Comments (11)
izar
commented on September 17, 2024
True. Let's do it.
from pytm.
izar
commented on September 17, 2024
What would be a proper dictionary of properties and their values? For example,
runsAs = (Root, Administrator, User, Nobody)
exposes = (HTTP, HTTPS, ...) ?
I believe this might be more extensible than a ton of on/off switches, thoughts?
from pytm.
shambho
commented on September 17, 2024
Is the OS patched is another property to look at. I guess to answer the list of properties required, we need to look at when exactly we think a system is considered hardened? What are the criteria or things to look for at minimum?
from pytm.
colesmj
commented on September 17, 2024
There are definitions for hardening - from sources like DISA and CIS, to
individual component vendors. Patching is a part of hardening, add covers
more than the OS. We should do what everyone does and summarize what
hardening "means" and run with that for first pass; besides it is the only
thing possible at design time. We can't know at design time if the
components will be patched, we can know if insecure protocols are to be
used (as a couple of examples).
from pytm.
izar
commented on September 17, 2024
But do we have to go itemized? Or could we get away with something that refers to the process, as in
isHardened = ("No", "Planned", "Yes")
At the end of the day I believe we want developers to be able to write the description code on the fly, and should strive to have only as much detail as necessary, to avoid having to go to documentation, etc.
Perhaps we should have objects self-check for completeness at runtime, suggesting fields that need more information before running the threats?
from pytm.
shambho
commented on September 17, 2024
Yeah this makes sense to me. Keeping it simple.
from pytm.
izar
commented on September 17, 2024
I moved the current attributes into Python "@Property". We need to decide if we want to leave everything open or if we want to use enumerations for certain values. I'm inclined to follow MSFT in the choices, but only up to the point where we get 1::1 functionality with their tool, and then we start opening up further and going farther. Ideas?
from pytm.
shambho
commented on September 17, 2024
Sounds good to me.
from pytm.
izar
commented on September 17, 2024
Got some feedback from potential users - the issue of granularity is important. I suppose it would be great if we could come up with threats that happen at many levels, as in "is it hardened? yes/no" leading to a "it should be hardened" threat, but then smaller granularity questions like "is it patched" and "does it have more services than needed" (just throwing it out there....) lead to "it is not hardened" that then leads to "it should be hardened".
from pytm.
colesmj
commented on September 17, 2024
Related to #113 re: inherited properties or state.
from pytm.
colesmj
commented on September 17, 2024
Have been thinking about derived properties for an incubation effort. Will look to mock something up.
from pytm.
Related Issues (20)
- Error with make image HOT 2
- Error with data field in input JSON HOT 5
- How are threats named, e.g., INPXX or AAXX? HOT 4
- How are "target" and its relevant "condition" extracted from a particular threat? HOT 5
- Documentation for attributes HOT 5
- Suggest to support converting c4 models into pytm HOT 7
- Use RAAML for threat models HOT 3
- Is the makefile broken? HOT 3
- Question: What's the purpose of defining trust boundary? HOT 7
- Got an error "AttributeError: 'str' object has no attribute 'name'" when using the "--sqldump SQLDUMP". HOT 2
- Cannot override findings, threats remain, DFD impacted, exception thrown for overrides len > 1 HOT 16
- pytm --report gives an error HOT 4
- Replace custom template engine with Jinja2 HOT 1
- README.md, section Currently Supported Threats, needs a legend HOT 7
- Enhancement request: move pyDAL to local import HOT 4
- Alternative format for threat lib for better readability and editing HOT 5
- AC22 Credential Aging review HOT 5
- Add a way to exclude threats for specific Elements HOT 2
- Outdated plantuml download link in Dockerfile HOT 1
- Upgrade docker base image to reduce the number of open-source vulnerabilities
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from pytm.