Threat Modeling Assignment - CS456

Consider that you are the security team for the following software development project:

Your customer is a local auction firm called MooTube Auctions. MooTube specializes in onsite farm, household, and video store (hence the "tube") auctions, and they need a software system designed to handle their auction events. The company has three employees: an auctioneer (also the MooTube owner), a clerk and a flunky.

Computing hardware of the company includes a MySQL database server, a web server to handle all auction transactions, and two iPads, one for the clerk and one for the flunky. All of these devices communicate by Wi-Fi and Internet, except the two servers, which are connected on a proprietary in-house LAN and protected behind a perimeter firewall. All communication with the iPads uses unencrypted HTTP.

MooTube also uses their website and database server to advertise their various businesses with a typical Internet retail presence, but the associated software to implement MooTube web pages was written by another company and is not part of this project.

Each auction is a new event and only buyers registered on that day may bid. To register, a potential buyer must see the clerk, who photographs the individual's driver's license. Your software must check this individual against your database of folks who have not paid their debts from a prior auction and against the DMV's database of criminals and/or invalid driver's licenses. Each registrant must also supply their email address to the clerk. Authenticated buyers are each given a uniquely numbered placard that they must wave in order to place a bid.

As the auction proceeds, the flunky with the second iPad enters each purchase into a purchase database. The purchase must indicate three things: an ID code for the item purchased, a dollar amount to be paid and the placard number of the buyer.

Buyers can check out with the clerk at any time within two hours after the auction ends. To check out, the purchaser must show his/her placard and then present a credit card to the clerk. The clerk enters the credit card info and your application uses a standard third-party system to verify that the card is legitimate and has sufficient credit to cover the purchase. The purchaser receives an invoice that is emailed by your software to the email address supplied at the time of registration.

The day after the auction, the database of purchase transactions and the database of buyers are archived. Also at this time, all buyers with unpaid bills are added to the buyers with unpaid bills database.

The auctioneer is the only person with admin privilege on the web and database servers. The auctioneer chooses when to create and destroy the customer databases, and can manually alter any field of any database record. Each of the three employees has a separate role that allows them to perform only the functions as described.

Your servlet must allow the MooTube owner to create, delete and modify new users. Each user is given one of the three roles, along with a user name and password. User authentication to your system is handled through a web servlet regardless of device, and all user accounts are maintained by the web server. Your program maintains a log file on the web server of all logins and logouts.