Analyze draw.io data flow diagrams for STRIDE threat classes
Project description
materialize threats.
' . .
o ' o . ' . O
' . ' . _____ ' . .
. . .mMMMMMMMm. ' o ' .
' . .MMXXXXXXXXXMM. . '
. . /XX77:::::::77XX\ . . .
o . ;X7:::''''''':::7X; . '
' . |::'.:' '::| . . .
. ;:.:. :;. o .
' . \'.: /. ' .
. `.':. .'. ' .
' . ' .`-._____.-' . . ' .
' o ' . O . ' o '
. ' . ' . ' ' O . ' ' '
. . ' ' . ' . ' '
. .'..' . ' ' . . '. . '
`.':.' ':'.'.'
`\\_ | _//'
\( |\ )/
//\ |_\ /\\
(/ /\(" )/\ \)
\/\ ( ) /\/
|( )|
| \( \
| ) \
| \
| \
|wizardsh`.__,_
\_________.-'
It's magic.
:confetti_ball: Who is this for?
Developers and security practitioners who want to perform 'graph' analysis on data flow diagrams - using SQL.
materialize-threats
ingests draw.io data flow diagrams into a database, represents them like a property graph, then uses SQL to answer questions about them.
Today, we can answer questions like:
- What STRIDE based threat classes :warning: impact which elements and flows in my diagram?
- What mitigations :lock: & test cases :white_check_mark: should be considered for this diagram?
These are just a few ideas.
:moneybag: What's in the box?
- materialize_threats python module
- Parse draw.io data flow diagrams into graph representation (nodes, edges) stored in a RDBMS (sqlite in this demo)
- SQL (ORM) implementation of Rapid Threat Model Prototyping methodology used to generate threat classes
- (Optional) Minimal Draw.io shape library (dfd-materialize.xml)
- Tag trust zones more easily
- Gherkin + STRIDE test plan/feature file generator
:wrench: How do I use it?
Demo
1. Creating the diagram
- Use draw.io with the built-in threat modeling shape set, or use ours
- Create a data flow diagram using some guidelines
- Use processes between entities to describe flows
- Example: [Entity: Browser] --> (Process: Login) ----> [Entity: API]
- Identify trust zones using the green 'security control label' following the Rapid Threat Model Prototyping methodology process
- untrusted sources (entities) are 0
- sinks (data store) are <=9
- +1 or -1 in between
- Processes inherit trust zones from the upstream entity
- Use processes between entities to describe flows
- Save it as a .drawio file in a convenient location
Example
2. Enumerating threats
git clone git@github.com:secmerc/materialize_threats.git
cd materialize_threats
pip install .
materialize-threats --diagram=/path/to/diagram.drawio
3. Creating the feature file
Materialize threats will create a Gherkin feature file with boilerplate scenarios and mitigations, along with remediation tips. By default, it uses the diagram filename.
:mag_right: Sample data
materialize-threats
More samples can be found in the /samples directory
materialize-threats --diagram=samples/bookface.drawio
:warning: Is this production ready?
Not yet.
- There are no tests written, but im pretty sure it works.
- Lots of other python stuff that might horrify you but wont impact functionality that I know of.
:computer: Development
git clone git@github.com:secmerc/materialize_threats.git
cd materialize_threats
python3 -m venv ./venv
source ./venv/bin/activate
pip install -e .
pytest
:link: Links
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
materialize-threats-1.0.0.tar.gz
(22.5 kB
view hashes)
Built Distribution
Close
Hashes for materialize-threats-1.0.0.tar.gz
Algorithm | Hash digest | |
---|---|---|
SHA256 | 3f6a5e9e9136e13da48de5d24057fdd0e75efae56c661dbe338834b6db9e518e |
|
MD5 | be3b4361f57116e65ccf0843f42f48fa |
|
BLAKE2b-256 | ba54b5d36886e5015bc1cea49ae01bfac62a2db38f01aea8ee838ea3e08fcfa0 |
Close
Hashes for materialize_threats-1.0.0-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 5b275b57657a7997ffe04f0f56edffa1b4ebeb9eb141b8bcf9fbb771e3d47be2 |
|
MD5 | 293ab0b5e3637114280034fc9ef220ae |
|
BLAKE2b-256 | 25a789ebeb6dc27fd9639d135a8b6982f12458387e62d69401c835c6c2553783 |