mozilla / seasponge

:pineapple: SeaSponge is an accessible threat modelling tool from Mozilla
http://mozilla.github.io/seasponge/
Mozilla Public License 2.0
278 stars 64 forks

Pre-built threats from OWASP #66

Open sbmilburn opened 9 years ago

sbmilburn commented 9 years ago

Would be a nice feature to have a set of pre-built threats vs having users create every threat themselves. A good place to start would be the OWASP Top10 list. https://www.owasp.org/index.php/Main_Page

Glavin001 commented 9 years ago

Great idea! It would be awesome to have templates of pre-built threat models that users can start off with, instead of loading / creating their own.

mlmurray commented 9 years ago

This is the way that the Microsoft Threat Modeling Tool (TMT) works - STRIDE is evaluated for each element and data flow and threats are automatically generated. I'd like to see this tool do the same.

Glavin001 commented 9 years ago

:+1: Definitely sounds like the way to go. We had discussed STRIDE and TMT as a team while developing. I definitely want to have a repository of threats that are associated with elements and data flows.

It would be great to pull threats from OWASP automatically, however since it is in a Wiki format we may have to do a lot of the grunt work right now. A database & API of threats would be great!

What about having a repository for Threats and their relationships to elements and flows? Pull Requests could be submitted to this repository and we could gradually grow to support many more threats than TMT.

Using GitHub's API ( https://github.com/michael/github ) we could retrieve these Threats from the repo and automatically populate SeaSponge independently, even without redeploying. Although redeploying only takes 3-4 minutes.

Said repository could reside in SeaSponge's repository here. We could have a directory with multiple files or a large JSON / YAML file with each of the threats and their meta data. I'd like to make this easy enough to maintain and add to that users will feel comfortable contributing to and adding more threats on their own.

/cc @Frozenfire92 Thoughts?
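What a JSON threat repository of the kind proposed above, paired with TMT-style generation that walks every element and data flow of a model, could look like. This is an added example, not SeaSponge's code; the repository schema, the threat entries and the sample model are all assumptions for illustration.

```javascript
// Constructed threat repository in the JSON shape the thread proposes: each entry names its STRIDE
// category, what it applies to (element type or flow) and a declarative condition. (Assumed schema.)
const THREAT_REPO = [
  { id: "T-SPOOF-1", stride: "Spoofing", title: "Flow source not authenticated",
    appliesTo: { kind: "flow" }, when: { authenticated: false },
    mitigation: "Authenticate the sender (mTLS, signed tokens)." },
  { id: "T-TAMP-1", stride: "Tampering", title: "Data modified in transit",
    appliesTo: { kind: "flow" }, when: { encrypted: false },
    mitigation: "Protect the channel with TLS and integrity checks." },
  { id: "T-INFO-1", stride: "Information Disclosure", title: "Data readable at rest",
    appliesTo: { kind: "element", type: "datastore" }, when: { encryptedAtRest: false },
    mitigation: "Encrypt the store and restrict read access." },
  { id: "T-ELEV-1", stride: "Elevation of Privilege", title: "Over-privileged process",
    appliesTo: { kind: "element", type: "process" }, when: {},
    mitigation: "Run under a least-privilege account." },
];
// True when every attribute named in `when` has the required value on `obj`.
function conditionHolds(when, obj) {
  return Object.entries(when).every(([k, v]) => obj[k] === v);
}
// TMT-style generation: visit each element and flow, instantiate every matching repository threat.
function generateThreats(model, repo = THREAT_REPO) {
  const targets = [
    ...model.elements.map((e) => ({ kind: "element", type: e.type, obj: e })),
    ...model.flows.map((f) => ({ kind: "flow", obj: f })),
  ];
  const found = [];
  for (const t of targets) {
    for (const th of repo) {
      const typeOk = th.appliesTo.type === undefined || th.appliesTo.type === t.type;
      if (th.appliesTo.kind === t.kind && typeOk && conditionHolds(th.when, t.obj)) {
        found.push({ threat: th.id, stride: th.stride, target: t.obj.name, mitigation: th.mitigation });
      }
    }
  }
  return found;
}
// Constructed sample model: browser -> web app -> database.
const SAMPLE_MODEL = {
  elements: [
    { name: "Browser", type: "external" },
    { name: "WebApp", type: "process" },
    { name: "UserDB", type: "datastore", encryptedAtRest: false },
  ],
  flows: [
    { name: "Browser->WebApp", encrypted: true, authenticated: false },
    { name: "WebApp->UserDB", encrypted: false, authenticated: true },
  ],
};
```

Because `when` is plain data rather than code, the whole repository can live as a JSON or YAML file in the repo and be fetched at runtime, as the comment above suggests.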

Frozenfire92 commented 9 years ago

> Said repository could reside in SeaSponge's repository here. We could have a directory with multiple files or a large JSON / YAML file with each of the threats and their meta data. I'd like to make this easy enough to maintain and add to that users will feel comfortable contributing to and adding more threats on their own.

I like this idea, but it would be interesting if OWASP was interested in maintaining a repository that we could then pull from. This wouldn't limit any other interested parties from scraping our repo, but being able to contribute to a common official repo

Glavin001 commented 9 years ago

+1, having a repository of threats separate from but used by SeaSponge and maintained by OWASP would be great!