    Christian Schneider
    @cschneider4711
    Nice ideas... so in terms of different (generic) types of tech assets there's already a bunch to choose from (like those selectable from "technology" enum for each tech asset). Is that what you mean? And having built-in risks for those is to have risk-rules firing when these types are used, so mostly already there... Or do you mean something more specific than the "technology" enum values?
    antisocialengineering
    @0xbadc0_de_twitter
    Nope, the technology enums are a great start, but I'm sort of trying to think about getting those expanded to sets, so people could offer up specific ones- I'm also struggling with differentiating between generic architectures, which could be easily shared as best practices or out to customers and specific operational or development details which might be more closely held, if that makes sense.
    Christian Schneider
    @cschneider4711
    ah ok, like a hierarchy of tech-types... nice idea, so that would make it easier to group things..
    ... in terms of having something like model templates to choose from: eventually the model-macro feature might help, but that needs code (but then would be interactive for customers to choose values). So a more template like approach where parent-type of tech can be made concrete inside a model is what you're thinking about, I assume. Sounds good...
    antisocialengineering
    @0xbadc0_de_twitter
    I see a lot of common issues, especially assessing operational stuff- if it's a Dell server, 99 times out of 100, it's got iDRAC on a user network, and iDRAC hasn't ever been updated... I could make a library of server types with those sort of issues (thinking of threagile in an assessment rather than a dev role here) that I could offer up for you to use, but you'd probably not want to use HP's version...
    Exactly- then a drop-down UI to choose things becomes junior developer-friendly
    Christian Schneider
    @cschneider4711
    UI: yeah... indeed... That's what the REST API is about (tip: the REST API already covers way more than in the Swagger-doc listed, but this part is not fully finished yet). Here a Web-based SPA could be built to do things like "add tech asset" or "individualize tech asset" against the REST API... soon more to come...
    Feel free to provide whatever starting ground of tech types to put into this... Input of any sort is always welcomed and much appreciated... I'll set something up on the GitHub project site to collect this tech types etc...
    antisocialengineering
    @0xbadc0_de_twitter
    Awesome! I've just started looking at Threagile, Threat Dragon, the MS thing and a couple of others yesterday after ignoring such tools for a few years. I'm drawn to your architecture, and I think the TD GUI will impact my discussions with our dev folks next week, but your structure shows more strategic promise than the other tools in terms of actual use- but everyone starts with "tell me what you have," which is a higher bar than "show me which of these things you use" for beginners.
    Sorry, three or four things spinning in my thoughts here, hope it's not too jumbled.
    Christian Schneider
    @cschneider4711
    ;)... perfect as can be... ;)... good brainstorming is very important to drive good projects, so thx for any input...
    antisocialengineering
    @0xbadc0_de_twitter
    I just have multiple use cases and audiences in mind: High Level Architecture, Developers and Operations && design patterns for new things, assessments of already in-place systems and choice guidance && getting folks actually using tools as quickly and easily as possible. If I could give our devs models of our products and deployments, then have them model new features, it'd make my life easier.
    Christian Schneider
    @cschneider4711
    For Dev folks: Having something detailed to use/start with (YAML with detailed info about the model) is, from what I've seen, more appreciated than starting with abstractions (like on a whiteboard) because these abstractions are not that often updated when some parts change/evolve within the next sprints. These whiteboard sessions are still important though to identify risks that no tool could identify (therefore the "add custom risk" feature in Threagile), but having some detailed YAML model file checked along with the project and evolving along might be easier to keep updated on a constant basis... The only challenge is to create a model of an existing architecture: that's something that needs to be done initially at some time (eventually starting with only important components helps here). Keeping this updated then is where things really pay off...
    Yeah, that's where model templates might come in quite handy (will think also more about what features to implement there in terms of model templates)... And for design patterns in existing models, the model-macro feature might come in quite handy, as it's interactive wizard based (questions and answer) to modify/enhance models by/with certain design patterns...
    antisocialengineering
    @0xbadc0_de_twitter
    Yes, I think that's what resonated over ThreatDragon for me in terms of developer usage, but to get there initially is easier with some base models. The abstract higher view is more about gaming design specifics and presenting alternatives because of strategy differences, like say a global CA vs a customer-specific CA.
    Christian Schneider
    @cschneider4711

    yep... 👍

    So as model-macros are already there, this might be already used for this...

    Now next brainstorm thing would be: What makes up a good feature set around the topic of "model templates"....

    ... eventually also having a way to share some generic model templates in the community...
    antisocialengineering
    @0xbadc0_de_twitter
    Masking would be my first out of the box thought- so source tracking/validation maybe? The generic template within the docker should be overridden or overloaded by a company repository which should be overridden by a local one, with the ability to reverse that order to be sure a compromised repo produces different results?
    Christian Schneider
    @cschneider4711
    ah ok, so for the REST based users then a way to individualize the example catalog?
    antisocialengineering
    @0xbadc0_de_twitter
    or to clone and modify it
    alternately a way to override an entry
    Christian Schneider
    @cschneider4711
    yeah good one, generally being able to individualize/customize the web UI would be a good idea...
    antisocialengineering
    @0xbadc0_de_twitter
    That'd also allow languages
    index 0, generic, index 1 local custom, index 3 Klingon version...
    Christian Schneider
    @cschneider4711
    I think of using golang templates along with some nice I18N feature for this, should be quick to implement...
    😆
    antisocialengineering
    @0xbadc0_de_twitter
    Never done golang, too many languages over too much time to keep adding new ones!
    Christian Schneider
    @cschneider4711
    But indeed having the ability to have some organization branded or even agile team branded web UI would be helping adoption by some teams eventually... nice idea... personally I'm more using Threagile via the CLI, so didn't think so much about the web-ui version, but indeed from a first user's perspective, that's a very good idea...
    ... was just "thinking out loud" about how to implement this branding feature... will do over the weekend ;)...
    antisocialengineering
    @0xbadc0_de_twitter
    Same thing with nested assets, show me a level, or all the levels
    Christian Schneider
    @cschneider4711
    ok, so in terms of zooming in / drilling down?
    antisocialengineering
    @0xbadc0_de_twitter
    Yeah, like I said, I think the CLI is awesome for most devs, but I worry that means only the experienced ones will use it
    Yes, I think that also helps for decision modeling eventually
    Christian Schneider
    @cschneider4711
    ... eventually by adding an optional "layer" value to each asset... and then having runs of a certain layer.... eventually problematic would be to have a constant data flow when some intermediate asset is on a deeper (more detailed) level... so first idea would be to let this layering affect the rendering of the DFD diagrams for different abstraction layers)...
    antisocialengineering
    @0xbadc0_de_twitter
    Server->Hardware->TPM. Linux->distro->Arch
    Yeah, and not all objects would have all layers
    but they'd all have one and "all"
    Christian Schneider
    @cschneider4711
    ... nice thoughts... I'll also set up a brainstorming part for this on Threagile's GitHub project to collect and brainstorm more about this... nice input...
    antisocialengineering
    @0xbadc0_de_twitter
    Maybe show me layer N, or show me down to layer 3 or show me all?
    Thanks for spending the time! Hope we can chat more soon!
    Christian Schneider
    @cschneider4711
    Yeah, thank you! Feedback from the community is much appreciated and this should drive this project to next levels... For this all I'm going to setup some brainstorming collecting things on Threagile's GitHub repo... either a project cards or simple RFE issues (threads)... not sure yet... tending more towards the project cards to collect input...
    phenggeler
    @phenggeler
    Hey all, I just stumbled across Threagile and I would like to try it out. Any useful pointers on a good approach? I have historically done threat modeling with the Microsoft tool using the STRIDE approach only
    hiThere824248
    @hiThere824248
    Hi all, I am pretty new to the threat modelling topic. Currently I have a model in an XML file. I tried to find online tools to convert it to YAML format and input it into the Threagile playground, but the analysis could not proceed. The error I have is {"error":"unknown 'business_criticality' value of application:"}, does anyone know how I solve this?
    Christian Schneider
    @cschneider4711
    Hi, what kind of XML model is it? From another tool or did you build that directly? Best is to start with either the example model (for seeing how it works generally) or later from the stub model to have a minimal filled version to use. Both example and stub model are linked on the playground...
    Heribert Hirth
    @heri333
    Hi, I was wondering whether there is an online documentation/specification of all the enums used e.g. for describing data assets and technical assets? Not just the list of the enum names, but the definition of each name.
    Christian Schneider
    @cschneider4711
    Yep nice idea... Actually it is a bit open to the context of the modeled application/system and regarding risk identification it has an impact, as the risk rules utilize it to filter for relevant technical components and protocols (in communication links). I'll add an issue in the GitHub repo to create such a documentation.
    deomca04
    @deomca04
    Hi, I wanted to understand the logic behind RAA (Relative Attacker Attractiveness) calculation. The 2 technical assets which I put in the YAML file, for the first one RAA is 100% whereas for the other it's 1% and I don't understand the rationale behind that. Also, is there any way to cut short the size of the report? Even for the stub model, tool generates 65 page report and it's difficult to go through all the 65 pages.
    Philipp
    @phisch1991

    Hi @cschneider4711, first of all, I really like your idea and the Threagile tool (especially the "as-code" approach). I tested it in an enterprise context and I want to encourage my team mates to do threat modeling like writing docs/tests etc., so regarding it as part of our daily job. I have some feedback I would like to share/discuss:

    • Although there are some optional attributes, there are still many required attributes before you can model the system. To reduce initial costs, it would be very helpful to start even leaner (e. g. by only enumerating the systems to model without any other information and then step-by-step increase the level of details)
    • It would be great to have the option to "modularize" the model. We tried to make use of YAML anchors (which is quite nice for templates) but we still have the need to model smaller pieces of the system and compose them afterwards for an overall view.
    • We decided to create two models and distinguished between a devops and a business model. If we had done it in one model, the result (especially the diagrams) would have been too complex. Maybe it is an option to render diagrams for several layers. Layers could be "devops vs business", but also "high level vs technical details".

    What do you think and do you already have any plans for one of the points?

    Andreas Falk
    @andifalk
    Hi @cschneider4711, I started using Threagile some days ago and I pretty much like the "threat model as code" approach, great work.
    In my current project I need to threat model processes in an industrial environment. In this environment mainly Fieldbus protocols like Ethernet/IP, Profinet, etc. are used. These protocols are all based just on TCP/UDP layer. I did not really find a match in the list of available protocols of communication links, which protocol would be the correct one to be used for OSI layer 4 protocols like TCP or UDP?
    Christian Schneider
    @cschneider4711

    Hi @andifalk, cool, thx for the feedback... I've been a bit busy the last two weeks with lots of trainings, but glad to see things keep going here ;)...

    In your case I'd use "BINARY" or "BINARY_encrypted".

    Also I'm thinking about a way to open these enum values for user-based custom extensions. Not quite decided about how to avoid too many different entries then, and how (then custom-rules) might pick these values up, but I've got some nice ideas about built-in enum values and custom enum-values to use. Any wishes about that? Also in the meanwhile we can extend the built-in types with any types that are usable on a general scale.