OWASP / threat-dragon

An open source threat modeling tool from OWASP
https://owasp.org/www-project-threat-dragon/
Apache License 2.0

Integrate threat engine with Cornucopia / EoP cards #140

Open jgadsden opened 4 years ago

jgadsden commented 4 years ago

TD suggests STRIDE when adding threats to the data flow diagram, and one idea is that when one of the STRIDE categories is suggested by TD, then the default description could have a link to the specific EoP suit (so for example if it is Repudiation then we could link to the EoP Repudiation suit).

This would need the EoP to be split out into the individual suits (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege), subject of https://github.com/adamshostack/eop/issues/3

jgadsden commented 4 years ago

@adamshostack advised that the threat information is accessible in https://github.com/adamshostack/eop/blob/master/cards.yaml - which can be accessed by TD to display what sort of threats could be present and the possible mitigations.

Given that there are (73) cards, there has to be context applied to the selection displayed.

github-actions[bot] commented 5 months ago

This issue is stale because it has been open for 6 months with no activity.

sydseter commented 3 months ago

Hi, at OWASP Cornucopia we are working at linking Cornucopia and EoP cards to OpenCRE. We therefore have individual endpoints at copi.owasp.org that lead to each card. Perhaps we could work together on this? Would that be a good idea?

We are planning on adding more contextual information to each endpoint with an explanation, and we can of course map to the STRIDE categories.

jgadsden commented 3 months ago

Yes, this certainly is a good step forward. Could you provide an example of the API in action @sydseter?

This would be a good feature to justify a 2.3 release of Threat Dragon

sydseter commented 3 months ago

Certainly. Keep in mind that we want to make some changes on the endpoint to better support multiple decks and editions, and we still have to add the additional context for each card. We have the text ready, but this is what we have now:

https://copi.securedelivery.io/cards/1.0/SP2
https://copi.securedelivery.io/cards/1.0/TA3
https://copi.securedelivery.io/cards/1.0/RE2
https://copi.securedelivery.io/cards/1.0/DS2
https://copi.securedelivery.io/cards/1.0/EP2
https://copi.securedelivery.io/cards/1.0/EP5

We are working on the routing so that the address will be:

https://copi.owasp.org/cards/1.0/{card code}

The available card codes can be found at:

https://github.com/OWASP/cornucopia/tree/master/source

We are also working on adding the latest EoP cards that were missing from the original deck and

copi.securedelivery.org is an application that is donated to the OWASP Foundation; it will be moved to the foundation-owned servers.

sydseter commented 3 months ago

The full YAML source can be found at https://github.com/OWASP/cornucopia/tree/master/source

We also have endpoints to the OWASP Cornucopia Website App and Mobile App editions.

OWASP Cornucopia Website App Edition:

https://copi.securedelivery.io/cards/2.00/DV2
https://copi.securedelivery.io/cards/2.00/AC2
https://copi.securedelivery.io/cards/2.00/SM2
https://copi.securedelivery.io/cards/2.00/AZ2
https://copi.securedelivery.io/cards/2.00/CR2
https://copi.securedelivery.io/cards/2.00/CO2

OWASP Cornucopia Mobile App Edition:

https://copi.securedelivery.io/cards/1.00/CO2
https://copi.securedelivery.io/cards/1.00/PC2
https://copi.securedelivery.io/cards/1.00/AA2
https://copi.securedelivery.io/cards/1.00/NS2
https://copi.securedelivery.io/cards/1.00/RS2
https://copi.securedelivery.io/cards/1.00/CRM2
https://copi.securedelivery.io/cards/1.00/COM2

sydseter commented 3 months ago

The cards will be added to OpenCRE as soon as we have fixed the routing.

sydseter commented 3 months ago

We in OWASP Cornucopia are launching a new website which will have a slightly better card browser with links and references to ASVS, MASVS, information and taxonomy for each card and so on, but it will take some time to get it done. It will most likely be deployed at the end of August, but it will be the best option for connecting the two projects.

jgadsden commented 3 months ago

Thanks @sydseter, and I will try and work out the best way to link to the Web App and Mobile App cards from the threat dialog. It will take a bit of thought: the dialog is just plain text, and it will have to combine with the threat attributes to link to 2 or 3 relevant cards.

sydseter commented 3 months ago

Thank you. Personally I never use more than one card per threat; the reason I am doing that is because each card is formulated with a threat actor, an attack vector and mitigation steps. It therefore almost always makes sense with 1-to-1 relationships. It is possible to aggregate them into one specific threat as well, but it usually makes the model harder to understand and each threat quite bloated.

jgadsden commented 2 months ago

There may be some time before the card URLs are determined, so bumping this issue back to version 2.4