Team Members:
- Karim Ossama Elmasry
- Youssef Mohamed Kamal
- Felopater Osama Eid
This project involved threat modeling for a university financial system as part of a software security course. The system includes a new web-based portal for students, integrated with existing internal systems and managed via Active Directory (AD). The project aimed to identify and mitigate security threats using Microsoft's Threat Modeling Tool (TMT) 2016.
The university requested a secure financial system with:
- A web portal for students to manage payments and view balances.
- Separate AD domains for staff and students.
- VPN-required access for staff; HTTPS-only access for students.
- Internal encryption, firewall protections, and patch management.
- 📌 Data Flow Diagram (DFD): Created using Microsoft TMT 2016 to model system logic, data paths, and trust boundaries.
- 🧾 Threat Report: Generated automatically by TMT, including 128 unique threats with mitigation strategies where applicable.
- 🌲 Attack Tree: A visual breakdown of how an attacker might steal financial information from the system.
- Microsoft Threat Modeling Tool 2016
- Microsoft PowerPoint (for presentation)
- Microsoft Word & PDF exports
- Identified high-priority threats including impersonation, remote code execution, and replay attacks.
- Proposed mitigations such as least privilege principles, input validation, and backup systems.
- Bonus: Developed a 3-level attack tree visualizing how financial data might be compromised.
- ✅ Detailed and accurate DFD
- ✅ Realistic and practical threat mitigations
- ✅ Complete TMT-generated report with system metadata
- ✅ Bonus Attack Tree included
- Submission Deadline: January 3, 2025
- Oral Presentation: January 4, 2025
🔗 Feel free to explore the files to see how we analyzed, modeled, and secured a critical university system.