stevespringett / threatmodel-sdk

A Java library for parsing and programmatically using threat models

automate threatmodel creation #8

Open javabeanz opened 7 years ago

javabeanz commented 7 years ago

Start with a Java web application by analyzing web.xml, bundled jars, etc.

stevespringett commented 7 years ago

Platform/language specific analyzers are out of scope for this project. But if anyone wants to create an analyzer, they can utilize this SDK to normalize the threat model. By doing so, commercial products or open source projects that utilize this SDK will automatically be able to import the identified threats.

javabeanz commented 7 years ago

Maybe this could be a separate project then. Could it be usefully combined with OWASP ZAP, for instance?

stevespringett commented 7 years ago

I don't think it could be used with ZAP. Dynamic analysis tools generate a bunch of findings, potentially vulnerabilities; the Threat Model SDK is designed around threats, not vulnerabilities. So the SDK is much more aligned with threat modeling tools like the Microsoft Threat Modeling Tool. IriusRisk now includes the SDK in their product for this reason.

But there are ways that use of the SDK could be automated. In a typical STRIDE approach, you could analyze potential threats from an AWS cloud formation script for example, since the script would define all the data sources, services, and data flow between them. The only thing that may have to be manually added would be trust boundaries between the components.
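The CloudFormation idea in the comment above, as an added example written for this edit (it is not code from threatmodel-sdk or from any participant in the thread): every `Ref`, `Fn::GetAtt` or `Fn::Sub` reference from one resource's `Properties` to another logical resource is read as "source uses destination" and becomes a data flow, which gives the flow list for free. Trust zones are the part that still needs a person: a small default table puts API Gateway resources in an "internet-facing" zone and everything else in "account-internal", and a caller-supplied override dict stands in for the manually drawn boundaries. The sample template, the element-kind table, the zone heuristic and the STRIDE prompts attached to each crossing are all assumptions made for this example.

```python
"""
Added example: derive STRIDE-style data flows and trust-boundary crossings
from a CloudFormation template (JSON form). Not threatmodel-sdk code.
"""
import re

# Constructed sample template for this example; not a real stack.
TEMPLATE = {
    "Resources": {
        "OrdersApi": {
            "Type": "AWS::ApiGateway::RestApi",
            "Properties": {"Name": "orders"},
        },
        "OrdersMethod": {
            "Type": "AWS::ApiGateway::Method",
            "Properties": {
                "RestApiId": {"Ref": "OrdersApi"},
                "HttpMethod": "POST",
                "Integration": {
                    "Type": "AWS_PROXY",
                    "Uri": {"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/"
                                       "2015-03-31/functions/${OrdersFunction.Arn}/invocations"},
                },
            },
        },
        "OrdersFunction": {
            "Type": "AWS::Lambda::Function",
            "Properties": {
                "Runtime": "python3.12",
                "Handler": "app.handler",
                "Role": "arn:aws:iam::123456789012:role/orders-fn",
                "Environment": {"Variables": {
                    "TABLE": {"Ref": "OrdersTable"},
                    "BUCKET_ARN": {"Fn::GetAtt": ["ExportBucket", "Arn"]},
                }},
            },
        },
        "OrdersTable": {"Type": "AWS::DynamoDB::Table",
                        "Properties": {"BillingMode": "PAY_PER_REQUEST"}},
        "ExportBucket": {"Type": "AWS::S3::Bucket"},
    }
}

# ${Logical} or ${Logical.Attr}; pseudo-parameters like ${AWS::Region} do not match.
SUB_REF = re.compile(r"\$\{([A-Za-z0-9]+)(?:\.[A-Za-z0-9]+)?\}")


def find_refs(node, acc=None):
    """Collect logical IDs referenced anywhere under `node` via Ref, Fn::GetAtt, Fn::Sub."""
    acc = set() if acc is None else acc
    if isinstance(node, dict):
        for key, val in node.items():
            if key == "Ref" and isinstance(val, str):
                acc.add(val)
            elif key == "Fn::GetAtt":
                # list form ["Logical", "Attr"] or short string form "Logical.Attr"
                acc.add(val[0] if isinstance(val, list) else val.split(".")[0])
            elif key == "Fn::Sub":
                text, extra = (val[0], val[1]) if isinstance(val, list) else (val, {})
                acc.update(SUB_REF.findall(text))
                find_refs(extra, acc)
            else:
                find_refs(val, acc)
    elif isinstance(node, list):
        for item in node:
            find_refs(item, acc)
    return acc


def extract_flows(template):
    """(source, destination) pairs where source's Properties reference destination."""
    resources = template["Resources"]
    flows = []
    for src, res in resources.items():
        for dst in sorted(find_refs(res.get("Properties", {}))):
            if dst in resources and dst != src:  # drops Parameters and pseudo-parameters
                flows.append((src, dst))
    return flows


# Assumed mappings for this example: DFD element kind and default trust zone by type prefix.
ELEMENT_KIND = [("AWS::ApiGateway::", "external interface"), ("AWS::Lambda::Function", "process"),
                ("AWS::DynamoDB::Table", "data store"), ("AWS::S3::Bucket", "data store")]
DEFAULT_ZONE = [("AWS::ApiGateway::", "internet-facing")]  # everything else: account-internal


def classify(rtype, table, default):
    for prefix, label in table:
        if rtype.startswith(prefix):
            return label
    return default


def boundary_crossings(template, zone_overrides=None):
    """Flows whose endpoints sit in different trust zones; each is a STRIDE review item."""
    resources = template["Resources"]
    zones = {n: classify(r["Type"], DEFAULT_ZONE, "account-internal") for n, r in resources.items()}
    zones.update(zone_overrides or {})  # the manually drawn boundaries
    crossings = []
    for src, dst in extract_flows(template):
        if zones[src] != zones[dst]:
            crossings.append({
                "flow": (src, dst),
                "from": (zones[src], classify(resources[src]["Type"], ELEMENT_KIND, "other")),
                "to": (zones[dst], classify(resources[dst]["Type"], ELEMENT_KIND, "other")),
                "stride": ["Spoofing: is the caller authenticated?",
                           "Tampering / Information disclosure: is the channel protected?",
                           "Denial of service: is the destination rate-limited?"],
            })
    return crossings


if __name__ == "__main__":
    for flow in extract_flows(TEMPLATE):
        print("flow: %s -> %s" % flow)
    for item in boundary_crossings(TEMPLATE, {"ExportBucket": "partner-shared"}):
        print("crosses boundary:", item["flow"], item["from"], "->", item["to"])
```

With the defaults only the API-to-Lambda flow crosses a boundary; passing `{"ExportBucket": "partner-shared"}` as an override also surfaces the Lambda-to-bucket flow, which is the kind of boundary a script cannot infer from the template alone.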

dhartford commented 6 years ago

Hi @javabeanz, it is still a good idea, particularly to create such a tool specifically for people who may not understand the difference between a threat (a design) and a vulnerability (an implementation with defects), for low-hanging fruit from a 'stock' Java application in Tomcat (i.e. one using some of the standards, or common frameworks, to infer decisions made in the design).

As a usecase example to get started, the tomcat context.xml approach could read the database connections (because most have them defined there) and infer if the database connection is encrypted or not, and infer which authentication type (kerberos, domain for windows-based database servers, plain password) using pure static-analysis approach reading the files, then build upon that with runtime-analysis such as determining if the application server IP address is in the same network segment as the database server by its IP address, and from there build a starting-point threat model based on that information which will quickly bootstrap people in the right direction!
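The context.xml use case in the comment above, as an added example written for this edit (it is not code from threatmodel-sdk or from the comment's author): a static pass that finds `javax.sql.DataSource` resources in a Tomcat context.xml, infers from the JDBC URL whether the connection is required to be encrypted and which authentication scheme is used, and emits STRIDE-style threat candidates. Only the static half is shown; the runtime network-segment check is not included. Assumptions made here: the driver-specific URL properties checked (MySQL `useSSL`/`sslMode`, PostgreSQL `ssl`/`sslmode`, SQL Server `encrypt`/`integratedSecurity`/`authenticationScheme`), the conservative rule that an absent encryption setting counts as "not enforced" because driver defaults differ by version, the constructed sample file, and the STRIDE labels attached to each finding.

```python
"""
Added example: infer database-connection design facts from a Tomcat context.xml.
Not threatmodel-sdk code; driver property names and STRIDE labels are assumptions.
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Constructed sample context.xml for this example; not from a real deployment.
SAMPLE_CONTEXT_XML = """<Context>
  <Resource name="jdbc/orders" auth="Container" type="javax.sql.DataSource"
            driverClassName="com.mysql.cj.jdbc.Driver"
            url="jdbc:mysql://db1.internal:3306/orders?useSSL=false"
            username="orders_app" password="s3cret"/>
  <Resource name="jdbc/reports" auth="Container" type="javax.sql.DataSource"
            driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver"
            url="jdbc:sqlserver://db2.internal:1433;databaseName=reports;encrypt=true;integratedSecurity=true;authenticationScheme=JavaKerberos"/>
  <Resource name="jdbc/audit" auth="Container" type="javax.sql.DataSource"
            driverClassName="org.postgresql.Driver"
            url="jdbc:postgresql://db3.internal:5432/audit?sslmode=verify-full"
            username="audit_app" password="hunter2"/>
  <Resource name="mail/Session" auth="Container" type="javax.mail.Session"/>
</Context>
"""


def parse_jdbc_url(url):
    """Split a JDBC URL into (subprotocol, host, {lower-cased property: value})."""
    if not url.startswith("jdbc:"):
        raise ValueError("not a JDBC URL: %r" % url)
    subprotocol, _, rest = url[len("jdbc:"):].partition(":")
    if subprotocol == "sqlserver":
        # jdbc:sqlserver://host:port;prop=value;prop=value
        body, *props = rest.split(";")
        params = {}
        for prop in props:
            key, _, value = prop.partition("=")
            params[key.strip().lower()] = value.strip()
    else:
        # jdbc:mysql://host:port/db?prop=value&prop=value (PostgreSQL has the same shape)
        body, _, query = rest.partition("?")
        params = {k.lower(): v[0] for k, v in parse_qs(query).items()}
    host = body.lstrip("/").split("/")[0].split(":")[0]
    return subprotocol, host, params


def requires_encryption(subprotocol, params):
    """True if the URL forces TLS, False if not (or unset), None if the driver is unknown."""
    if subprotocol == "mysql":
        mode = params.get("sslmode", "").upper()  # Connector/J 8 sslMode
        if mode:
            return mode in ("REQUIRED", "VERIFY_CA", "VERIFY_IDENTITY")
        return params.get("usessl", "").lower() == "true"  # legacy useSSL property
    if subprotocol == "postgresql":
        mode = params.get("sslmode", "").lower()
        if mode:
            return mode in ("require", "verify-ca", "verify-full")
        return params.get("ssl", "").lower() == "true"
    if subprotocol == "sqlserver":
        return params.get("encrypt", "").lower() in ("true", "strict")
    return None


def auth_scheme(subprotocol, params, attrs):
    """Infer how the application authenticates to the database."""
    if subprotocol == "sqlserver":
        if params.get("authenticationscheme", "").lower() == "javakerberos":
            return "kerberos"
        if params.get("integratedsecurity", "").lower() == "true":
            return "windows-integrated"
    if "password" in attrs or "password" in params:
        return "password"
    return "unknown"


def analyze_context_xml(xml_text):
    """One finding per javax.sql.DataSource resource, with STRIDE threat candidates."""
    # Prefer defusedxml over ElementTree when the file is not under your own control.
    root = ET.fromstring(xml_text)
    findings = []
    for res in root.iter("Resource"):
        if res.get("type") != "javax.sql.DataSource" or not res.get("url", "").startswith("jdbc:"):
            continue
        subprotocol, host, params = parse_jdbc_url(res.get("url"))
        encrypted = requires_encryption(subprotocol, params)
        scheme = auth_scheme(subprotocol, params, res.attrib)
        threats = []
        if encrypted is not True:
            threats.append("Information disclosure: traffic to %s is not required to be encrypted" % host)
        if scheme == "password":
            threats.append("Information disclosure / Spoofing: static password for %s stored in "
                           "context.xml, usable by anyone who can read the file" % host)
        findings.append({"name": res.get("name"), "host": host, "driver": subprotocol,
                         "encrypted": encrypted, "auth": scheme, "threats": threats})
    return findings


if __name__ == "__main__":
    for f in analyze_context_xml(SAMPLE_CONTEXT_XML):
        print(f["name"], f["host"], "encrypted=%s" % f["encrypted"], "auth=" + f["auth"])
        for threat in f["threats"]:
            print("  -", threat)
```

Run against the sample, the MySQL resource yields two candidates (cleartext wire, static password), the Kerberos-authenticated SQL Server resource yields none, and the PostgreSQL resource yields only the stored-password candidate; the non-JDBC mail resource is skipped.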

javabeanz commented 6 years ago

One of the problems with threat modeling is that it is seen as costly; if (part of) the model can be automated, this may mean higher adoption of this security practice. Java web applications are very common today, so I see a good business case for this enhancement.

stephendv1 commented 6 years ago

There has been some work in this area (although not exactly from a SAST approach), see https://threatspec.org/. It essentially uses annotations in files to build a DFD and string together a threat model. There's no real automation, but a nice feature is that the threat model is defined in the code/config that's being modelled, so it's all in the same place.

For parsing tomcat files, etc - how about the CIS standards? https://www.cisecurity.org/benchmark/apache_tomcat/

dhartford commented 6 years ago

Thanks @stephendv1 for sharing threatspec, it reminds me of dot-notation from graphviz, but focused on threat modelling (which is good, I like it as relatively easy to integrate to automate data generation into such a tool, and automate document/graph deliverables even on data changes).

javabeanz commented 6 years ago

Possibly interesting too https://threatdragon.org/ They define a threat model with json.

stevespringett commented 6 years ago

@javabeanz as soon as the threatdragon project matures and the data model stabilizes, I plan on adding support for it. I also plan on adding support for the next release (not the preview) of the Microsoft tool.