Instructions and code for Gene Gotimer's Building a DevSecOps Pipeline workshop.
Visit our JPetStore target application at http://jpetstore.demo.secureci.com/.
Click around, follow some links, and try to accomplish something (for example, sign in, add a pet to the cart, check out) to get a feel for the app. Notice what looks polished and what doesn't, and where sensitive data is collected and where it is retrieved. Get a feel for what might worry you once the application is pushed into production.
- Brainstorm
- Discuss the threats and risks
- Discuss what might make you feel more at ease about the risks
This is simple, back-of-the-napkin threat modeling and risk assessment. For a more methodical, detailed approach, consider using the Microsoft Threat Modeling Tool together with STRIDE, or another threat modeling methodology.
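To show what the more methodical approach looks like in practice, here is an added example (not part of the workshop materials) that applies STRIDE-per-element to a small data-flow diagram. The applicability table (external entities: S and R; processes: all six; data stores: T, R, I, D; data flows: T, I, D) is the standard STRIDE-per-element mapping. The JPetStore diagram itself is an assumption sketched from what a shopper sees (a browser, the web app, a database, and a few flows); replace it with the elements and trust zones you actually observe.

```python
"""STRIDE-per-element over a hand-drawn data-flow diagram (DFD).

Added example for the workshop; the DFD below is an assumed sketch of
JPetStore, not a verified architecture. Each element gets the STRIDE
categories that apply to its kind, and threats are marked high priority
when the element handles sensitive data or a flow crosses a trust boundary.
"""
from dataclasses import dataclass
from typing import Optional

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Standard STRIDE-per-element applicability by DFD element kind.
APPLIES = {
    "external": "SR",
    "process": "STRIDE",
    "store": "TRID",
    "flow": "TID",
}


@dataclass
class Element:
    name: str
    kind: str                 # external | process | store | flow
    zone: str = ""            # trust zone (ignored for flows)
    sensitive: bool = False   # credentials, PII, payment data, ...
    src: Optional[str] = None  # flows only: source element name
    dst: Optional[str] = None  # flows only: destination element name


@dataclass
class Threat:
    element: str
    code: str
    category: str
    priority: str   # "high" or "normal"
    why: str


def crosses_boundary(elem: Element, by_name: dict) -> bool:
    """A flow crosses a trust boundary when its endpoints sit in different zones."""
    if elem.kind != "flow":
        return False
    if elem.src not in by_name or elem.dst not in by_name:
        raise ValueError(f"flow {elem.name!r} references an unknown element")
    return by_name[elem.src].zone != by_name[elem.dst].zone


def enumerate_threats(elements: list) -> list:
    """Apply STRIDE-per-element and return one Threat per (element, category)."""
    by_name = {e.name: e for e in elements}
    threats = []
    for e in elements:
        if e.kind not in APPLIES:
            raise ValueError(f"unknown element kind {e.kind!r} for {e.name!r}")
        reasons = []
        if e.sensitive:
            reasons.append("handles sensitive data")
        if crosses_boundary(e, by_name):
            reasons.append(f"crosses {by_name[e.src].zone}->{by_name[e.dst].zone}")
        priority = "high" if reasons else "normal"
        for code in APPLIES[e.kind]:
            threats.append(Threat(e.name, code, STRIDE[code], priority,
                                  "; ".join(reasons) or "baseline"))
    return threats


def report(threats: list) -> str:
    """Render high-priority threats first, one line each, for a napkin-to-table handoff."""
    order = sorted(threats, key=lambda t: (t.priority != "high", t.element, t.code))
    return "\n".join(f"[{t.priority:6}] {t.element:14} {t.category:22} {t.why}" for t in order)


# Assumed (constructed) JPetStore sketch: shopper on the internet, web app in a
# DMZ, database on an internal network. Credentials and account data are sensitive.
JPETSTORE_DFD = [
    Element("shopper", "external", zone="internet"),
    Element("webapp", "process", zone="dmz"),
    Element("db", "store", zone="internal", sensitive=True),
    Element("browse", "flow", src="shopper", dst="webapp"),
    Element("signin", "flow", src="shopper", dst="webapp", sensitive=True),
    Element("account-query", "flow", src="webapp", dst="db", sensitive=True),
]

THREATS = enumerate_threats(JPETSTORE_DFD)

if __name__ == "__main__":
    print(report(THREATS))
```

Each line of the report is a question to ask of the pipeline: which test, scan, or control covers that threat for that element, and what would make you more at ease about it. The high-priority group is where a first round of mitigations (authentication on the sign-in flow, TLS on anything crossing a boundary, access control and auditing on the store) should land.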