| Pick a Use Case |
- Start with one or two use cases at most
- Start with the authentication use case as well as one of the main flows of the application
|
| Draw a DFD of the Use Case |
- A data flow diagram (DFD) shows how data flows through the system and which apps/dbs are involved
- Draw your applications (processes), databases or other important data assets, data flows and actors
  - circle: processes (apps)
  - double circle: collection of services
  - open rectangles: assets (dbs, files, queues, logs, etc.)
  - dotted lines: trust boundaries
|
| Discuss the Security Risks |
- For each asset passing through your data flow:
  - go through a checklist and discuss potential security risks
  - rate each risk (e.g. by likelihood and impact)
  - STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege)
- For each risk that you find:
  - list it with a reference to the element, a short description, the likelihood of it occurring (Low, Medium, High), the impact on your system (Low, Medium, High) and a proposed mitigation

|
| Implement Security Controls |
- Discuss and decide what you will do about each risk
|
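The four steps above applied to a constructed login use case, as an added example that is not part of the original page: it derives the STRIDE discussion checklist from the DFD elements and orders the risk register by likelihood times impact. The STRIDE-per-element mapping, the node names, trust zones, sample risks and the 1 to 3 scoring are assumptions made for illustration.

```python
from dataclasses import dataclass

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}
# Assumed STRIDE-per-element mapping (Repudiation on an asset mostly concerns logs).
APPLIES = {"actor": "SR", "process": "STRIDE", "asset": "TRID", "flow": "TID"}
LEVEL = {"Low": 1, "Medium": 2, "High": 3}

# Constructed DFD for a login use case: name -> (element kind, trust zone).
NODES = {"User": ("actor", "internet"),
         "Web app": ("process", "dmz"),
         "Auth service": ("process", "internal"),
         "User DB": ("asset", "internal")}
FLOWS = [("Auth service", "User DB"), ("User", "Web app"), ("Web app", "Auth service")]

def crosses_boundary(flow):
    """True when the two ends of a flow sit in different trust zones."""
    return NODES[flow[0]][1] != NODES[flow[1]][1]

def checklist():
    """(element, STRIDE category) prompts; boundary-crossing flows come first."""
    flows = sorted(FLOWS, key=lambda f: not crosses_boundary(f))
    items = [(f"{src} -> {dst}", "flow") for src, dst in flows]
    items += [(name, kind) for name, (kind, _zone) in NODES.items()]
    return [(element, STRIDE[c]) for element, kind in items for c in APPLIES[kind]]

@dataclass
class Risk:
    element: str
    category: str
    description: str
    likelihood: str   # Low | Medium | High
    impact: str       # Low | Medium | High
    mitigation: str
    @property
    def score(self):
        return LEVEL[self.likelihood] * LEVEL[self.impact]

def register(risks):
    """Risk register ordered by likelihood x impact, highest first."""
    return sorted(risks, key=lambda r: r.score, reverse=True)

# Constructed outcome of the risk discussion.
RISKS = [
    Risk("Auth service", "Repudiation", "Failed logins not logged", "Medium", "Low", "Log auth events"),
    Risk("User", "Spoofing", "Credential stuffing on login", "High", "Medium", "Rate limit, MFA"),
    Risk("User DB", "Information disclosure", "Hashes readable in backups", "Low", "High", "Encrypt backups"),
]
```

Iterating over `checklist()` gives the agenda for the risk discussion, and `register(RISKS)` gives the order in which to decide on controls.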