#Q1. You are a security analyst at an organization that runs several web applications. Your CIO is interested in using threat modeling as part of the software development lifecycle. Provide her with an overview of threat modeling and the value it would provide to your company – you need to choose between an asset/risk-based or a threat/security-based approach. As part of your overview, include a detailed explanation of the appropriate threat model for your approach (e.g., PASTA, STRIDE, or another standardized methodology), which should address the different objectives the model attempts to achieve, and provide two potential mitigations for each threat/attack scenario. [75 points]

You can make any assumptions you want about the web application; just make sure you explain them in the essay. Avoid any examples that might be in the textbook.
#Q2. Describe an attack tree and what it is used for. Provide an example attack tree on how you would cheat on this final exam. (Do not cheat on this exam or test your attack tree. This is a thought exercise only.) [25 points]

[Special Note for Q2: You do not need all three basic components of an essay for this response, as long as you provide a thorough/complete description of an attack tree.]