Threat Modeling Executive Summary
presented to the executive team at SecureDevAI
by ‘Team 13’

THREAT MODELING HACKATHON – SPRING 2024

SUBMITTED ON 21ST APRIL 2024

SecureDevAI is a recent startup with the powerful and innovative agenda "Make every dev a 10x dev!".

However, with great innovation comes great responsibility!

Main objectives are:

  • Revolutionize the software development landscape by leveraging AI to enhance developer productivity.
  • Target individual developers as well as companies across various industries including finance, healthcare, manufacturing, IoT, etc.
  • Monetize the services and grow financially
  • Continuous development and enhancement of LLM models
  • Reduce business risk by maintaining a good security and privacy posture across the organization

Features

  • SANDBOX FOR CODE EXECUTION
  • CODE GENERATION
  • CODE AUTOCOMPLETION
  • AUTOMATED TESTING
  • CODE REFACTORING

Business Model

  • Pricing model same as OpenAI pricing model
  • Billing based on token usage
  • Sandbox pricing based on execution time
  • Subscription version and community version available
  • Limited functionality available for the community version (code generation, code autocompletion, limited tokens)
  • Customers need to provide mandatory consent for usage of their code for continuous enhancement and training of LLM models

Top Threats

  • Inadequate secrets management
  • Inadequate authentication & authorization for end users (subscribed and community)
  • Insecure web application
  • Privacy (Accessibility) threat – lack of information before asking for mandatory user consent for using their code
  • Insufficient networking solution
  • Insufficient logging and monitoring

Top Recommendations

  • Strong and secure authentication & authorization
  • Secure secrets management
  • Implement a WAF and web app input validation
  • Implement logging and monitoring; secure storage and backup of logs
  • Implement a secure networking solution
  • Provide details of the code usage for model training purposes to the users before asking for consent

Reference to Detailed Report

Threat Modeling Report

Threat & Mitigations Sheet

List of Attack Trees

SECURITY SHOULD BE BUILT IN… NOT BOLT ON.

Thank You!!!