Conversation
Closed
6 tasks
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.Snapshot WarningsEnsure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice. Scanned FilesNone |
Update MFA status across THREAT_MODEL.md to accurately reflect that Multi-Factor Authentication via Google Authenticator is fully implemented. Changes: - STRIDE mitigation table: MFA badge changed from Planned to Implemented - Critical Assets table: Added MFA implementation evidence link - Priority Threat Scenarios: Added MFA as existing credential compromise mitigation - STRIDE→Control Mapping: Added Google Authenticator service class reference Cross-document consistency verified with SECURITY_ARCHITECTURE.md and ISMS_COMPLIANCE_MAPPING.md (both already correct). Resolves ISO 27001 A.5.17 documentation accuracy requirement. Agent-Logs-Url: https://github.com/Hack23/cia/sessions/3ee3afd7-b10c-4bc8-a91e-cc544c0b4106 Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
Copilot
AI
changed the title
[WIP] Fix THREAT_MODEL.md MFA status discrepancy
docs: Fix THREAT_MODEL.md MFA status discrepancy — "Planned" → "Implemented"
Apr 5, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
Updates THREAT_MODEL.md to correct the documented MFA status and references so it aligns with the already-implemented Google Authenticator OTP MFA in the codebase and other security documents.
Changes:
- Marks MFA as Implemented (instead of Planned) in the STRIDE/MITRE mitigation mapping and updates references accordingly.
- Updates critical assets and threat scenarios to explicitly include Google Authenticator OTP MFA as an existing control, with evidence links.
- Extends STRIDE→Control mapping to reference the MFA implementation evidence.
THREAT_MODEL.md
Outdated
Comment on lines
299
to
302
| | **Multi-Factor Authentication** | [M1032: Multi-factor Authentication](https://attack.mitre.org/mitigations/M1032/) | [T1078](https://attack.mitre.org/techniques/T1078/), [T1110](https://attack.mitre.org/techniques/T1110/) | [](SECURITY_ARCHITECTURE.md#authentication) | | ||
| | **AWS CloudTrail** | [M1047: Audit](https://attack.mitre.org/mitigations/M1047/) | [T1098](https://attack.mitre.org/techniques/T1098/) | [](SECURITY_ARCHITECTURE.md#audit-logging) | | ||
| | **VPC Security Groups** | [M1030: Network Segmentation](https://attack.mitre.org/mitigations/M1030/) | [T1041](https://attack.mitre.org/techniques/T1041/) | [](SECURITY_ARCHITECTURE.md#network-security) | | ||
| | **Spring Security** | [M1035: Limit Access](https://attack.mitre.org/mitigations/M1035/) | [T1068](https://attack.mitre.org/techniques/T1068/), [T1078](https://attack.mitre.org/techniques/T1078/) | [](SECURITY_ARCHITECTURE.md#authentication) | |
There was a problem hiding this comment.
The link target SECURITY_ARCHITECTURE.md#authentication doesn’t appear to match any heading anchor in SECURITY_ARCHITECTURE.md. The relevant section is ## 🔑 Authentication Architecture, which GitHub anchors as #-authentication-architecture (see SECURITY_ARCHITECTURE.md Table of Contents). Please update this link to the correct anchor (and consider aligning the similar Spring Security row which uses the same #authentication anchor).
Suggested change
| | **Multi-Factor Authentication** | [M1032: Multi-factor Authentication](https://attack.mitre.org/mitigations/M1032/) | [T1078](https://attack.mitre.org/techniques/T1078/), [T1110](https://attack.mitre.org/techniques/T1110/) | [](SECURITY_ARCHITECTURE.md#authentication) | | |
| | **AWS CloudTrail** | [M1047: Audit](https://attack.mitre.org/mitigations/M1047/) | [T1098](https://attack.mitre.org/techniques/T1098/) | [](SECURITY_ARCHITECTURE.md#audit-logging) | | |
| | **VPC Security Groups** | [M1030: Network Segmentation](https://attack.mitre.org/mitigations/M1030/) | [T1041](https://attack.mitre.org/techniques/T1041/) | [](SECURITY_ARCHITECTURE.md#network-security) | | |
| | **Spring Security** | [M1035: Limit Access](https://attack.mitre.org/mitigations/M1035/) | [T1068](https://attack.mitre.org/techniques/T1068/), [T1078](https://attack.mitre.org/techniques/T1078/) | [](SECURITY_ARCHITECTURE.md#authentication) | | |
| | **Multi-Factor Authentication** | [M1032: Multi-factor Authentication](https://attack.mitre.org/mitigations/M1032/) | [T1078](https://attack.mitre.org/techniques/T1078/), [T1110](https://attack.mitre.org/techniques/T1110/) | [](SECURITY_ARCHITECTURE.md#-authentication-architecture) | | |
| | **AWS CloudTrail** | [M1047: Audit](https://attack.mitre.org/mitigations/M1047/) | [T1098](https://attack.mitre.org/techniques/T1098/) | [](SECURITY_ARCHITECTURE.md#audit-logging) | | |
| | **VPC Security Groups** | [M1030: Network Segmentation](https://attack.mitre.org/mitigations/M1030/) | [T1041](https://attack.mitre.org/techniques/T1041/) | [](SECURITY_ARCHITECTURE.md#network-security) | | |
| | **Spring Security** | [M1035: Limit Access](https://attack.mitre.org/mitigations/M1035/) | [T1068](https://attack.mitre.org/techniques/T1068/), [T1078](https://attack.mitre.org/techniques/T1078/) | [](SECURITY_ARCHITECTURE.md#-authentication-architecture) | |
Member
|
@copilot apply changes based on the comments in this thread |
Update #authentication → #-authentication-architecture for both Multi-Factor Authentication and Spring Security rows to match the actual heading anchor for "## 🔑 Authentication Architecture". Agent-Logs-Url: https://github.com/Hack23/cia/sessions/4beec168-dc75-40dc-8d23-8fff51789860 Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
Contributor
Author
Fixed in e59bf59. Updated both the MFA row and Spring Security row anchors from |
THREAT_MODEL.md
Outdated
| | **🧠 Source Code** | Policy logic, ranking algorithms | IP theft, malicious injection | Private repo controls, dependency scanning, SLSA provenance | [](https://github.com/Hack23/ISMS-PUBLIC/blob/main/CLASSIFICATION.md) | | ||
| | **🔄 Import Pipelines** | Freshness & correctness | Poisoned input, replay, API abuse | Input validation, schema checks, rate limiting | [](https://github.com/Hack23/ISMS-PUBLIC/blob/main/CLASSIFICATION.md) | | ||
| | **👤 User Accounts** | Abuse vector | Credential stuffing, enumeration | Login throttling, password policy, MFA optional path | [](https://github.com/Hack23/ISMS-PUBLIC/blob/main/CLASSIFICATION.md) | | ||
| | **👤 User Accounts** | Abuse vector | Credential stuffing, enumeration | Login throttling, password policy, MFA ([Google Authenticator OTP](service.impl/src/main/java/com/hack23/cia/service/impl/action/user/SetGoogleAuthenticatorCredentialService.java)) | [](https://github.com/Hack23/ISMS-PUBLIC/blob/main/CLASSIFICATION.md) | |
There was a problem hiding this comment.
The controls list here implies MFA is a general/active control, but the current login flow only enforces OTP when a Google Authenticator secret is present for the account (i.e., enrollment-based/optional MFA). Consider wording this as “optional MFA” / “MFA available (Google Authenticator OTP)” to avoid overstating enforcement.
Suggested change
| | **👤 User Accounts** | Abuse vector | Credential stuffing, enumeration | Login throttling, password policy, MFA ([Google Authenticator OTP](service.impl/src/main/java/com/hack23/cia/service/impl/action/user/SetGoogleAuthenticatorCredentialService.java)) | [](https://github.com/Hack23/ISMS-PUBLIC/blob/main/CLASSIFICATION.md) | | |
| | **👤 User Accounts** | Abuse vector | Credential stuffing, enumeration | Login throttling, password policy, optional MFA ([Google Authenticator OTP](service.impl/src/main/java/com/hack23/cia/service/impl/action/user/SetGoogleAuthenticatorCredentialService.java)) | [](https://github.com/Hack23/ISMS-PUBLIC/blob/main/CLASSIFICATION.md) | |
THREAT_MODEL.md
Outdated
| | **1** | **🌐 Web Application Compromise** | [Initial Access](https://attack.mitre.org/tactics/TA0001/) | Data integrity manipulation | Medium | [](https://github.com/Hack23/ISMS-PUBLIC/blob/main/CLASSIFICATION.md) | WAF, validation, ORM parameterization | Add periodic data hash verification | | ||
| | **2** | **🔗 Supply Chain Dependency Attack** | [Initial Access](https://attack.mitre.org/tactics/TA0001/) | Code integrity & confidentiality | Medium | [](https://github.com/Hack23/ISMS-PUBLIC/blob/main/CLASSIFICATION.md) | SBOM, pin SHAs, attestations | Add provenance verification policy gate | | ||
| | **3** | **🔑 Administrative Credential Compromise** | [Credential Access](https://attack.mitre.org/tactics/TA0006/) | System-wide access | Low-Med | [](https://github.com/Hack23/ISMS-PUBLIC/blob/main/CLASSIFICATION.md) | Lockouts, strong policy, IP rate limiting | Enforce mandatory MFA for admin | | ||
| | **3** | **🔑 Administrative Credential Compromise** | [Credential Access](https://attack.mitre.org/tactics/TA0006/) | System-wide access | Low-Med | [](https://github.com/Hack23/ISMS-PUBLIC/blob/main/CLASSIFICATION.md) | Lockouts, strong policy, IP rate limiting, [MFA implemented](service.impl/src/main/java/com/hack23/cia/service/impl/action/user/SetGoogleAuthenticatorCredentialService.java) | Enforce mandatory MFA enrollment for all admin accounts | |
There was a problem hiding this comment.
The “MFA implemented” mitigation link is good evidence of support, but it may read as if MFA is already enforced for admins. Since residual action is to enforce mandatory enrollment, consider adjusting the mitigation wording to clarify it’s currently enrollment-based/optional MFA support (and/or link to both enable+disable services).
Suggested change
| | **3** | **🔑 Administrative Credential Compromise** | [Credential Access](https://attack.mitre.org/tactics/TA0006/) | System-wide access | Low-Med | [](https://github.com/Hack23/ISMS-PUBLIC/blob/main/CLASSIFICATION.md) | Lockouts, strong policy, IP rate limiting, [MFA implemented](service.impl/src/main/java/com/hack23/cia/service/impl/action/user/SetGoogleAuthenticatorCredentialService.java) | Enforce mandatory MFA enrollment for all admin accounts | | |
| | **3** | **🔑 Administrative Credential Compromise** | [Credential Access](https://attack.mitre.org/tactics/TA0006/) | System-wide access | Low-Med | [](https://github.com/Hack23/ISMS-PUBLIC/blob/main/CLASSIFICATION.md) | Lockouts, strong policy, IP rate limiting, [optional MFA enrollment support implemented](service.impl/src/main/java/com/hack23/cia/service/impl/action/user/SetGoogleAuthenticatorCredentialService.java) | Enforce mandatory MFA enrollment for all admin accounts | |
THREAT_MODEL.md
Outdated
| | STRIDE Category | Example Threat | Primary Control | Secondary Control | Monitoring | | ||
| |----------------|----------------|-----------------|-------------------|------------| | ||
| | **🎭 Spoofing** | Credential stuffing | Throttling + password policy | MFA (admin), account lockout | Failed login attempts, IP tracking | | ||
| | **🎭 Spoofing** | Credential stuffing | Throttling + password policy | [MFA via Google Authenticator](service.impl/src/main/java/com/hack23/cia/service/impl/action/user/SetGoogleAuthenticatorCredentialService.java), account lockout | Failed login attempts, IP tracking | |
There was a problem hiding this comment.
This row suggests MFA is a standard secondary control for credential stuffing across the board. Given the implementation only checks OTP when an MFA secret exists for the user, consider clarifying this as “optional/enrollment-based MFA via Google Authenticator” to keep the STRIDE mapping accurate.
Suggested change
| | **🎭 Spoofing** | Credential stuffing | Throttling + password policy | [MFA via Google Authenticator](service.impl/src/main/java/com/hack23/cia/service/impl/action/user/SetGoogleAuthenticatorCredentialService.java), account lockout | Failed login attempts, IP tracking | | |
| | **🎭 Spoofing** | Credential stuffing | Throttling + password policy | [Optional/enrollment-based MFA via Google Authenticator](service.impl/src/main/java/com/hack23/cia/service/impl/action/user/SetGoogleAuthenticatorCredentialService.java), account lockout | Failed login attempts, IP tracking | |
Member
|
@copilot apply changes based on the comments in this thread |
Apply reviewer suggestions to accurately reflect that MFA via Google Authenticator is enrollment-based (optional) rather than enforced: - L105: "MFA" → "optional MFA" in critical assets table - L401: "MFA implemented" → "optional MFA enrollment support implemented" - L520: "MFA via Google Authenticator" → "Optional/enrollment-based MFA via Google Authenticator" Agent-Logs-Url: https://github.com/Hack23/cia/sessions/cbfabd8f-41cf-4d74-adb4-5a01db036d2b Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
Contributor
Author
Applied all three suggestions in 2f7f84c. MFA wording now clarifies it's optional/enrollment-based across L105, L401, and L520. |
Copilot
AI
changed the title
docs: Fix THREAT_MODEL.md MFA status discrepancy — "Planned" → "Implemented"
docs: Fix THREAT_MODEL.md MFA status discrepancy — "Planned" → "Implemented (optional enrollment)"
Apr 5, 2026
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
THREAT_MODEL.md incorrectly marks MFA as "Planned" while SECURITY_ARCHITECTURE.md and the actual codebase (
SetGoogleAuthenticatorCredentialService,DisableGoogleAuthenticatorCredentialService) show it's fully implemented. This discrepancy undermines audit credibility and violates ISO 27001 A.5.17 documentation accuracy requirements.Changes to
THREAT_MODEL.md:Planned→Implemented, link targetFUTURE_SECURITY_ARCHITECTURE.md#mfa→SECURITY_ARCHITECTURE.md#-authentication-architectureMFA optional path→optional MFA (Google Authenticator OTP)with evidence link — clarifies enrollment-based natureOptional/enrollment-based MFA via Google Authenticatorto accurately reflect that OTP is only enforced when a user has enrolled#authentication→#-authentication-architectureto match the actual## 🔑 Authentication Architectureheading in SECURITY_ARCHITECTURE.mdCross-document consistency verified — SECURITY_ARCHITECTURE.md and ISMS_COMPLIANCE_MAPPING.md already correctly show MFA as implemented.
Type of Change
Primary Changes
Technical Changes
Impact Analysis
Political Analysis Impact
Technical Impact
Testing
Documentation
Screenshots
N/A — markdown documentation changes only.
Related Issues
Checklist
Additional Notes
All three security documents (THREAT_MODEL.md, SECURITY_ARCHITECTURE.md, ISMS_COMPLIANCE_MAPPING.md) now consistently report MFA as implemented. Anchor links in the STRIDE mitigation table were corrected to point to the actual
## 🔑 Authentication Architectureheading (#-authentication-architecture) in SECURITY_ARCHITECTURE.md, fixing both the MFA and Spring Security rows. MFA wording throughout was refined to clarify it is currently optional/enrollment-based (OTP is only checked when a Google Authenticator secret exists for the account), with mandatory enforcement noted as the residual action item.Security Considerations
Release Notes
Fixed documentation discrepancy in THREAT_MODEL.md where MFA was incorrectly marked as "Planned" despite being implemented via Google Authenticator OTP. Updated wording to clarify MFA is currently optional/enrollment-based (not universally enforced), with mandatory enrollment as a residual action. Corrected anchor links to SECURITY_ARCHITECTURE.md authentication section. All security documents now consistently reflect MFA implementation status.