Changed Reverse Proxy → App: HTTP → HTTPS
  • Changed Persistent Storage: no encryption → transparent encryption
• Risk Comparison: Generated delta analysis showing 3 risks eliminated (13% reduction: 2× unencrypted-communication, 1× unencrypted-asset)
• Documentation: Created detailed labs/submission2.md with risk analysis, methodology, and security recommendations

Testing

• Threagile Generation: Successfully ran threagile/threagile Docker container for both baseline and secure variants
• Output Verification: Confirmed all expected artifacts generated (report.pdf, data-flow-diagram.png, data-asset-diagram.png, risks.json, stats.json, technical-assets.json)
• Risk Analysis: Validated composite scoring methodology across all identified risks
• Delta Comparison: Generated and verified risk category comparison using jq command from lab instructions

Artifacts & Screenshots

Generated Reports:

• Baseline: labs/lab2/baseline/report.pdf - Full PDF threat model report (6 pages)
• Secure: labs/lab2/secure/report.pdf - Full PDF threat model report with security controls (6 pages)

Diagrams:

• Baseline Data Flow: labs/lab2/baseline/data-flow-diagram.png (228 KB) - Shows HTTP communication links and trust boundaries
• Secure Data Flow: labs/lab2/secure/data-flow-diagram.png (228 KB) - Shows HTTPS communication links with security controls
• Data Asset Diagrams: labs/lab2/baseline/data-asset-diagram.png and labs/lab2/secure/data-asset-diagram.png

Risk Analysis:

• Top 5 Baseline Risks (from labs/submission2.md):
  1. Unencrypted Communication (Direct to App) - Score: 433
  2. Unencrypted Communication (Proxy to App) - Score: 432
  3. Cross-Site Scripting (XSS) - Score: 432
  4. Missing Authentication (Proxy to App) - Score: 432
  5. Cross-Site Request Forgery (CSRF) - Score: 334

Risk Category Delta Table:

Category	Baseline	Secure	Δ
unencrypted-asset	2	1	-1 ✅
unencrypted-communication	2	0	-2 ✅

Key Finding:

Implementing HTTPS and transparent encryption reduced total threat landscape by 3 risks (13%), demonstrating measurable security improvement from basic controls. However, application-level vulnerabilities (XSS, CSRF, SSRF) remain, highlighting need for defense-in-depth.

---

Checklist

• Clear title following conventional commits (e.g., feat:, fix:, docs:)
  • Title: docs: add lab2 submission - threat modeling with Threagile
• Documentation updated if needed
  • Created comprehensive labs/submission2.md with full analysis
• No secrets or large temporary files included
  • All artifacts are generated threat model outputs (PDFs, PNGs, JSONs)
  • YAML models contain no secrets (sample configuration only)

---

Lab Tasks Completed:

• Task 1 done — Threagile baseline model + risk analysis (6 pts)
• Task 2 done — HTTPS variant + risk comparison (4 pts)