Awesome
<br> Threat modeling-as-a-Code in a Tick (TicTaaC) Lightweight and easy-to-use Threat modeling solution following DevSecOps principles
Preface
"One day the customer asked to perform threat modeling for our product. Of course, we have heard about it a lot from different teams, I have even read several articles and looked through a book to get familiar with this process, but they were too abstract as for me and didn't give me a certainty at all. Then we have faced several enterprise - level products which theoretically would help us, but we didn't want to deploy the whole security program because of it, we just wanted to get the prioritized threats list for our product to put it in our security backlog. Nothing else"
<p align="right"><em>Anonymous Developer</em></p>Idea
The idea behind this product is clear - I want to create something simple that would help to solve this difficult problem. Ideally, with <em>one click</em> or <em>a command</em> and with a possibility to integrate it into a pipeline and do it <em>continuously</em> if needed. Inspired by <em>dependency-check</em> architecture and simplicity plus taking in mind that <em>developers just love mapping</em> everything in code, I've created <strong>"TicTaaC"</strong>, which means <em>"<strong>T</strong>hreat modeling-<strong>a</strong>s-<strong>a</strong>-<strong>C</strong>ode in a <strong>Tic</strong>k"</em>
Usage
All the tool is needed is a <strong>data flow code file</strong> described in the <em>yml-like format</em> specially designed for this.<br> <strong>The examples</strong> of these files with verbose comments describing every aspect may be found here. <br>
Command Line
More detailed instructions can be found on the github wiki. The latest CLI can be downloaded from github in the releases section. <br> <strong>On *nix:</strong>
$ ./bin/tic-taac.sh -h
$ ./bin/tic-taac.sh --out . --threatModel [path to threat model file(s) or folder to scan]
<strong>On Windows:</strong>
> .\bin\tic-taac.bat -h
> .\bin\tic-taac.bat --out . --threatModel [path to threat model file(s) or folder to scan]
Docker
See TicTaaC Docker Hub repository.
<strong>Quickstart on Windows:</strong>
> docker run --volume /D/threat-model:/threat-model --volume /D/report:/report rusakovichma/tic-taac:latest --threatModel /threat-model/ --out /report
<strong>*nix script:</strong>
#!/bin/sh
TT_VERSION="latest"
THREAT_MODEL_DIR=$HOME/threat-model
# Make sure we are using the latest version
docker pull rusakovichma/tic-taac:$TT_VERSION
docker run --rm \
-e user=$USER \
-u $(id -u ${USER}):$(id -g ${USER}) \
--volume $THREAT_MODEL_DIR:/threat-model:z \
--volume $(pwd)/report:/report:z \
rusakovichma/tic-taac:$TT_VERSION \
--threatModel /threat-model \
--outFormat html \
--out /report
# Set mitigation strategy for the corresponding threats
# see https://github.com/rusakovichma/TicTaaC/blob/master/expl/mitigations.yml
# --mitigations /threat-model/mitigations.yml
# or set the folder where scan the mitigations files: --mitigations /mitigations
Jenkins pipeline
For TicTaaC usage at Jenkins pipeline, see Jenkinsfile example.
Data Flows Examples
Generated report example
Features
- Automatic Data Flow generation in a report
- Ideal for Security Teams - it has flexible Threats Library logic customization in a separate file with special expression language support
- Suitable for CICD pipeline integration
- Setting Quality Gate that can block the product release in case if unmitigated threats are presented
- No required additional dependencies
- Special lightweight and easy-to-understand format for data flows description
- Automatic Threats Attack Vector & Risk Score calculation based on the data flow context
- Threats classification by OWASP Top 10 and Microsoft STRIDE
- Setting Threats mitigation strategy in one place
- Reporting in html or json format
License
Copyright (c) Mikhail Rusakovich
Licensed under the Apache License version 2.0