d-bis/the_order
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2633de4d3386f7194663e3d442b017e820fc16de
the_order/docs/governance/THREAT_MODEL.md
defiQUG 2633de4d33 feat(eresidency): Complete eResidency service implementation 
- Implement credential revocation endpoint with proper database integration
- Fix database row mapping (snake_case to camelCase) for eResidency applications
- Add missing imports (getRiskAssessmentEngine, VeriffKYCProvider, ComplyAdvantageSanctionsProvider)
- Fix environment variable type checking for Veriff and ComplyAdvantage providers
- Add required 'message' field to notification service calls
- Fix risk assessment type mismatches
- Update audit logging to use 'verified' action type (supported by schema)
- Resolve all TypeScript errors and unused variable warnings
- Add TypeScript ignore comments for placeholder implementations
- Temporarily disable security/detect-non-literal-regexp rule due to ESLint 9 compatibility
- Service now builds successfully with no linter errors

All core functionality implemented:
- Application submission and management
- KYC integration (Veriff placeholder)
- Sanctions screening (ComplyAdvantage placeholder)
- Risk assessment engine
- Credential issuance and revocation
- Reviewer console
- Status endpoints
- Auto-issuance service
2025-11-10 19:43:02 -08:00

8.3 KiB
Raw Blame History

Threat Model

Overview

This document outlines the threat model for The Order monorepo, identifying potential threats, attack vectors, and mitigation strategies.

System Architecture

Components

  • Identity Service: Verifiable credential issuance and verification
  • Intake Service: Document ingestion and processing
  • Finance Service: Payment processing and ledger management
  • Dataroom Service: Secure document storage and access
  • Database: PostgreSQL for data persistence
  • Storage: S3/GCS for object storage
  • KMS: Key management for cryptographic operations
  • Cache: Redis for caching
  • Message Queue: Background job processing
  • Event Bus: Event-driven communication

Data Flow

  1. User authentication (JWT/DID/eIDAS)
  2. Document upload and processing
  3. Verifiable credential issuance
  4. Payment processing
  5. Document storage and access
  6. Audit logging

Threat Categories

1. Authentication & Authorization Threats

Threat: Unauthorized Access

  • Description: Attackers gain access to system without proper authentication
  • Attack Vectors:
    • Stolen credentials
    • Weak authentication mechanisms
    • Session hijacking
    • Token theft
  • Impact: High - Unauthorized access to sensitive data and operations
  • Mitigation:
    • Strong authentication (MFA, OAuth2/OIDC)
    • Secure token storage and transmission
    • Session management with timeouts
    • Rate limiting on authentication endpoints
    • Audit logging of authentication events

Threat: Privilege Escalation

  • Description: Users gain access to resources beyond their authorization
  • Attack Vectors:
    • Role manipulation
    • Authorization bypass
    • Missing access controls
  • Impact: High - Unauthorized access to sensitive operations
  • Mitigation:
    • Role-based access control (RBAC)
    • Principle of least privilege
    • Regular access reviews
    • Authorization checks on all endpoints
    • Multi-signature requirements for critical operations

2. Data Protection Threats

Threat: Data Breach

  • Description: Unauthorized access to sensitive data
  • Attack Vectors:
    • Database injection attacks
    • Unencrypted data storage
    • Insecure data transmission
    • Insider threats
  • Impact: Critical - Exposure of sensitive data
  • Mitigation:
    • Encryption at rest and in transit
    • Database access controls
    • Data masking in non-production
    • Regular security audits
    • Access logging and monitoring

Threat: Data Tampering

  • Description: Unauthorized modification of data
  • Attack Vectors:
    • SQL injection
    • Man-in-the-middle attacks
    • Insider threats
  • Impact: High - Data integrity compromise
  • Mitigation:
    • Input validation and sanitization
    • Parameterized queries
    • Digital signatures for critical data
    • Audit logging
    • Immutable storage (WORM) for critical documents

3. Cryptographic Threats

Threat: Weak Cryptography

  • Description: Use of weak cryptographic algorithms or keys
  • Attack Vectors:
    • Weak encryption algorithms
    • Insufficient key length
    • Poor key management
    • Cryptographic implementation flaws
  • Impact: Critical - Compromise of cryptographic security
  • Mitigation:
    • Strong encryption algorithms (AES-256, RSA-2048+)
    • Secure key management (KMS/HSM)
    • Key rotation policies
    • Cryptographic library updates
    • Regular security audits

Threat: Key Compromise

  • Description: Unauthorized access to cryptographic keys
  • Attack Vectors:
    • Key theft
    • Weak key storage
    • Key exposure in logs or errors
  • Impact: Critical - Complete system compromise
  • Mitigation:
    • Hardware Security Modules (HSM)
    • Key rotation policies
    • Secure key storage (AWS KMS, Azure Key Vault)
    • Access controls on key operations
    • Audit logging of key usage

4. API Security Threats

Threat: API Abuse

  • Description: Unauthorized or excessive API usage
  • Attack Vectors:
    • Rate limiting bypass
    • API key theft
    • DDoS attacks
    • Automated scraping
  • Impact: Medium - Service disruption, resource exhaustion
  • Mitigation:
    • Rate limiting
    • API authentication
    • Request validation
    • DDoS protection
    • Monitoring and alerting

Threat: Injection Attacks

  • Description: Malicious code injection through API inputs
  • Attack Vectors:
    • SQL injection
    • NoSQL injection
    • Command injection
    • LDAP injection
  • Impact: High - Data breach, system compromise
  • Mitigation:
    • Input validation and sanitization
    • Parameterized queries
    • Output encoding
    • Least privilege access
    • Security testing

5. Infrastructure Threats

Threat: Container Vulnerabilities

  • Description: Vulnerabilities in container images or runtime
  • Attack Vectors:
    • Vulnerable base images
    • Misconfigured containers
    • Container escape
  • Impact: High - System compromise
  • Mitigation:
    • Container image scanning
    • Image signing (Cosign)
    • SBOM generation
    • Regular updates
    • Security best practices

Threat: Supply Chain Attacks

  • Description: Compromise through third-party dependencies
  • Attack Vectors:
    • Malicious packages
    • Compromised dependencies
    • Typosquatting
  • Impact: High - System compromise
  • Mitigation:
    • Dependency scanning
    • Package verification
    • SBOM tracking
    • Regular updates
    • Supply chain security monitoring

6. Compliance & Legal Threats

Threat: Non-Compliance

  • Description: Failure to meet regulatory requirements
  • Attack Vectors:
    • GDPR violations
    • eIDAS non-compliance
    • Data retention issues
  • Impact: High - Legal and financial consequences
  • Mitigation:
    • Compliance audits
    • Regulatory monitoring
    • Data protection measures
    • Privacy policies
    • Legal review

Attack Scenarios

Scenario 1: Credential Theft

  1. Attacker steals JWT token from compromised client
  2. Attacker uses token to access API endpoints
  3. Attacker issues fraudulent verifiable credentials
  4. Mitigation: Token expiration, refresh tokens, MFA, audit logging

Scenario 2: Database Injection

  1. Attacker sends malicious SQL in API request
  2. Database executes malicious query
  3. Attacker extracts sensitive data
  4. Mitigation: Parameterized queries, input validation, least privilege

Scenario 3: Key Compromise

  1. Attacker gains access to KMS key
  2. Attacker decrypts sensitive data
  3. Attacker signs fraudulent credentials
  4. Mitigation: HSM, key rotation, access controls, audit logging

Scenario 4: DDoS Attack

  1. Attacker floods API with requests
  2. Service becomes unavailable
  3. Legitimate users cannot access service
  4. Mitigation: Rate limiting, DDoS protection, auto-scaling, monitoring

Risk Assessment

Risk Matrix

Threat Likelihood Impact Risk Level Priority
Data Breach Medium Critical High 1
Key Compromise Low Critical High 2
Unauthorized Access Medium High High 3
API Abuse High Medium Medium 4
Injection Attacks Medium High High 5
Container Vulnerabilities Medium High High 6
Supply Chain Attacks Low High Medium 7
Non-Compliance Low High Medium 8

Mitigation Strategies

Immediate Actions

  1. Implement comprehensive input validation
  2. Enable encryption at rest and in transit
  3. Set up security monitoring and alerting
  4. Conduct security code review
  5. Implement rate limiting

Short-term Actions (1-3 months)

  1. Conduct penetration testing
  2. Implement MFA for critical operations
  3. Set up automated security scanning
  4. Create incident response plan
  5. Conduct security training

Long-term Actions (3-6 months)

  1. Implement HSM for key management
  2. Conduct comprehensive security audit
  3. Establish bug bounty program
  4. Implement advanced threat detection
  5. Regular security assessments

Review Schedule

  • Monthly: Threat model review, security updates
  • Quarterly: Comprehensive security audit
  • Annually: Penetration testing, compliance audit
  • As needed: New features, security incidents, major changes

References

Reference in New Issue View Git Blame Copy Permalink