Stored, sent and received data assets are always processed

Threagile / threagile

Agile Threat Modeling Toolkit

https://threagile.io

MIT License

577 stars 126 forks source link

Stored, sent and received data assets are always processed #18

Closed aceg1k closed 5 months ago

aceg1k commented 3 years ago

Hi,

thank you very much for your great work on this project, I hope it is still active and open for pull requests.

Rationale

Whenever data assets are stored, sent or received by a technical asset they are also processed in some way by that technical asset. This leads to tight coupling of data_assets_processed with data_assets_stored, data_assets_sent and data_assets_received (relating to both, outgoing and incoming communication links). IMHO data_assets_processed is of almost no practical use, when a data asset processed is not stored and not transferred somewhere.

Proposal

Infer data_assets_processed based on data assets stored and data assets used in outgoing and incoming communication links and do not require data_assets_processed to be set and continuously maintained.

As a stored data asset always implies a processed data asset some of the code became redundant and was removed.

I look forward to your feedback!

cschneider4711 commented 3 years ago

Nice idea... Yep, there is definitely some kind of indirect relationship between the processed assets as being based on the stored/sent/received ones. Even in some model-validating rules this is checked.

The ideas was to allow a top-down modeling approach to model the communication links after all the components have been modeled and therefore already have a laid-out plan of what to process (as some kind of cross-check). But indeed, when modeling this all in a row, the value could also nicely be inferred, easing the modeling process.

cschneider4711 commented 3 years ago

... speaking of inferring model values:

It would probably also make sense to infer the C,I,A ratings (Confidentiality, Integrity, Availability) of technical components based on the highest data assets' C,I,A ratings of stored/sent/received data assets. This could ease the modeling approach even more...

aceg1k commented 2 years ago

It would probably also make sense to infer the C,I,A ratings (Confidentiality, Integrity, Availability) of technical components based on the highest data assets' C,I,A ratings of stored/sent/received data assets. This could ease the modeling approach even more...

Yes, I think so too and already implemented that some days ago. Just didn't want to mix up things, so I just opened another PR.

ezavgorodniy commented 5 months ago

@joreiche this PR https://github.com/joreiche/threagile/pull/4 is for merging this PR into your fork which later may be used in https://github.com/Threagile/threagile/pull/57

joreiche commented 5 months ago

this pr has been resolved with #57