The focus of this exercise should not be the software application alone; it should be carried out with the business and user context in mind. Once the threat analysis has been conducted, you may certainly limit the implementation scope to the software product, in line with the priority decision. For example, you may fully cover the software-specific scope, but what if your admins or end users are storing system credentials on a file share or the like? Despite a full implementation on the software side, this one weakness, if exploited, would make all other efforts useless.