Threat Model
Overview¶
FirstTry threat model uses STRIDE framework to identify, categorize, and assess threats to the application and platform integration.
STRIDE Analysis¶
| Threat | STRIDE | Mitigation | Residual Risk |
|---|---|---|---|
| Scope Escalation | Elevation of Privilege | Manifest.yml declares read-only scopes only; Forge enforces scope validation on requestJira() calls; CI gate blocks scope mutations | Low (platform-enforced) |
| API Mutation (POST/PUT/DELETE) | Tampering | Source code scans (resolver_scan.txt) verify no POST/PUT/DELETE used; CI gate blocks mutations | Low (code-verified, testable) |
| Data Tampering in Storage | Tampering | Ledger uses SHA256 hash chain; export archives signed with build identity; offline verification tools available | Low (cryptographically detected) |
| Unauthorized Data Access | Information Disclosure | Forge per-tenant isolation enforced by platform; no cross-tenant data access possible in scope | Low (platform-enforced) |
| Data Exfiltration to External Service | Information Disclosure | Zero egress audit (resolver_scan.txt); no external HTTP clients in production code | Low (code-verified) |
| Export Archive Forgery | Tampering | Deterministic ZIP build; git SHA + UI bundle hash embedded in manifest; signature verification available | Low (cryptographically detectable) |
| Ledger Replay Attack | Information Disclosure / Replay | Nonce + timestamp + hash chain prevent replay; monotonic timestamp enforcement | Low (cryptographically protected) |
| Compromise of Development Infrastructure | Tampering / Elevation | Git commit history immutable; signed tags recommended; 2FA on github.com/Firsttry-Solutions | Medium (depends on GitHub security) |
| Dependency Vulnerability | Tampering / Information Disclosure | npm audit enforced in CI; trivy scan in evidence; SBOM generated; SCA tools enabled | Low (monitored, tested) |
| Forge Platform Outage | Denial of Service | No mitigation available; FirstTry depends on Forge SLA; customers should export regularly | High (platform dependency) |
| Jira API Rate Limiting | Denial of Service | Forge handles rate-limit enforcement; app implements exponential backoff; optional retry logic | Medium (platform-dependent) |
| Unauthorized Repository Access | Tampering / Information Disclosure | GitHub repo is private; branch protection on main; code review required; audit logs available | Low (GitHub-enforced) |
| Audit Ledger Deletion | Repudiation | Forge Storage immutability at platform level; ledger is append-only; deletion requires uninstall | Low (platform-enforced) |
| Tenant Isolation Bypass | Information Disclosure | Forge platform guarantees per-tenant isolation; no application-level tenant confusion possible | Low (platform-enforced) |
Threat Severity Rating¶
| Rating | Criteria | CVSS | Action |
|---|---|---|---|
| Critical | Unmitigated, exploitable, disastrous impact | ≥9.0 | Immediate patch; escalate to Atlassian if platform issue |
| High | Significant impact; requires effort to exploit | 7.0–8.9 | Patch within 7 days; security advisory |
| Medium | Moderate impact; mitigations available | 4.0–6.9 | Patch within 30 days; document in release notes |
| Low | Minimal impact; unlikely to exploit | <4.0 | Patch in next regular release |
Threat Elimination Rationale¶
Why these threats are acceptable¶
Forge Dependency (Unavailable): FirstTry does not own or operate hosting infrastructure. Acceptance: Platform SLA is known; customers can select alternative tools if risk-intolerant. Mitigation: Regular exports.
Development Infrastructure: GitHub account security is shared responsibility with GitHub's security controls. Acceptance: GitHub SOC2 Type II certified; code review mitigates. Mitigation: Signed commits; branch protection.
Dependency Vulnerabilities (Ongoing): Dependencies update continuously; zero-day vulnerabilities may exist. Acceptance: Industry-standard SCA tools (npm audit, trivy) employed. Mitigation: CI gates fail on high-severity findings.
Mitigations by Category¶
Platform-Enforced (FirstTry cannot influence)¶
- Scope validation (Forge requestJira API)
- Per-tenant storage isolation (Forge Storage)
- Encryption at rest (Forge Storage AES-256)
- TLS in transit (Forge platform)
- Rate limiting and DDoS protection (Atlassian infrastructure)
Code-Verified (evidence artifacts)¶
- No external HTTP clients (resolver_scan.txt)
- No POST/PUT/DELETE mutations (resolver_scan.txt)
- Deterministic exports (export tests)
- Immutable ledger (hash chain formula)
- No scope escalation (manifest.yml lock + CI gate)
Customer-Controlled¶
- Selecting region (Atlassian site setup)
- Setting Jira permissions (RBAC)
- Exporting compliance evidence (regular schedules)
- Uninstalling app (data deletion trigger)
Threat Monitoring¶
Ongoing (per CI/CD pipeline):
- Dependency scanning: npm audit run on each build
- Image scanning: trivy fs . (filesystem scan)
- SBOM generation: CycloneDX SBOM for transparency
- Code mutation detection: resolver_scan.txt verifies no POST/PUT/DELETE added
- Scope drift detection: manifest.yml immutability enforced
Periodic (annual review):
- Architectural review: Check for new threat vectors
- Control assessment: Verify mitigations still effective
- Dependency audit: npm ls for known CVEs
- Forge platform updates: Review for new Forge capabilities or risks
References¶
- ARCHITECTURE.md: System design and trust boundaries
- SECURITY_OVERVIEW.md: Shared responsibility model
- VULNERABILITY_DISCLOSURE_POLICY.md: Incident reporting
- docs/operations/INCIDENT_RESPONSE_PLAN.md: Response procedures