EasyAppSecurity / TicTaaC

Easy-to-use Threat modeling-as-a-Code (TaaC) solution following DevSecOps principles. Simple CI/CD integration as well as console usage. Sugar-free and secure: no external dependencies are used except for chart plotting.


Threat modeling-as-a-Code in a Tick (TicTaaC)

Lightweight and easy-to-use Threat modeling solution following DevSecOps principles

Preface

"One day the customer asked to perform threat modeling for our product. Of course, we have heard about it a lot from different teams, I have even read several articles and looked through a book to get familiar with this process, but they were too abstract for me and didn't give me any certainty at all. Then we have faced several enterprise-level products which theoretically would help us, but we didn't want to deploy the whole security program because of it, we just wanted to get the threats list for our product. Nothing else."

Anonymous Developer

Idea

The idea behind this product is clear: I want to create something simple that helps to solve this difficult problem. Ideally, with one click or a single command, and with the possibility to integrate it into a pipeline if needed. Inspired by the architecture and simplicity of dependency-check, and bearing in mind that developers love mapping everything in code, I've created "TicTaaC", which means "Threat modeling-as-a-Code in a Tick".

Usage

All the tool needs is a data flow code file described in a yml-like format specially designed for this purpose.
Example files with verbose comments describing every aspect of the format may be found here.

Command Line

More detailed instructions can be found on the GitHub wiki. The latest CLI can be downloaded from GitHub in the releases section.
On *nix

$ ./bin/tic-taac.sh -h
$ ./bin/tic-taac.sh --out . --threatModel [path to threat model file]

On Windows

> .\bin\tic-taac.bat -h
> .\bin\tic-taac.bat --out . --threatModel [path to threat model file]

Docker

See TicTaaC Docker Hub repository.

#!/bin/sh

TT_VERSION="latest"
THREAT_MODEL_DIR="$HOME/threat-model"

# Make sure we are using the latest version
docker pull "rusakovichma/tic-taac:$TT_VERSION"

# Run the container as the current (non-root) user so the generated report
# is owned by that user; the threat model directory is mounted read/write
# under /threat-model and the report is written to ./report on the host.
docker run --rm \
    -e user="$USER" \
    -u "$(id -u "$USER"):$(id -g "$USER")" \
    --volume "$THREAT_MODEL_DIR:/threat-model:z" \
    --volume "$(pwd)/report:/report:z" \
    "rusakovichma/tic-taac:$TT_VERSION" \
    --threatModel /threat-model/simpest-threat-model.yml \
    --outFormat html \
    --out /report
    # To set a mitigation strategy for the corresponding threats, append a
    # trailing "\" to the --out line above and add the following argument:
    # --mitigations /threat-model/mitigations.yml

Jenkins pipeline

For TicTaaC usage at Jenkins pipeline, see Jenkinsfile example.

Features

  • No additional dependencies required
  • Special lightweight and easy-to-understand format for describing data flows
  • Automatic threat attack vector and risk score calculation based on the data flow context
  • Ideal for security teams: the threats library logic can be flexibly customized in a separate file using a dedicated expression language


License:Apache License 2.0

Languages: Java 96.3%, Shell 1.9%, Batchfile 1.1%, Dockerfile 0.8%