    Christian Schneider
    @cschneider4711
    But indeed having the ability to have some organization branded or even agile team branded web UI would help adoption by some teams eventually... nice idea... personally I'm more using Threagile via the CLI, so didn't think so much about the web-ui version, but indeed from a first user's perspective, that's a very good idea...
    ... was just "thinking out loud" about how to implement this branding feature... will do over the weekend ;)...
    antisocialengineering
    @0xbadc0_de_twitter
    Same thing with nested assets, show me a level, or all the levels
    Christian Schneider
    @cschneider4711
    ok, so in terms of zooming in / drilling down?
    antisocialengineering
    @0xbadc0_de_twitter
    Yeah, like I said, I think the CLI is awesome for most devs, but I worry that means only the experienced ones will use it
    Yes, I think that also helps for decision modeling eventually
    Christian Schneider
    @cschneider4711
    ... eventually by adding an optional "layer" value to each asset... and then having runs of a certain layer.... eventually problematic would be to have a constant data flow when some intermediate asset is on a deeper (more detailed) level... so first idea would be to let this layering affect the rendering of the DFD diagrams for different abstraction layers...
    antisocialengineering
    @0xbadc0_de_twitter
    Server->Hardware->TPM. Linux->distro->Arch
    Yeah, and not all objects would have all layers
    but they'd all have one and "all"
    Christian Schneider
    @cschneider4711
    ... nice thoughts... I'll also set up a brainstorming part for this on Threagile's GitHub project to collect and brainstorm more about this... nice input...
    antisocialengineering
    @0xbadc0_de_twitter
    Maybe show me layer N, or show me down to layer 3 or show me all?
    Thanks for spending the time! Hope we can chat more soon!
    Christian Schneider
    @cschneider4711
    Yeah, thank you! Feedback from the community is much appreciated and this should drive this project to next levels... For this all I'm going to setup some brainstorming collecting things on Threagile's GitHub repo... either a project cards or simple RFE issues (threads)... not sure yet... tending more towards the project cards to collect input...
    phenggeler
    @phenggeler
    Hey all, I just stumbled across Threagile and I would like to try it out. Any useful pointers on a good approach? I have historically done threat modeling with the Microsoft tool using the STRIDE approach only
    hiThere824248
    @hiThere824248
    Hi all, I am pretty new to the threat modelling topic. Currently I have a model in an XML file, I tried to find online tools to convert it to YAML format and input it into the Threagile playground, but the analysis could not proceed. The error I have is {"error":"unknown 'business_criticality' value of application:"}, does anyone know how I solve this?
    Christian Schneider
    @cschneider4711
    Hi, what kind of XML model is it? From another tool or did you build that directly? Best is to start with either the example model (for seeing how it works generally) or later from the stub model to have a minimal filled version to use. Both example and stub model are linked on the playground...
    Heribert Hirth
    @heri333
    Hi, I was wondering whether there is an online documentation/specification of all the enums used e.g. for describing data assets and technical assets? Not just the list of the enum names, but the definition of each name.
    Christian Schneider
    @cschneider4711
    Yep nice idea... Actually it is a bit open to the context of the modeled application/system and regarding risk identification it has an impact, as the risk rules utilize it to filter for relevant technical components and protocols (in communication links). I'll add an issue in the GitHub repo to create such a documentation.
    deomca04
    @deomca04
    Hi, I wanted to understand the logic behind RAA (Relative Attacker Attractiveness) calculation. The 2 technical assets which I put in the YAML file, for the first one RAA is 100% whereas for the other it's 1% and I don't understand the rationale behind that. Also, is there any way to cut short the size of the report? Even for the stub model, tool generates 65 page report and it's difficult to go through all the 65 pages.
    Philipp
    @phisch1991

    Hi @cschneider4711, first of all, I really like your idea and the Threagile tool (especially the "as-code" approach). I tested it in an enterprise context and I want to encourage my team mates to do threat modeling like writing docs/tests etc., so regarding it as part of our daily job. I have some feedback I would like to share/discuss:

    • Although there are some optional attributes, there are still many required attributes before you can model the system. To reduce initial costs, it would be very helpful to start even leaner (e. g. by only enumerating the systems to model without any other information and then step-by-step increase the level of details)
    • It would be great to have the option to "modularize" the model. We tried to make use of YAML anchors (which is quite nice for templates) but we still have the need to model smaller pieces of the system and compose them afterwards for an overall view.
    • We decided to create two models and distinguished between a devops and a business model. If we had done it in one model, the result (especially the diagrams) would have been too complex. Maybe it is an option to render diagrams for several layers. Layers could be "devops vs business", but also "high level vs technical details".

    What do you think and do you already have any plans for one of the points?

    Andreas Falk
    @andifalk
    Hi @cschneider4711, I started using Threagile some days ago and I pretty much like the "threat model as code" approach, great work.
    In my current project I need to threat model processes in an industrial environment. In this environment mainly Fieldbus protocols like Ethernet/IP, Profinet, etc. are used. These protocols are all based just on TCP/UDP layer. I did not really find a match in the list of available protocols of communication links, which protocol would be the correct one to be used for OSI layer 4 protocols like TCP or UDP?
    Christian Schneider
    @cschneider4711

    Hi @andifalk , cool, thx for the feedback... I've been a bit busy the last two weeks with lots of trainings, but glad to see things keep going here ;)...

    In your case I'd use "BINARY" or "BINARY_encrypted".

    Also I'm thinking about a way to open these enum values for user-based custom extensions. Not quite decided about how to avoid too many different entries then, and how (then custom-rules) might pick these values up, but I've got some nice ideas about built-in enum values and custom enum-values to use. Any wishes about that? Also in the meanwhile we can extend the built-in types with any types that are usable on a general scale.

    Scot Bellamy
    @scot.bellamy:matrix.org
    Been trying out Threagile for a couple of weeks now. Looks really promising and we are going to try it out with some of our teams. As I was trying different models and settings in the yaml, I noticed that the protocol types of reverse-proxy-web-protocol and reverse-proxy-web-protocol-encrypted do not work. I get an error of "unknown 'protocol'". Investigating a bit, I see both are defined in types.go, but the check for types in main.go doesn't include them. I'm not sure what I would use them for or if there are any rules around them, but wanted to check and see before I just ignore them. Guessing they were removed and inadvertently left in types.go and in the schema.json?
    Scot Bellamy
    @scot.bellamy:matrix.org
    Also, I was wondering if there is any documentation around the diagram_tweak settings. I'm sure they are useful to help with the diagram layout but I'm not quite sure how to use them.
    atlasDE
    @atlasDE
    Hi @cschneider4711 , I very much like the concept of Threagile and started using it for a project. There is currently one thing I'm not quite sure how to handle: When adding the communication links to a technical asset, there are a few values for "authentication" but nothing that fits my situation, as the auth of this particular interface is handled with only an API key. As far as I'm aware there is no possibility to add custom values - should I add such missing values as a feature request? Thank you very much :)
    Jens Carl
    @j-carl_gitlab
    Hello, how do I add line breaks to the section "description" of the "technical_overview"? Want to format the text a little bit with a paragraph to make it easier to read. Thx
    Giuseppe Tiberi
    @giuseppeTiberi

    Hello everybody, I'm working on YAML stub model for a very small architecture Threat Modeling analysis. When I analyze the YAML file with Threagile I got this error: {"error":"Risk tracking references unknown risk (risk id not found) - you might want to use the option -ignore-orphaned-risk-tracking: unencrypted-asset@some-component\n\nNOTE: For risk tracking each risk-id needs to be defined (the string with the @ sign in it).

    These unique risk IDs are visible in the PDF report (the small grey string under each risk), the Excel (column \"ID\"), as well as the JSON responses. Some risk IDs have only one @ sign in them, while others multiple. The idea is to allow for unique but still speaking IDs.

    Therefore each risk instance creates its individual ID by taking all affected elements causing the risk to be within an @-delimited part. Using wildcards (the * sign) for parts delimited by @ signs allows to handle groups of certain risks at once.

    Best is to lookup the IDs to use in the created Excel file. Alternatively a model macro \"seed-risk-tracking\" is available that helps in initially seeding the risk tracking part here based on already identified and not yet handled risks."}

    We're in the "individual_risk_categories" parent block -> A Risk Example: -> and it seems that I put a wrong value in the parameter "id" of the Risk Example.
    Giuseppe Tiberi
    @giuseppeTiberi
    The risk rule is related with an Apache Web Server technical asset, so I used
    id : cross-site-scripting
    because cross-site-scripting is a default risk rule for Apache Web Server. I don't understand which kind of value type I have to use in the Risk rule "id" value.
    Any help would be much appreciated. Many thanks!
    Christian Schneider
    @cschneider4711

    The error message comes from the fact that in risk tracking in your YAML file an unknown risk is tracked, which could either be due to a typo in the risk-id or just an orphaned risk, as when the risk is no longer (due to changes in the model) present (or differently present). Each risk-id (the one in the Excel "ID" column or the lengthy gray (small font) ID in the PDF, or also in JSON) identifies a unique risk (the wildcard "*" can be used to group risk-ids as in the example)...

    So the key point is to either ensure that a matching risk-id is used, or otherwise (if you want to tolerate orphaned risks and ignore them) to use the command-line flag mentioned inside the error message.

    Giuseppe Tiberi
    @giuseppeTiberi
    Thanks a million for your quick reply @cschneider4711 ! I'll test your suggestion.
    Giuseppe Tiberi
    @giuseppeTiberi
    Just as a suggestion, if someone has problems with the "individual_risk_categories" object of the YAML file, you can comment it and the analysis runs with the default risk rules.
    Tony Bone
    @tonybone:matrix.org
    I'm modeling an external IdP and the Missing Identity Store risk is added because I just created a single asset representing the third party service that provides both the IdP interface and identity store. Is the intended way to resolve this marking the risk as a false positive or hanging an identity store off the identity provider?
    threagileisneat
    @threagileisneat:matrix.org
    Hi, I wanted to understand threagile better, but I am not finding much documentation. The threagile website has good youtube videos explaining the high-level, but I wanted to know if there were some docs to look up specific reference material. Is there any detailed documentation available? For example what the various fields mean in context with what vulnerabilities are created. For instance for the confidentiality field when would I put confidential vs strictly-confidential; some examples might help. Maybe a SSN is strictly-confidential for Y reason and a telephone number is confidential for X reason. Another would be for the flow diagrams what shapes (cylinders are databases, ...) and colors (red outlines mean confidential data and above) correspond to what information?
    Tony Bone
    @tonybone:matrix.org
    A legend for the data flow diagram would be awesome, especially if it was embedded into the image or the report at the very least
    threagileisneat
    @threagileisneat:matrix.org
    Can you please let me know what you intended?
    threagileisneat
    @threagileisneat:matrix.org

    I am trying to write a custom rule just to see if I can, but the rule does not seem to trigger. Any suggestions? I am new to Go, so not sure if I am just missing something basic.

    • I tried to import the file into report/report.go as I saw all of the other rules are imported there.
      • With package main it fails as it is a program and is not importable
      • If I change the package name then this command in the docker file fails COPY --from=build /app/demo-rule.so /app/demo-rule.so. I assume there is reason for this instead of importing.

    I am not understanding the intended way of adding custom rules. I actually just want to update some of the mitigation text while keeping the built-in rules unchanged. My plan was to create a custom rule that referenced a built in rule and then just auto resolve anything called out of the built-in command. If there is a less convoluted way let me know.

    YassineAmraoui
    @YassineAmraoui

    Hi, I would like to know if it is possible to modify the schema.json file in order to add additional assets, when I push the modified threagile.yaml file I get this error : unknown 'technology' value of technical asset

    Kind regards

    ggi-cetic
    @ggi-cetic
    Hello,
    I haven't been using Threagile for long and I'm encountering a problem with the PDF generation. The other files are fine but the PDF fails with: "runtime error : index out of range [44] with length 44". I'm using Threagile with a really simple model, in a GitHub Action. It works with other models but I can't find the error in mine. Any idea? Or is it something known?
    ggi-cetic
    @ggi-cetic
    OK. So it seems that my model was too simple and adding data_assets made it work...
    damianmcgrath
    @damianmcgrath
    I really like the Threat Modelling as Code approach of threagile, so thank you Christian for all this great work! I'm using its features to build out some Threat Models for one of our systems. One thing I've noticed is that -list-risk-rules doesn't seem to work for me when used in conjunction with the -custom-risk-rules-plugins argument. For example: "threagile.sh -list-risk-rules -custom-risk-rules-plugins ./demo-rule.so". I've tried this out with Version: 1.0.0 (20201115181601) and with my own fresh fork, same thing. Something I'm doing wrong or do you want me to raise an issue on GitHub?
    Correction: the above should read "threagile.sh -list-risk-rules -custom-risk-rules-plugins /app/demo-rule.so"
    damianmcgrath
    @damianmcgrath
    Also, I'm more generally having problems using any plugin that is built independently of the threagile source because of what looks like this issue: golang/go#31354. It seems difficult to build a plugin for threagile without also building/forking the source code? If someone has a good pattern for doing this please let me know. It feels like this might be one reason that the likes of Hashicorp use TCP connections for their Vault plugins? (Vault is built with golang) https://www.vaultproject.io/docs/internals/plugins
    Anh Pham
    @anh.pham5_gitlab
    Hello, I've just started using Threagile and really like it. However, I was wondering if it's possible to change some of the default enums. For example, under Quantity for Data Asset, instead of using veryfew, few, many, and verymany, is it possible to use a different scale? If I manually change these enums, will it have an impact on the risk identification and severity calculation?