Allergy Recommender App Security Hackathon

“April showers bring May flowers”, as they say… For many of us, those flowers may come with some nasty seasonal allergies.

We are (hypothetically, for the sake of this exercise) designing an app to provide customized recommendations to help individuals alleviate their seasonal allergy symptoms.

Call for Diverse Input:

We are seeking diverse perspectives in helping us think through security, safety and privacy issues and how to address them in our (hypothetical) application’s design. Of course, you’ll want to get specific about what you imagine this app’s design to be in order to properly think about security considerations.

You may wish to address one or more of the following questions in your explanations or models (as well as many other considerations):

  • What types of security, privacy or safety threats or risks might you want to account for in designing this system? What are some steps you might want to take to mitigate these concerns?
  • What are the components of the system you (hypothetically) plan to build? Think software component analysis, supply chain, etc.
  • What types of industry-specific regulatory requirements (if any) might you want to prioritize in developing this system?
  • What types of personally identifiable information (PII) might the application collect and process from its users? What are some security, safety or privacy related concerns that might be particularly relevant in developing this system? What might you do about this in working to protect personal data?
  • What other stakeholder groups might be harmed if this application were to be compromised (in addition to its users, who are just seeking data-driven help with their allergies)?
  • What types of “bad actors” might wish to compromise the confidentiality, integrity or availability of this application, or any of its parts?

Deliverables participants may want to submit

  • Threat modeling deliverables (attack tree, data flow diagram, textual representation). You may also submit as a pull request to the OWASP Threat Model Cookbook, in order to share your threat modeling “recipe” with the open source security community.
  • A questionnaire or checklist for a potential development team (along with possible answers and explanations for your choice of questions).
  • Answers to some of the questions posed in the above list.