    Christian Schneider
    @cschneider4711
    Hello World
    Now the Threagile Gitter community is live... ;)
    Looking forward to nice discussions... Ask your questions and get your threats mitigated ;)
    Christian Schneider
    @cschneider4711
    daniel-e
    @daniel-e
    Hi @cschneider4711 , thank you for inviting me. Hope the community will grow quickly. ;)
    dawic-33
    @dawic-33
    Hi everyone, I'm pretty new to the concept of threat modelling. Are there any sources which explain how to make a good threat model?
    Christian Schneider
    @cschneider4711
    Hi @dawic-33 , very important question... Eventually the OWASP Cheat Sheet about Threat Modeling can be used as a good starting point? https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html
    dawic-33
    @dawic-33
    Hi @cschneider4711 thanks for the help :)
    Martin Müller
    @mum-viadee
    Hi @cschneider4711 ,
    I'm currently trying threagile for the first time and get some errors regarding the model. The error message is not meaningful. "Unknown 'machine' of technical asset:" Could you please help?
    Martin Müller
    @mum-viadee
    Ok. Now I've solved it myself. The property machine is not mandatory in your current schema.json. It's an additional property. But threagile seems to depend on it.
    Christian Schneider
    @cschneider4711
    Hi @mum-viadee , thx for the info, nice that you solved it already... ;) In case of any other questions, just keep posting ;) Have a nice weekend...
    antisocialengineering
    @0xbadc0_de_twitter
    How do you generally deal with notional options, such as something that could be deployed as either a VM or a physical system or a container?
    Christian Schneider
    @cschneider4711
    Personally I'd choose the most probable installation/setup type for this one (like how the recommended or most often used style to operate the system you're modeling is). But it would also be a nice idea to include an "unknown" value in these notional options enumeration. What do you think, would adding "unknown" to the list of "machine" and other notional optional values help?
    antisocialengineering
    @0xbadc0_de_twitter
    Unknown helps for some instances, variable for others, as these may be considered variable to an architecture implementation, or conditional mitigators when moving to operations.
    Christian Schneider
    @cschneider4711
    Yep, true, so mostly it will indeed be "variable" (as when someone models something, mostly they have some info about what they're modeling, so "variable" would be a better choice than "unknown")...
    antisocialengineering
    @0xbadc0_de_twitter
    How do you envision standard asset and component storage? It'd be cool to have some level of trusted element thing, where the threats and boundaries are pre-built for selectable mappings. So you might provide a set of generic things like clients, servers and VPNs with related risk and design issues, but I might provide specific things like Chrome 23, Dell R710s, or Wireguard, so designs can become choosing assets instead of naming them. Just thinking out loud...
    I like having variable and unknown, as they're different use cases.
    Christian Schneider
    @cschneider4711
    Nice ideas... so in terms of different (generic) types of tech assets there's already a bunch to choose from (like those selectable from "technology" enum for each tech asset). Is that what you mean? And having built-in risks for those is to have risk-rules firing when these types are used, so mostly already there... Or do you mean something more specific than the "technology" enum values?
    antisocialengineering
    @0xbadc0_de_twitter
    Nope, the technology enums are a great start, but I'm sort of trying to think about getting those expanded to sets, so people could offer up specific ones. I'm also struggling with differentiating between generic architectures, which could be easily shared as best practices or out to customers, and specific operational or development details which might be more closely held, if that makes sense.
    Christian Schneider
    @cschneider4711
    ah ok, like a hierarchy of tech-types... nice idea, so that would make it easier to group things..
    ... in terms of having something like model templates to choose from: eventually the model-macro feature might help, but that needs code (but then would be interactive for customers to choose values). So a more template like approach where parent-type of tech can be made concrete inside a model is what you're thinking about, I assume. Sounds good...
    antisocialengineering
    @0xbadc0_de_twitter
    I see a lot of common issues, especially assessing operational stuff. If it's a Dell server, 99 times out of 100 it's got iDRAC on a user network, and iDRAC hasn't ever been updated... I could make a library of server types with those sorts of issues (thinking of threagile in an assessment rather than a dev role here) that I could offer up for you to use, but you'd probably not want to use HP's version...
    Exactly, then a drop-down UI to choose things becomes junior-developer-friendly
    Christian Schneider
    @cschneider4711
    UI: yeah... indeed... That's what the REST API is about (tip: the REST API already covers way more than in the Swagger-doc listed, but this part is not fully finished yet). Here a Web-based SPA could be built to do things like "add tech asset" or "individualize tech asset" against the REST API... soon more to come...
    Feel free to provide whatever starting ground of tech types to put into this... Input of any sort is always welcome and much appreciated... I'll set something up on the GitHub project site to collect these tech types etc...