Threat-Model a Patient-Intake Web App for a Telemedicine Startup
Overview
What this challenge is about.
Receive the architecture diagram (Next.js front-end, Node.js API, PostgreSQL, S3 for ID-photo uploads, Clerk for auth), the data-flow description for patient intake, and the SOC 2 control mappings. Build a STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) threat model with at least 20 identified threats across the patient-intake flow. Score each threat using DREAD (Damage, Reproducibility, Exploitability, Affected users, Discoverability) or a simple likelihood-impact matrix. Propose concrete mitigations for the top 10, mapping each to a SOC 2 control. Deliver the threat-model document, the data-flow diagram, the prioritized threat register, and a 4-page mitigation roadmap for the engineering manager.
The Brief
What you'll do, and what you'll demonstrate.
Produce a STRIDE-based threat model for a patient-intake web app, prioritize the top 10 threats, and propose mitigations that map to SOC 2 controls.
Earning criteria — what you'll demonstrate
- Apply STRIDE systematically to a real web-app data flow
- Score threats using DREAD or a defensible likelihood-impact matrix
- Map technical mitigations to compliance controls (SOC 2)
- Communicate threat-model results to engineering leadership
Program Fit
Where this fits in your program.
Sharpens the same skills your degree expects you to demonstrate.
Skills
Skills you'll demonstrate.
Each one shows up on your verified credential.
Careers
Roles this prepares you for.
Real titles. Real skill bridges. Pick the one closest to your trajectory.
Career mappings coming soon.