Question: What's the purpose of defining trust boundary?

[rucciva]

Hi, thanks for creating this apps.

Just wondering, what would be the effect of not defining trust boundary? I've tried creating threat model with and without trust boundary but aside from the dfd, there is nothing different, especially in the threat report.

[izar]

Right now we are not using the Boundary class for any rules, but there is a crosses() function defined that checks if a dataflow is crossing boundaries. It is functionality that is intended to improve in the next iteration of rules (coming RSN).

[rucciva]

Thanks @izar for the explanation.

Another thing, in theory, does crossing multiple boundary different from crossing just one boundary in terms of possible threat?

[izar]

Do you mean crossing nested boundaries? I guess that would depend on how the crossing happens, that is, if there is a change in trust at every boundary or only one big leap from the inner to the outer, for example. Can you give a scenario?

[rucciva]

Yes, nested boundaries.

For example: Users -> web server -> db

Where

Db is inside a boundary, which is rds cluster, Web server in a boundary which is kubernetes cluster, Rds and kubernetes boundary are inside the same vpc, which separate against the user.

When user access the web server, they will cross both the vpc and kubernetes cluster.

[rucciva]

Or, should i add load balancer between user and web server (just like in reality) as an element, that way user will cross only the vpc boundary, while communication from lb to webserver will cross kubernetes boundary, and web server to db will cross rds cluster blundary?

[izar]

If the load balancer is something you want to be in scope of your threat model, then it should be there. But I think that here in this case, even though the trust boundaries are nested, the request is not really traversing them all - as you probably don't have users going straight to the db. So the trust chain is user->web server, web server->rds with different identities (right?) and possibly distinct modes of authn and authz. The threats in that case would be distinct and separate, I believe.

[rucciva]

Noted @izar , its clear now. Thanks