Threat Model Overview

Systems In Scope

The Mall on Rails application server, job server, database server, and the WTI SSO authentication server are all in scope for the MoR threat model.

Ancillary services, such as GitLab (a malicious MR), are not specifically included in the MoR threat model. It is assumed that the development team will carefully monitor any external contributions for security threats.

Threat Actors

We prioritise network attackers as our primary threat actor. These attackers are external to WTI, and attempt to breach the system over the Internet.

We view physical attackers as a lower priority, but still present. There are two classes: physical attackers who gain access to a WTI office, and physical attackers who gain access to the datacentre. We have multiple layers of redundancy in place to prevent data leaks in these cases.

We class internal threats as the lowest priority. We still defend against this by using the principles of least privilege, in-depth non-repudiable logging, and user account-based auditing.

Mitigation of STRIDE threats

We have mitigations in place for all forms of STRIDE threats. The specific mitigations in place per-threat are considered to be sensitive information, as we do not want attackers to be aware of the countermeasures we have deployed. Registered store owners can request a copy of our full threat model and report via WTI Client Care. Interested security researchers and open-source community members may reach out via WTI Open Outreach; however, those without a "need to know" may receive limited information due to the sensitive nature of security-related documentation. We appreciate your understanding as we work to balance the need of security and the need of the greater community.