Comments (7)
Hi - the legend is not written in stone - we were looking for unique identifiers with at least a semblance of separation between them. The categorization was never too strict simply because the issue never came up, and the identifiers are mostly used for allow-listing known issues.
It is great you want to add threats! If you're not comfortable with adding them to the existing label scheme, feel free to create your own. It would be great if it followed the ??[0-9][0-9]* format, though.
The grouping of the threats is a little bit all over the place, and sometimes it is just unclear to me as well what the letters are supposed to mean.
But a threat is a threat and it does not matter if it is a denial of service or an information disclosure as long as it is a valid threat to the system.
So I agree with izar that it does not matter what letters you put in front of your threats as long as these are valid threats.
That being said, here is my understanding of the first letters of all the threats.
Maybe this can be used to start a guide on creating new threats.
AA deals with AuthN (no idea what the second A is for, maybe this was once AuthN and AuthZ)
AC with access control (AuthZ) issues
API are all threats with a condition that includes .implementsAPI
CR is possibly credentials, crypto, and something with XML routing (CR07)
DE is all over the place: could be dataflow encryption (DE01, DE03) or encoding (DE02), and I don't know how DE04 fits in.
DO is "Denial Of" anything, so threats regarding availability.
DR no idea.
DS is probably data side-channel.
HA is HA01 "Path traversal", HA02 "White Box Reverse Engineering", HA03 "Web Application Fingerprinting", and HA04 "Reverse Engineering". No idea what all of them have in common.
INP is most likely dealing with missing input validation/restrictions.
LB has only LB01 "API Manipulation"; no clue what LB stands for.
SC deals with XSS and JS threats; only SC05 is a bit of an outlier in this group since it is dealing with server code.
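The two comments above touch on two things a contributor would want to check mechanically before adding threats: that new identifiers follow the `??[0-9][0-9]*` convention without colliding with existing ones (collisions matter because, as the maintainer notes, the IDs are used to allow-list known issues), and the observation that API-prefixed threats are the ones whose condition tests `.implementsAPI`. The script below is an added example, not pytm's code; it only assumes that a pytm threat library is a JSON list of objects carrying at least `SID` and `condition` keys, and the entries in `SAMPLE_THREATS` are constructed for this illustration. The regex is a tightened reading of the `??[0-9][0-9]*` convention (two or three uppercase letters, since both AA01 and INP01 occur in the thread, then a two-digit or longer number) and is an assumption of this example.

```python
import json
import re
from collections import defaultdict

# Constructed sample in the shape of a pytm threat library (a JSON list of objects
# with at least "SID" and "condition"). These entries are made up for this example
# and are not pytm's real threats.
SAMPLE_THREATS = json.loads("""
[
  {"SID": "API01", "condition": "target.implementsAPI is True"},
  {"SID": "INP01", "condition": "target.validatesInput is False"},
  {"SID": "INP02", "condition": "target.sanitizesInput is False"},
  {"SID": "INP02", "condition": "target.encodesOutput is False"},
  {"SID": "LB02",  "condition": "target.implementsAPI is True"},
  {"SID": "xx1",   "condition": "target.isHardened is False"}
]
""")

# Assumed convention: 2-3 uppercase letters followed by at least two digits.
# This tightens the ??[0-9][0-9]* pattern from the thread to the shape every
# identifier quoted there actually has.
SID_RE = re.compile(r"^([A-Z]{2,3})(\d{2,})$")


def check_sid_format(sid):
    """True when a threat identifier follows the assumed PREFIXnn convention."""
    return SID_RE.match(sid) is not None


def split_sid(sid):
    """Return (prefix, number) for a well-formed SID, or None for a malformed one."""
    m = SID_RE.match(sid)
    if m is None:
        return None
    return m.group(1), int(m.group(2))


def lint_threats(threats):
    """Check a threat list before new entries are merged.

    Reports SIDs that break the format, SIDs used more than once (a duplicate
    silently shadows the other entry in any allow-list keyed by SID), the prefix
    groups present, and entries whose condition tests implementsAPI but that do
    not sit under the API prefix (the thread observes API threats are exactly those;
    such entries are flagged for review, not rejected).
    """
    seen = set()
    groups = defaultdict(set)
    report = {"malformed": [], "duplicates": [], "api_prefix_review": []}
    for t in threats:
        sid = t["SID"]
        if sid in seen:
            report["duplicates"].append(sid)
        seen.add(sid)
        parts = split_sid(sid)
        if parts is None:
            report["malformed"].append(sid)
            continue
        prefix, _ = parts
        groups[prefix].add(sid)
        if "implementsAPI" in t.get("condition", "") and prefix != "API":
            report["api_prefix_review"].append(sid)
    report["prefix_groups"] = {p: sorted(s) for p, s in sorted(groups.items())}
    return report


def next_sid(threats, prefix):
    """Allocate the next unused number under a prefix, e.g. INP03 after INP01/INP02.

    Malformed SIDs are ignored so a stray entry cannot skew the numbering.
    """
    highest = 0
    for t in threats:
        parts = split_sid(t["SID"])
        if parts is not None and parts[0] == prefix:
            highest = max(highest, parts[1])
    return f"{prefix}{highest + 1:02d}"


if __name__ == "__main__":
    result = lint_threats(SAMPLE_THREATS)
    for key in ("malformed", "duplicates", "api_prefix_review"):
        print(f"{key}: {result[key]}")
    print("prefix groups:", result["prefix_groups"])
    print("next INP identifier:", next_sid(SAMPLE_THREATS, "INP"))
```

To run this against a real library, replace `SAMPLE_THREATS` with `json.load(open("threats.json"))`; the checks only depend on the `SID` and `condition` keys.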
Hey folks,
Is the mailing list used anymore? The mailing list is advertised as https://groups.google.com/g/pytm-users.
If not, can you email me so we can have an offline conversation? My email address is noloader, gmail account.
Actually I don't know if the mailing list was ever used. I have been on that list for over a year and cannot remember a conversation there.
But I'm also only an occasional contributor.
@noloader perhaps the slack is the best place for an off-github discussion.
There is a slack?