Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add categories to threats #83

Closed
wants to merge 1 commit into from

Conversation

nineinchnick
Copy link
Collaborator

@nineinchnick nineinchnick commented Mar 15, 2020

Add a categories field to threats so custom threat libraries can use any threat taxonomy.

Formatted the threats.json file using jq so it has consistent identation.

@nineinchnick nineinchnick requested a review from izar as a code owner March 15, 2020 15:37
@ghost
Copy link

ghost commented Mar 15, 2020

Congratulations 🎉. DeepCode analyzed your code in 2.696 seconds and we found no issues. Enjoy a moment of no bugs ☀️.

👉 View analysis in DeepCode’s Dashboard | Configure the bot

@adamshostack
Copy link

Categories implies exclusivity, and STRIDE is bad at that. Maybe "type of threat" or "tags"?

@nineinchnick
Copy link
Collaborator Author

nineinchnick commented Mar 15, 2020

TBH I choose categories because I was recently looking at https://github.com/microsoft/threat-modeling-templates/blob/master/default.tb7#L2520
I'm ok with types. Throwing in threats in there looks reduntant. Tags seem too generic and I'd remove STRIDE from threats.json. But I'm also ok with that as I'm using a custom threats db.

@izar has the final word so WDYT?

@izar
Copy link
Collaborator

izar commented Mar 15, 2020

I'd prefer we keep pytm methodology-agnostic, avoiding nomenclature that's closely related to one methodology or another.

@nineinchnick
Copy link
Collaborator Author

So how should I proceed? Remove changes to threats.json and somehow rename the new field?

@nineinchnick nineinchnick force-pushed the threat-categories branch 2 times, most recently from e547edd to feaaf69 Compare March 16, 2020 09:40
@nineinchnick nineinchnick changed the title add STRIDE categories to threats add categories to threats Mar 16, 2020
@nineinchnick
Copy link
Collaborator Author

I removed all default categories but left the field named like that.

@izar
Copy link
Collaborator

izar commented Mar 17, 2020

what values would go there? I don't know if i like adding fields just because.

@nineinchnick
Copy link
Collaborator Author

Yeah, it only made sense when actually adding some categories in the threat db. I'm looking at CAPEC right now and since it's actually a hierarchical db, not a flat one, there's no existing field there that we could use to group the threats somehow. BTW does the prefixes in IDs mean anything? If yes, maybe we could use those as categories?

When going through all threats I did get a feeling some are very generic and some very specific. Looks like they've been picked from different levels of CAPEC.

BTW2 "Likelihood Of Attack" is also unused :-P

If we can't find anything to put into categories I'm fine with closing this for now and getting back to it later when I'll have other contributions to the threat db itself.

@izar
Copy link
Collaborator

izar commented Mar 17, 2020 via email

@nineinchnick
Copy link
Collaborator Author

So if we can fill out the categories based on IDs, this would be more explicit and allow grouping threats by categories. Given the high number of threats and broad conditions this should help to manage findings.

Note, #86 is also to allow grouping but by element. This breaks up a potentially very long list of findings in the report.

@nineinchnick
Copy link
Collaborator Author

I'd like to use values from the Scope column in the table in Consequences section.

image

https://capec.mitre.org/data/definitions/98.html

@nineinchnick nineinchnick force-pushed the threat-categories branch 4 times, most recently from 5ccc384 to 2c99f29 Compare March 25, 2020 10:44
@nineinchnick nineinchnick force-pushed the threat-categories branch 2 times, most recently from 152fd62 to 753a3e9 Compare March 27, 2020 15:35
@nineinchnick
Copy link
Collaborator Author

I checked and both CAPEC and CWE defines this scope field. CAPEC describes it as:

The Scope identifies the security property that is violated,

CWE schema has this description:

The ScopeEnumeration simple type defines the different areas of security that can be affected by exploiting a weakness.

Possible values:

  • Confidentiality
  • Integrity
  • Availability
  • Access Control
  • Accountability
  • Authentication
  • Authorization
  • Non-Repudiation

Those look similar to properties associated with STRIDE items:

Threat Desired property
Spoofing Authenticity
Tampering Integrity
Repudiation Non-repudiability
Information disclosure Confidentiality
Denial of Service Availability
Elevation of Privilege Authorization

So how about we name it properties? Now we can add a meaningful description to the field in the Threat class :-)

@izar
Copy link
Collaborator

izar commented Apr 10, 2020 via email

@nineinchnick
Copy link
Collaborator Author

Fundament is also pretty generic. How about affectedSecurityPropreties? The value in this is that some of those properties may be more important in a model, depending on the business domain, and it should help prioritize threats. Threats affecting certain properties might be always critical.

Making it a multi-valued field makes it easy to extend pytm to do some post processing and to either grouping threats or highlighting values in this field.

@izar
Copy link
Collaborator

izar commented Apr 26, 2020 via email

@izar
Copy link
Collaborator

izar commented Jun 15, 2020

So where are we with this one? Is it impactedSecurityProperties ?

@nineinchnick
Copy link
Collaborator Author

Renamed but I have not filled the values in threats.json

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants