add Automated Threats for Actor and Flow elements
Jon Gadsden committed Nov 1, 2021
1 parent 690b7d3 commit 774510f
Showing 2 changed files with 120 additions and 63 deletions.
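--- a/td.desktop/core/diagrams/diagram.js
+++ b/td.desktop/core/diagrams/diagram.js
@@ -30,8 +30,8 @@ function diagram($scope, $document, $location, $routeParams, $timeout, dialogs,
 vm.errored = false;
 vm.title = 'ThreatModelDiagram';
 vm.initialise = initialise,
-/*jshint -W030 */
-vm.dirty = false;
+/*jshint -W030 */
+vm.dirty = false;
 vm.graph = diagramming.newGraph();
 vm.newProcess = newProcess;
 vm.newStore = newStore;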
179 changes: 118 additions & 61 deletions td.desktop/core/services/threatengine.js
Expand Up @@ -39,6 +39,7 @@ function threatengine() {
engine.addFact('diagramType', getModel(type));
engine.addFact('elementIsPublicNetwork', element.isPublicNetwork);
engine.addFact('elementIsEncrypted', element.isEncrypted);
engine.addFact('providesAuthentication', element.providesAuthentication);
}

function getModel(type) {
Expand Down Expand Up @@ -505,61 +506,132 @@ function threatengine() {
}

function initialiseRulesByContext(engine) {
/* STRIDE using context */
/* No context threat suggestion */
engine.addRule({
conditions: {
all: [
any: [
{
fact: 'diagramType',
operator: 'equal',
value: 'STRIDE'
},
all: [
{
fact: 'elementType',
operator: 'equal',
value: 'tm.Actor'
} , {
any: [
{
fact: 'providesAuthentication',
operator: 'equal',
value: false
}, {
fact: 'providesAuthentication',
operator: 'equal',
value: undefined
}
]
}
]
}, {
all: [
{
fact: 'elementType',
operator: 'equal',
value: 'tm.Flow'
} , {
any: [
{
fact: 'elementIsPublicNetwork',
operator: 'equal',
value: false
}, {
fact: 'elementIsPublicNetwork',
operator: 'equal',
value: undefined
}
]
}
]
}
]
},
event: {
type: 'c1cae982-3e92-4bb2-b50b-ea51deadbeef',
params: {
ruleId: 'c1cae982-3e92-4bb2-b50b-ea51deadbeef',
title: 'No context threat suggestion',
type: 'TBD',
modelType: 'TBD',
status: 'Open',
severity: 'TBD',
description: 'No context specific threat determined, add one manually if appropriate',
mitigation: 'Mitigation or prevention for the threat'
}
}
});

/* CAPTCHA defeat */
engine.addRule({
conditions: {
all: [
{
fact: 'elementType',
operator: 'equal',
value: 'tm.Flow'
value: 'tm.Actor'
} , {
fact: 'elementIsPublicNetwork',
fact: 'providesAuthentication',
operator: 'equal',
value: true
} , {
any: [
{
fact: 'elementIsEncrypted',
operator: 'equal',
value: false
}, {
fact: 'elementIsEncrypted',
operator: 'equal',
value: undefined
}
]
}
]
},
event: {
type: 'c1cae982-3e92-4bb2-b50b-ea51137fc3a7',
type: 'c1cae982-3e92-4bb2-b50b-ea51deadbeef',
params: {
ruleId: 'c1cae982-3e92-4bb2-b50b-ea51137fc3a7',
title: 'Use encryption',
type: 'Information disclosure',
modelType: 'STRIDE',
ruleId: 'c1cae982-3e92-4bb2-b50b-ea51deadbeef',
title: 'CAPTCHA defeat',
type: 'TBD',
modelType: 'TBD',
status: 'Open',
severity: 'High',
description: 'Unencrypted data sent over a public network may be intercepted and read by an attacker, and should be encrypted either at the message or transport level.'
severity: 'TBD',
description: '',
mitigation: ''
}
}
});

/* CIA using context */
/* Credential stuffing */
engine.addRule({
conditions: {
all: [
{
fact: 'diagramType',
fact: 'elementType',
operator: 'equal',
value: 'CIA'
},
value: 'tm.Actor'
} , {
fact: 'providesAuthentication',
operator: 'equal',
value: true
}
]
},
event: {
type: '38c51fb4-2370-4ac1-a24a-4ba1deadbeef',
params: {
ruleId: '38c51fb4-2370-4ac1-a24a-4ba1deadbeef',
title: 'Credential stuffing',
type: 'TBD',
modelType: 'TBD',
status: 'Open',
severity: 'TBD',
description: 'Lists of authentication credentials stolen from elsewhere are tested against the application’s authentication mechanisms to identify whether users have re-used the same login credentials',
mitigation: 'Defenses against Credential Stuffing are described in the Credential Stuffing Prevention Cheat Sheet, Multi-Factor Authentication being a primary counter-measure'
}
}
});

/* Use encryption over public networks */
engine.addRule({
conditions: {
all: [
{
fact: 'elementType',
operator: 'equal',
Expand All @@ -584,28 +656,24 @@ function threatengine() {
]
},
event: {
type: '38c51fb4-2370-4ac1-a24a-4ba171078ef1',
type: '021ab22d-8d51-4501-9bb8-6dabf9c27f0d',
params: {
ruleId: '38c51fb4-2370-4ac1-a24a-4ba171078ef1',
ruleId: '021ab22d-8d51-4501-9bb8-6dabf9c27f0d',
title: 'Use encryption',
type: 'Confidentiality',
modelType: 'CIA',
type: 'TBD',
modelType: 'TBD',
status: 'Open',
severity: 'High',
description: 'Unencrypted data sent over a public network may be intercepted and read by an attacker, and should be encrypted either at the message or transport level.'
description: 'Unencrypted data sent over a public network may be intercepted and read by an attacker',
mitigation: 'Data should be encrypted either at the message or transport level'
}
}
});

/* LINDDUN using context */
/* Fingerprinting */
engine.addRule({
conditions: {
all: [
{
fact: 'diagramType',
operator: 'equal',
value: 'LINDDUN'
},
{
fact: 'elementType',
operator: 'equal',
Expand All @@ -614,31 +682,20 @@ function threatengine() {
fact: 'elementIsPublicNetwork',
operator: 'equal',
value: true
} , {
any: [
{
fact: 'elementIsEncrypted',
operator: 'equal',
value: false
}, {
fact: 'elementIsEncrypted',
operator: 'equal',
value: undefined
}
]
}
]
},
event: {
type: '021ab22d-8d51-4501-9bb8-6dabf9c27f0d',
type: 'c1cae982-3e92-4bb2-b50b-ea51deadbeef',
params: {
ruleId: '021ab22d-8d51-4501-9bb8-6dabf9c27f0d',
title: 'Use encryption',
type: 'Disclosure of information',
modelType: 'LINDDUN',
ruleId: 'c1cae982-3e92-4bb2-b50b-ea51deadbeef',
title: 'Fingerprinting',
type: 'TBD',
modelType: 'TBD',
status: 'Open',
severity: 'High',
description: 'Unencrypted data sent over a public network may be intercepted and read by an attacker, and should be encrypted either at the message or transport level.'
severity: 'TBD',
description: 'Specific requests are sent to the application eliciting information in order to profile the application',
mitigation: ''
}
}
});
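Review bot: Three of the new rules in initialiseRulesByContext share one identifier: 'No context threat suggestion', 'CAPTCHA defeat' and 'Fingerprinting' all set both `event.type` and `params.ruleId` to `c1cae982-3e92-4bb2-b50b-ea51deadbeef`. Any code that keys suggested threats on ruleId, for example to de-duplicate or to remember a dismissed suggestion, would not be able to tell them apart; that code is not visible here, so this is an assumption to confirm. Each rule should carry its own generated UUID, e.g. `ruleId: '<new-uuid-for-captcha-defeat>'` with the matching `type`. The hand-edited `38c51fb4-2370-4ac1-a24a-4ba1deadbeef` on 'Credential stuffing' deserves the same treatment. 'CAPTCHA defeat' also ships with `description: ''` and `mitigation: ''`, and every new rule drops the `diagramType` condition while setting `modelType: 'TBD'`, so it is worth a comment above each rule saying which fields are placeholders, or holding the rule back until the text exists; the function continues outside the visible hunks.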
