materialize threats.
' . .
o ' o . ' . O
' . ' . _____ ' . .
. . .mMMMMMMMm. ' o ' .
' . .MMXXXXXXXXXMM. . '
. . /XX77:::::::77XX\ . . .
o . ;X7:::''''''':::7X; . '
' . |::'.:' '::| . . .
. ;:.:. :;. o .
' . \'.: /. ' .
. `.':. .'. ' .
' . ' .`-._____.-' . . ' .
' o ' . O . ' o '
. ' . ' . ' ' O . ' ' '
. . ' ' . ' . ' '
. .'..' . ' ' . . '. . '
`.':.' ':'.'.'
`\\_ | _//'
\( |\ )/
//\ |_\ /\\
(/ /\(" )/\ \)
\/\ ( ) /\/
|( )|
| \( \
| ) \
| \
| \
|wizardsh`.__,_
\_________.-'
It's magic.
π Who is this for?
Developers and security practitioners who want to perform 'graph' analysis on data flow diagrams - using SQL.
materialize threats
ingests draw.io data flow diagrams into a database, represents them like a property graph, then uses SQL to answer questions about them.
Today, we can answer questions like:
- What STRIDE based threat classes
β οΈ impact which elements and flows in my diagram? - What mitigations π & test cases β should be considered for this diagram?
These are just a few ideas.
π° What's in the box?
- materialize_threats python module
- Parse draw.io data flow diagrams into graph representation (nodes, edges) stored in a RDBMS (sqlite in this demo)
- SQL (ORM) implementation of Rapid Threat Model Prototyping methodology used to generate threat classes
- (Optional) Minimal Draw.io shape library (dfd-materialize.xml)
- Tag trust zones more easily
- Gherkin + STRIDE test plan/feature file generator
π§ How do I use it?
Demo
1. Creating the diagram
- Use draw.io with the built-in threat modeling shape set, or use ours
- Create a data flow diagram using some guidelines
- Use processes between entities to describe flows
- Example: [Entity: Browser] --> (Process: Login) ----> [Entity: API]
- Identify trust zones using the green 'security control label' following the Rapid Threat Model Prototyping methodology process
- untrusted sources (entities) are 0
- sinks (data store) are <=9
- +1 or -1 in between
- Processes inherit trust zones from the upstream entity
- Use processes between entities to describe flows
- Save it as a .drawio file in a convenient location
Example
2. Enumerating threats
git clone git@github.com:secmerc/materialize_threats.git
cd materialize_threats
pip3 install -r requirements.txt
python3 materialize.py --diagram=/path/to/diagram.drawio
3. Creating the feature file
Materialize threats will create a Gherkin feature file with boilerplate scenarios and mitigations, along with remediation tips. By default, it uses the diagram filename.
π Sample data
python3 materialize_threats/materialize.py
More samples can be found in the /samples directory
python3 materialize_threats/materialize.py --diagram=samples/bookface.drawio
β οΈ Is this production ready?
Not yet.
- There are no tests written, but im pretty sure it works.
- Lots of other python stuff that might horrify you but wont impact functionality that I know of.