Analyze draw.io data flow diagrams for STRIDE threat classes

Project description

materialize threats.
                              '             .           .
                           o       '   o  .     '   . O
                        '   .   ' .   _____  '    .      .
                         .     .   .mMMMMMMMm.  '  o  '   .
                       '   .     .MMXXXXXXXXXMM.    .   ' 
                      .       . /XX77:::::::77XX\ .   .   .
                         o  .  ;X7:::''''''':::7X;   .  '
                        '    . |::'.:'        '::| .   .  .
                           .   ;:.:.            :;. o   .
                        '     . \'.:            /.    '   .
                           .     `.':.        .'.  '    .
                         '   . '  .`-._____.-'   .  . '  .
                          ' o   '  .   O   .   '  o    '
                           . ' .  ' . '  ' O   . '  '   '
                            . .   '    '  .  '   . '  '
                             . .'..' . ' ' . . '.  . '
                              `.':.'        ':'.'.'
                                `\\_  |     _//'
                                  \(  |\    )/
                                  //\ |_\  /\\
                                 (/ /\(" )/\ \)
                                  \/\ (  ) /\/
                                     |(  )|
                                     | \( \
                                     |  )  \
                                     |      \
                                     |       \
                                     |wizardsh`.__,_
                                     \_________.-'
It's magic.

:confetti_ball: Who is this for?

Developers and security practitioners who want to perform 'graph' analysis on data flow diagrams - using SQL.

materialize-threats ingests draw.io data flow diagrams into a database, represents them like a property graph, then uses SQL to answer questions about them.

Today, we can answer questions like:

  • What STRIDE-based threat classes :warning: impact which elements and flows in my diagram?
  • What mitigations :lock: & test cases :white_check_mark: should be considered for this diagram?

These are just a few ideas.

:moneybag: What's in the box?

  • materialize_threats Python module
  • (Optional) Minimal Draw.io shape library (dfd-materialize.xml)
    • Tag trust zones more easily
  • Gherkin + STRIDE test plan/feature file generator

:wrench: How do I use it?

1. Creating the diagram

  • Use draw.io with the built-in threat modeling shape set, or use ours
  • Create a data flow diagram using some guidelines
    • Use processes between entities to describe flows
      • Example: [Entity: Browser] --> (Process: Login) ----> [Entity: API]
    • Identify trust zones using the green 'security control label' following the Rapid Threat Model Prototyping methodology process
      • untrusted sources (entities) are 0
      • sinks (data store) are <=9
      • +1 or -1 in between
    • Processes inherit trust zones from the upstream entity
  • Save it as a .drawio file in a convenient location

Example

2. Enumerating threats

pip install materialize-threats
materialize-threats --diagram=/path/to/diagram.drawio

3. Creating the feature file

Materialize threats will create a Gherkin feature file with boilerplate scenarios and mitigations, along with remediation tips. By default, it uses the diagram filename.
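
The idea behind the steps above, sketched as an added example that is not the project's own code: a small data flow diagram is stored as nodes and edges in SQLite, processes inherit the trust zone of their upstream entity, and a SQL query flags flows that cross zones. The table names, the zone values for the constructed diagram, the zone-to-STRIDE rule set and the feature text format are all assumptions made for illustration.

```python
import sqlite3

# Constructed sample: [Browser] -> (Login) -> [API] -> (Store user) -> [Users DB]
# plus a return flow [API] -> (Show profile) -> [Browser].
ELEMENTS = [  # (id, name, kind, zone); processes have no zone of their own
    (1, "Browser", "entity", 0), (2, "Login", "process", None),
    (3, "API", "entity", 1), (4, "Store user", "process", None),
    (5, "Users DB", "datastore", 2), (6, "Show profile", "process", None),
]
FLOWS = [(1, 2), (2, 3), (3, 4), (4, 5), (3, 6), (6, 1)]  # (src id, dst id)

SCHEMA = """
CREATE TABLE element(id INTEGER PRIMARY KEY, name TEXT, kind TEXT, zone INTEGER);
CREATE TABLE flow(src INTEGER, dst INTEGER);
-- A process inherits the trust zone of its upstream entity.
CREATE VIEW zoned AS
SELECT e.id, e.name, COALESCE(e.zone,
         (SELECT u.zone FROM flow f JOIN element u ON u.id = f.src
           WHERE f.dst = e.id AND u.zone IS NOT NULL LIMIT 1)) AS zone
FROM element e;
"""

# Assumed rule set for illustration: a flow into a higher zone threatens the
# target's integrity; a flow into a lower zone risks leaking data.
THREATS = """
SELECT s.name, d.name,
       CASE WHEN s.zone < d.zone
            THEN 'Spoofing, Tampering, Elevation of privilege'
            ELSE 'Information disclosure' END
FROM flow f JOIN zoned s ON s.id = f.src JOIN zoned d ON d.id = f.dst
WHERE s.zone <> d.zone
ORDER BY f.src, f.dst;
"""

def enumerate_threats(elements=ELEMENTS, flows=FLOWS):
    """Load the graph into an in-memory database and return flagged flows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO element VALUES (?, ?, ?, ?)", elements)
    db.executemany("INSERT INTO flow VALUES (?, ?)", flows)
    return db.execute(THREATS).fetchall()

def to_feature(rows, name="sample"):
    """Render flagged flows as Gherkin-style scenario headings."""
    lines = [f"Feature: Threats in {name}"]
    for src, dst, classes in rows:
        lines.append(f"  Scenario: {classes} on flow {src} -> {dst}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(to_feature(enumerate_threats()))
```

Flows that stay inside one zone, such as Browser to Login, produce no row, which is why the guideline to route every flow through a process matters: the process carries the upstream zone to the boundary where the comparison happens.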

:mag_right: Sample data

materialize-threats

More samples can be found in the /samples directory

materialize-threats --diagram=samples/bookface.drawio

:warning: Is this production ready?

Not yet.

  • There are no tests written, but I'm pretty sure it works.
  • Lots of other Python stuff that might horrify you but won't impact functionality that I know of.

:computer: Development

git clone git@github.com:secmerc/materialize_threats.git
cd materialize_threats
python3 -m venv ./venv
source ./venv/bin/activate
pip install -e .
pytest

Publishing

python3 -m pip install --user --upgrade setuptools wheel twine

python3 setup.py sdist bdist_wheel
python3 -m twine upload dist/*

:link: Links


Download files

Source Distribution

materialize-threats-1.0.2.tar.gz (22.7 kB)

Uploaded Source

Built Distribution

materialize_threats-1.0.2-py3-none-any.whl (33.5 kB)

Uploaded Python 3

File details

Details for the file materialize-threats-1.0.2.tar.gz.

File metadata

  • Download URL: materialize-threats-1.0.2.tar.gz
  • Upload date:
  • Size: 22.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.2.0 pkginfo/1.5.0.1 requests/2.24.0 setuptools/41.2.0 requests-toolbelt/0.9.1 tqdm/4.48.2 CPython/3.7.2

File hashes

Hashes for materialize-threats-1.0.2.tar.gz
Algorithm Hash digest
SHA256 75e8b19d3f60be34034c21bf000b18851efdd149535e4d581b9aebf1f1f644f1
MD5 48de45774c6cbfc233980f6dc695e9c2
BLAKE2b-256 6dbc1c7c92957fe9221b15688a545adf5c8f8760a0e59893c5ac2b619bfbd7de

File details

Details for the file materialize_threats-1.0.2-py3-none-any.whl.

File metadata

  • Download URL: materialize_threats-1.0.2-py3-none-any.whl
  • Upload date:
  • Size: 33.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.2.0 pkginfo/1.5.0.1 requests/2.24.0 setuptools/41.2.0 requests-toolbelt/0.9.1 tqdm/4.48.2 CPython/3.7.2

File hashes

Hashes for materialize_threats-1.0.2-py3-none-any.whl
Algorithm Hash digest
SHA256 434881a915e940819fe8fc8664d1ff918a0c44a706ef35ef911fe45bd813424e
MD5 5cfe5d8f1001836c51053cf6a2dee0c2
BLAKE2b-256 422171fe442b4f74a13db9b76a96074c27e6c37af95a440256d08206ecd95b0c
