Question 1:400 words
Since we know that this particular instance of the AppMaker implements a customer-facing store that processes financial transactions, how does that influence which threat agents may be interested in attacking it?
Question 2:600 words
The network restrictions surrounding the web authentication service is one layer of defense. As was noted, this component is too valuable to trust to a single defense. Furthermore, authentication requests are tendered by the least-trusted component in the architecture. That component, HTTP termination, resides on the least-trusted network. What additional steps can be taken?