mike-goodwin / owasp-threat-dragon-core

OWASP Threat Dragon core files
Apache License 2.0

Privacy Threat Modelling (eg LINDDUN) #117

Closed fajabird closed 4 years ago

fajabird commented 4 years ago

We are assessing Threat Dragon for our threat modeling workshops and lately we started to extend it to privacy threats. We came across the great LINDDUN framework that is very similar to STRIDE and also uses DFDs.

Therefore it would be great to have either LINDDUN categories in the threat engine or even a "custom" threat option where users can create a list of custom threat categories that are displayed in the drop-down.

jgadsden commented 4 years ago

Hello @fajabird - certainly a good idea. Do you have suggestions on how it should look and what sort of flow is possible? Not necessarily an implementation (unless you want to :-) ) but more of how it could be done

fajabird commented 4 years ago

Hi, the most simple solution would be: in the drop-down menu enumerating the STRIDE threat categories within the "new threat" dialog, please just allow typing, so I can select one of the pre-existing categories or simply type in something else. It does not need to be "saved" for the next "new threat" dialog, but certainly would be great though.

fajabird commented 4 years ago

Another idea (PREFERRED), on the project overview page, is a threat category enumeration: so next to Contributors and Diagrams there would be "Additional threat Categories" with a "+ add custom category": the user can enter the required details (type and description) and is offered check-boxes for the DFD elements this category is relevant for. This way the user can quickly create a list of threat categories and map them to the DFD elements so they show up later on in the diagram editor in "new threat" as well as in the Wizard.

Mockup: "Additional threat Categories" " + Add a new category" "text:name/type"-"text:description"-"checkbox Process"-"checkbox Store"-"checkbox Actor"-"checkbox Flow"

jgadsden commented 4 years ago

Sounds good ... I do not mean to be pushy ( for once :-) ) but how good is your JS? Would you like to be assigned this issue to pull-request these changes as a prototype?

fajabird commented 4 years ago

Hi, sorry but I'm not a developer. So it would require some work to get into it. Could you maybe for now just enable free text as in my first proposal? I will meanwhile try to discuss the change with some more people from the team, eventually someone wants to pick this up. That would be great.

jgadsden commented 4 years ago

Sure @fajabird, that sounds great. I will assign this to you for the moment, and maybe your team members can do some work on it. Thanks again, Jon

fajabird commented 4 years ago

Sorry - I was not able to find anyone who would be able to hack this in efficiently. It looks like you're using SELECT for creating that drop-down list which can be dynamically manipulated. As you know the code much better, would it at least be possible for you to add a field on the main page taking e.g. comma separated list of additional threat-types and add them dynamically to the select-options-list as a starting point? It would take me days to learn the code only for this small change.

jgadsden commented 4 years ago

No problem at all, I hope you did not mind me asking :-) Hope that one of us can get to this issue soon - we all have day-jobs so difficult to say when

https://www.linddun.org/

jgadsden commented 4 years ago

It may be possible to choose what sort of diagram (eg STRIDE, LINDDUN, or other) when configuring the individual diagram in the threat model. This then would determine what pull down categories you get when adding a threat?

This would make the underlying JSON data file compatible with both types of threat category
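The two proposals above (fajabird's custom categories mapped to DFD element types, and jgadsden's per-diagram choice of STRIDE or LINDDUN) sketched as an added example; this is illustrative code, not Threat Dragon's own, and the element-applicability of each built-in category is an assumption:

```javascript
// Added example (not Threat Dragon code): each diagram declares a threatType,
// custom categories carry the element types they apply to, and a consistency
// check flags recorded threats that no longer fit their diagram's framework.
// Element names follow the mockup in the thread; built-in applicability is assumed.
const ALL = ['process', 'store', 'actor', 'flow'];
const FRAMEWORKS = {
  STRIDE: [
    { name: 'Spoofing', elements: ['process', 'actor'] },
    { name: 'Tampering', elements: ['process', 'store', 'flow'] },
    { name: 'Repudiation', elements: ['process', 'store', 'actor'] },
    { name: 'Information disclosure', elements: ['process', 'store', 'flow'] },
    { name: 'Denial of service', elements: ['process', 'store', 'flow'] },
    { name: 'Elevation of privilege', elements: ['process'] },
  ],
  LINDDUN: [
    { name: 'Linkability', elements: ALL },
    { name: 'Identifiability', elements: ALL },
    { name: 'Non-repudiation', elements: ALL },
    { name: 'Detectability', elements: ALL },
    { name: 'Disclosure of information', elements: ['process', 'store', 'flow'] },
    { name: 'Unawareness', elements: ['actor'] },
    { name: 'Non-compliance', elements: ['process', 'store'] },
  ],
};

// Constructed sample model: one STRIDE diagram, one LINDDUN diagram, and one
// custom category entered on the proposed "Additional threat Categories" page.
const model = {
  customCategories: [{ name: 'Profiling', elements: ['store', 'process'] }],
  diagrams: [
    { id: 'd1', threatType: 'STRIDE', threats: [{ element: 'flow', category: 'Tampering' }] },
    { id: 'd2', threatType: 'LINDDUN', threats: [{ element: 'actor', category: 'Tampering' },
                                                  { element: 'store', category: 'Profiling' }] },
  ],
};

// Names offered in the "new threat" drop-down for one element in one diagram.
function categoriesFor(m, diagramId, elementType) {
  const d = m.diagrams.find(x => x.id === diagramId);
  if (!d) throw new Error(`unknown diagram ${diagramId}`);
  const builtIn = FRAMEWORKS[d.threatType];
  if (!builtIn) throw new Error(`unknown threat type ${d.threatType}`);
  return [...builtIn, ...(m.customCategories || [])]
    .filter(c => c.elements.includes(elementType))
    .map(c => c.name);
}

// Flags threats whose category is not valid for the diagram's framework and
// element, e.g. after a diagram was duplicated and switched from STRIDE to LINDDUN.
function findInvalidThreats(m) {
  const bad = [];
  for (const d of m.diagrams)
    for (const t of d.threats)
      if (!categoriesFor(m, d.id, t.element).includes(t.category))
        bad.push({ diagram: d.id, element: t.element, category: t.category });
  return bad;
}
```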

fajabird commented 4 years ago

That would be great. As there is a way to duplicate a diagram it would be not a big issue to do e.g. STRIDE and LINDDUN on the same diagram.

jgadsden commented 4 years ago

Migrated to new issue in the OWASP area repo: https://github.com/OWASP/threat-dragon-core/issues/16