    Christian Schneider
    @cschneider4711
    Hi @dawic-33, very important question... Eventually the OWASP Cheat Sheet about Threat Modeling can be used as a good starting point? https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html
    dawic-33
    @dawic-33
    Hi @cschneider4711 thanks for the help :)
    Martin Müller
    @mum-viadee
    Hi @cschneider4711,
    I'm currently trying threagile for the first time and get some errors regarding the model. The error message is not meaningful. "Unknown 'machine' of technical asset:" Could you please help?
    Martin Müller
    @mum-viadee
    Ok. Now I've solved it myself. The property machine is not mandatory in your current schema.json. It's an additional property. But threagile seems to depend on it.
    Christian Schneider
    @cschneider4711
    Hi @mum-viadee , thx for the info, nice that you solved it already... ;) In case of any other questions, just keep posting ;) Have a nice weekend...
    antisocialengineering
    @0xbadc0_de_twitter
    How do you generally deal with notional options, such as something that could be deployed as either a VM or a physical system or a container?
    Christian Schneider
    @cschneider4711
    Personally I'd choose the most probable installation/setup type for this one (like how the recommended or most often used style to operate the system you're modeling is). But it would also be a nice idea to include an "unknown" value in these notional options enumeration. What do you think, would adding "unknown" to the list of "machine" and other notional optional values help?
    antisocialengineering
    @0xbadc0_de_twitter
    Unknown helps for some instances, variable for others, as these may be considered variable to an architecture implementation, or conditional mitigators when moving to operations.
    Christian Schneider
    @cschneider4711
    Yep, true, so mostly it will indeed be "variable" (as when someone models something, mostly they have some info about what they're modeling, so "variable" would be a better choice than "unknown")...
    antisocialengineering
    @0xbadc0_de_twitter
    How do you envision standard asset and component storage? It'd be cool to have some level of trusted element thing, where the threats and boundaries are pre-built for selectable mappings. So you might provide a set of generic things like clients, servers and VPNs with related risk and design issues, but I might provide specific things like Chrome 23, Dell R710s, or Wireguard, so designs can become choosing assets instead of naming them. Just thinking out loud...
    I like having variable and unknown, as they're different use cases.
    Christian Schneider
    @cschneider4711
    Nice ideas... so in terms of different (generic) types of tech assets there's already a bunch to choose from (like those selectable from "technology" enum for each tech asset). Is that what you mean? And having built-in risks for those is to have risk-rules firing when these types are used, so mostly already there... Or do you mean something more specific than the "technology" enum values?
    antisocialengineering
    @0xbadc0_de_twitter
    Nope, the technology enums are a great start, but I'm sort of trying to think about getting those expanded to sets, so people could offer up specific ones- I'm also struggling with differentiating between generic architectures, which could be easily shared as best practices or out to customers and specific operational or development details which might be more closely held, if that makes sense.
    Christian Schneider
    @cschneider4711
    ah ok, like a hierarchy of tech-types... nice idea, so that would make it easier to group things..
    ... in terms of having something like model templates to choose from: eventually the model-macro feature might help, but that needs code (but then would be interactive for customers to choose values). So a more template like approach where parent-type of tech can be made concrete inside a model is what you're thinking about, I assume. Sounds good...
    antisocialengineering
    @0xbadc0_de_twitter
    I see a lot of common issues, especially assessing operational stuff- if it's a Dell server, 99 times out of 100, it's got iDRAC on a user network, and iDRAC hasn't ever been updated... I could make a library of server types with those sort of issues (thinking of threagile in an assessment rather than a dev role here) that I could offer up for you to use, but you'd probably not want to use HP's version...
    Exactly. Then a drop-down UI to choose things becomes junior-developer-friendly
    Christian Schneider
    @cschneider4711
    UI: yeah... indeed... That's what the REST API is about (tip: the REST API already covers way more than in the Swagger-doc listed, but this part is not fully finished yet). Here a Web-based SPA could be built to do things like "add tech asset" or "individualize tech asset" against the REST API... soon more to come...
    Feel free to provide whatever starting ground of tech types to put into this... Input of any sort is always welcomed and much appreciated... I'll set something up on the GitHub project site to collect these tech types etc...
    antisocialengineering
    @0xbadc0_de_twitter
    Awesome! I've just started looking at Threagile, Threat Dragon, the MS thing and a couple of others yesterday after ignoring such tools for a few years. I'm drawn to your architecture, and I think the TD GUI will impact my discussions with our dev folks next week, but your structure shows more strategic promise than the other tools in terms of actual use- but everyone starts with "tell me what you have," which is a higher bar than "show me which of these things you use" for beginners.
    Sorry, three or four things spinning in my thoughts here, hope it's not too jumbled.
    Christian Schneider
    @cschneider4711
    ;)... perfect as can be... ;)... good brainstorming is very important to drive good projects, so thx for any input...
    antisocialengineering
    @0xbadc0_de_twitter
    I just have multiple use cases and audiences in mind: High Level Architecture, Developers and Operations && design patterns for new things, assessments of already in-place systems and choice guidance && getting folks actually using tools as quickly and easily as possible. If I could give our devs models of our products and deployments, then have them model new features, it'd make my life easier.
    Christian Schneider
    @cschneider4711
    For Dev folks: Having something detailed to use/start with (YAML with detailed info about the model) is, from what I've seen, more appreciated than starting with abstractions (like on a whiteboard) because these abstractions are not that often updated when some parts change/evolve within the next sprints. These whiteboard sessions are still important though to identify risks that no tool could identify (therefore the "add custom risk" feature in Threagile), but having some detailed YAML model file checked in along with the project and evolving along might be easier to keep updated on a constant basis... The only challenge is to create a model of an existing architecture: that's something that needs to be done initially at some time (eventually starting with only important components helps here). Keeping this updated then is where things really pay off...
    Yeah, that's where model templates might come in quite handy (will think also more about what features to implement there in terms of model templates)... And for design patterns in existing models, the model-macro feature might come in quite handy, as it's interactive wizard based (questions and answer) to modify/enhance models by/with certain design patterns...
    antisocialengineering
    @0xbadc0_de_twitter
    Yes, I think that's what resonated over ThreatDragon for me in terms of developer usage, but to get there initially is easier with some base models. The abstract higher view is more about gaming design specifics and presenting alternatives because of strategy differences, like say a global CA vs a customer-specific CA.
    Christian Schneider
    @cschneider4711
    yep... 👍
    So as model-macros are already there, this might be already used for this...
    Now next brainstorm thing would be: What makes up a good feature set around the topic of "model templates"....
    ... eventually also having a way to share some generic model templates in the community...
    antisocialengineering
    @0xbadc0_de_twitter
    Masking would be my first out of the box thought- so source tracking/validation maybe? The generic template within the docker should be overridden or overloaded by a company repository which should be overridden by a local one, with the ability to reverse that order to be sure a compromised repo produces different results?
    Christian Schneider
    @cschneider4711
    ah ok, so for the REST based users then a way to individualize the example catalog?
    antisocialengineering
    @0xbadc0_de_twitter
    or to clone and modify it
    alternately a way to override an entry
    Christian Schneider
    @cschneider4711
    yeah good one, generally being able to individualize/customize the web UI would be a good idea...
    antisocialengineering
    @0xbadc0_de_twitter
    That'd also allow languages
    index 0, generic, index 1 local custom, index 3 Klingon version...
    Christian Schneider
    @cschneider4711
    I think of using golang templates along with some nice I18N feature for this, should be quick to implement...
    😆
    antisocialengineering
    @0xbadc0_de_twitter
    Never done golang, too many languages over too much time to keep adding new ones!
    Christian Schneider
    @cschneider4711
    But indeed having the ability to have some organization branded or even agile team branded web UI would be helping adoption by some teams eventually... nice idea... personally I'm more using Threagile via the CLI, so didn't think so much about the web-ui version, but indeed from a first user's perspective, that's a very good idea...
    ... was just "thinking out loud" about how to implement this branding feature... will do over the weekend ;)...
    antisocialengineering
    @0xbadc0_de_twitter
    Same thing with nested assets, show me a level, or all the levels
    Christian Schneider
    @cschneider4711
    ok, so in terms of zooming in / drilling down?
    antisocialengineering
    @0xbadc0_de_twitter
    Yeah, like I said, I think the CLI is awesome for most devs, but I worry that means only the experienced ones will use it
    Yes, I think that also helps for decision modeling eventually
    Christian Schneider
    @cschneider4711
    ... eventually by adding an optional "layer" value to each asset... and then having runs of a certain layer.... eventually problematic would be to have a consistent data flow when some intermediate asset is on a deeper (more detailed) level... so first idea would be to let this layering affect the rendering of the DFD diagrams for different abstraction layers...
    antisocialengineering
    @0xbadc0_de_twitter
    Server->Hardware->TPM. Linux->distro->Arch
    Yeah, and not all objects would have all layers
    but they'd all have one and "all"
    Christian Schneider
    @cschneider4711
    ... nice thoughts... I'll also set up a brainstorming part for this on Threagile's GitHub project to collect and brainstorm more about this... nice input...