Skip to content
Lee Kim ERP

Threat model

Purpose

Section titled “Purpose”

Complement the actionable Security checklist with a structured threat model: what we protect, where trust boundaries are, and how common threat classes map to controls. This is not a full formal STRIDE workshop write-up for every deployment — it is a baseline for security reviews and handover.

For lightweight starter tables, the checklist still contains a short STRIDE section; this page adds boundaries and assets.

Scope

Section titled “Scope”
In scopeOut of scope
leekimerp on Frappe / ERPNext, Bench, MariaDBPhysical datacenter security (hosting provider)
Whitelisted Python APIs (@frappe.whitelist)End-user phishing training
Inbound webhooks (Stripe, Xero, etc.)Legal privacy notices — separate process
Desk session, CSRF, and integration secrets

Trust boundaries (conceptual)

Section titled “Trust boundaries (conceptual)”

Bench / Frappe

Edge / reverse proxy

Internet

Browser / SPA

SaaS webhooks

(Xero, Stripe, …)

TLS termination

rate limits

Whitelisted APIs

+ Desk

Background workers

scheduler

MariaDB

Trust drops at: TLS edge (unauthenticated internet), guest API surface (no session), webhook handlers (forged payloads without signatures).

Assets

Section titled “Assets”
AssetWhy it matters
Tenant / company financial dataSales, payroll, PII — confidentiality and integrity
Integration tokensXero, Stripe, DocuSign, Singpass — forge or steal → account takeover
User sessionsDesk and portal — session hijack
Audit logsCompliance — tampering

STRIDE summary (aligned with controls)

Section titled “STRIDE summary (aligned with controls)”
ThreatExample in this stackPrimary controls
SpoofingFake webhook claiming to be StripeSignature verification, idempotency keys
TamperingModified AR data via APIRole permissions, DocType rules, server-side validation
Repudiation“We never sent that payment”Doc revision log, webhook logs, provider dashboards
Information disclosurePII in API responses or logsField permissions, redact logs (Security checklist)
Denial of serviceBrute force on guest endpointsRate limits at proxy; heavy work in background queues
Elevation of privilegeUser A sees Company Buser_permissions, company filters, test with multiple users

High-priority surfaces

Section titled “High-priority surfaces”
  1. allow_guest=True methods — inventory in API inventory; treat every addition as a security review trigger.
  2. Webhooks — must verify signatures and reject replayed events per vendor docs.
  3. SQL — parameterized queries; audit string-built SQL in legacy helpers.

Review cadence

Section titled “Review cadence”
ActivitySuggested frequency
Re-read this page + checklist after major integration or auth changePer release
Full boundary diagram updateAnnual or when network architecture changes
Access review (Administrator, integration keys)Security checklist table
Section titled “Related”