Comments (5)
The whole attribute system was kept open and easy to extend on purpose, as there is no way to encompass the whole gamut of options beforehand. The idea is "if a rule needs an attribute, create the attribute and create the rule". At this point logic interaction between attributes outside of rules is almost non-existent, so that doesn't create many ripples. People are free to extend Elements as they see fit and create specialized elements, or to enrich the existing ones.
I agree 100% with @raphaelahrens on the severity and likelihood comments. In fact this is an area I am actively engaged in these days, and trying to get as much clarity on the boundaries between automated and manual as possible.
from pytm.
Hi,
How the example threats were created can be answered by @izar. I assume he created them for his needs and added them as an example.
Currently there is no logic for inheriting attributes from other attacks, so you will have to copy the parent threat and modify it.
For the UDP and TCP flooding you first need to know which protocol is used. But currently pytm only knows about the port and not the transport protocol. That means that you cannot always describe which transport protocol you are using. For example, syslog over TCP uses the same port as syslog over UDP. So a patch would be needed so that the transport protocol can be specified.
In my opinion the most important information threat modelling gives you is the knowledge of a potential threat. The severity and the likelihood depend on the software and the environment in which the software is used.
For example, let's assume we have two cases where the same software is used.
In the first case the information processed is not confidential.
In another case the information is highly confidential.
What is the severity if we find an information disclosure threat?
It depends on how we use the software. In the first case it is not a big issue. In the second it will be a big problem.
But thanks to threat modelling you are aware of the potential problem and can make a judgement for each case.
If you don't know the environment in which your software will be used then you can't make this decision. Then you will need to either mitigate just in case someone will use it with sensitive data or you could inform the users of your software about the potential risk.
Either way you could not have done any of these actions if you were unaware of the potential threat.
To conclude, the severity and likelihood are very context-sensitive and can only be absolute if the context in which the software is executed is fully known, e.g. you run your own software or your users tell you how they use your software.
This is also the reason why you can use different threat libraries, so that you can adapt them to your needs and your users' needs.
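The point about port versus transport protocol, as an added illustration that is not pytm's code or @raphaelahrens's: a minimal matcher in the style of pytm's JSON threat entries (one condition per threat, evaluated against a target element). The `Dataflow` class, the `transport` attribute and the EX-numbered threat entries are constructed for this example; the comment above says pytm knew only the port at the time.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Dataflow:
    """Constructed stand-in for a pytm dataflow element."""
    name: str
    dstPort: int
    # Hypothetical attribute: the transport protocol. Without it the model
    # cannot say whether syslog on port 514 runs over UDP or TCP.
    transport: Optional[str] = None

# Constructed threat entries modelled on pytm's threat-library shape.
# pytm stores 'condition' as an expression string; a callable is used here
# so the example runs without eval().
THREATS = [
    {"SID": "EX01", "description": "UDP flooding",
     "condition": lambda t: t.transport == "UDP"},
    {"SID": "EX02", "description": "TCP flooding",
     "condition": lambda t: t.transport == "TCP"},
    {"SID": "EX03", "description": "Flooding of the syslog service",
     "condition": lambda t: t.dstPort == 514},
]

def matching_threats(target: Dataflow, threats=THREATS) -> list:
    """Return the SIDs of all threats whose condition holds for the target."""
    return [t["SID"] for t in threats if t["condition"](target)]

def derive_threat(parent: dict, **overrides) -> dict:
    """Copy a parent threat and modify it, since there is no attribute
    inheritance between threats: the fields not overridden are copied."""
    child = dict(parent)
    child.update(overrides)
    return child

if __name__ == "__main__":
    # Port alone: only the generic syslog threat can be selected.
    print(matching_threats(Dataflow("syslog", 514)))          # ['EX03']
    # With the transport known, the matching flooding variant is added.
    print(matching_threats(Dataflow("syslog", 514, "UDP")))   # ['EX01', 'EX03']
    child = derive_threat(THREATS[0], SID="EX04",
                          description="UDP flooding of syslog",
                          condition=lambda t: t.transport == "UDP" and t.dstPort == 514)
    print(matching_threats(Dataflow("syslog", 514, "UDP"), THREATS + [child]))
```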
Hi, this is the process I used:
- Get a CSV file from CAPEC
- Weed out threats that don't have every column filled i.e. severity/pre-requisites etc. missing
- Condition and target are not created in an automated way. In order to create a high fidelity threat store for pytm, I manually translated the "pre-requisite" column to create conditions and target according to the elements we had at the time.
Hope that helps!
Thanks for your replies, @izar and @raphaelahrens. Looking at your code and the way you extracted the conditions w.r.t. CAPEC, I still have questions.
@izar I believe you considered the "prerequisites" field in conjunction with the "Related Weaknesses" to come up with the "proper" conditions, right?
- If that's the case, some of the threats in your database do not hold "all" the information about those fields. Are there any explanations for this? I think this can be automated to a great extent for extracting the rules and conditions.
- If not, did you simplify your implementation by focusing on the important conditions?
I think those rules in the "condition" field are more your interpretations about the threat. Am I right?
Thank you, and I look forward to hearing from you.
Most of the translation from CAPEC into threats was done by @avhadpooja - she can better give details on the process.