mike-goodwin / owasp-threat-dragon

An open source, online threat modelling tool from OWASP
http://mike-goodwin.github.io/owasp-threat-dragon/
Apache License 2.0
481 stars 130 forks

Threat Model: Access Level Controls Defined on the model file - GitHub #124

Closed johocurtest closed 4 years ago

johocurtest commented 4 years ago

It seems there is no ACL on the threat model file created in GitHub

Steps:

Result: User B can change file from User A (no Read/Edit/Modify ACL)

jgadsden commented 4 years ago

Hello @johocurtest - agreed that anyone who has read access to the GitHub repo can see the threat model, and indeed if they have write access then they can modify it, which is a consequence of the permissions on the GitHub repo that is being used.

There are two use cases that I see for TD:

  1. web app access to a shared github repo, with access control determined by the repo
  2. desktop app used to create / read / update the json file in a source tree stored in a repo

The company I work for uses TD desktop and an Atlassian repo, which seems to work well. If you want to use the web app then access control is needed on the GitHub repo.

There is a GitLab integration for TD on a fork that may be of interest: https://github.com/mike-goodwin/owasp-threat-dragon/issues/68#issuecomment-590002400

jgadsden commented 4 years ago

Migrated to new issue in the OWASP area repo: https://github.com/OWASP/threat-dragon/issues/10