Turn code into threat models

/**
 * ########  ######## ##     ##  #######
 * ##     ## ##       ###   ### ##     ##
 * ##     ## ##       #### #### ##     ##
 * ##     ## ######   ## ### ## ##     ##
 * ##     ## ##       ##     ## ##     ##
 * ##     ## ##       ##     ## ##     ##
 * ########  ######## ##     ##  #######
 *
 * Write or edit JavaScript in this editor and annotate the code with ThreatSpec tags.
 *
 * See below for details.
 *
 * @alias threat @cwe_319_cleartext_transmission to cleartext transmission of data
 * @describe threat @cwe_319_cleartext_transmission as The software transmits sensitive or \
 *   security-critical data in cleartext in a communication channel that can be sniffed by \
 *   unauthorized actors
 *
 * @alias boundary @webapp to WebApp
 * @describe boundary @webapp as Customer facing web application
 *
 * @alias component @app to App
 * @describe component @app as Core application
 */
class Story {
  /**
   * Represents a book.
   * @constructor
   * @param {string} title - The title of the book.
   * @param {string} author - The author of the book.
   *
   * @mitigates @webapp:FileSystem against unauthorised access with strict file permissions (#122)
   * @exposes @webapp:App to XSS injection with insufficient input validation (#124,#133)
   * @transfers @cwe_319_cleartext_transmission to User:Browser with non-sensitive information (#125)
   * @accepts arbitrary file writes to @webapp:FileSystem with filename restrictions (#106)
   */
  Book(title, author) {
  }
}


Using the demo

Write or edit JavaScript in the editor on the left and annotate the code with ThreatSpec tags. Then run Parse & Report to generate the HTML report on the right. You can also view the intermediate JSON file.

Tag formats

  • @alias boundary|component|threat ID to NAME
  • @describe boundary|component|threat ID as DESCRIPTION
  • @mitigates BOUNDARY:COMPONENT against THREAT with MITIGATION [(REFERENCES)]
  • @exposes BOUNDARY:COMPONENT to THREAT with EXPOSURE [(REFERENCES)]
  • @transfers THREAT to BOUNDARY:COMPONENT with TRANSFER [(REFERENCES)]
  • @accepts THREAT to BOUNDARY:COMPONENT with ACCEPTANCE [(REFERENCES)]

The \ character can be used to split the DESCRIPTION, MITIGATION, EXPOSURE, TRANSFER and ACCEPTANCE values into multiple lines for readability. Multiple lines are joined together into a single value.

REFERENCES are optional and must be enclosed in ( ). Multiple REFERENCES are supported, separated by commas.

Using ThreatSpec

Develop

Developers, QA, operations, and security engineers work closely together reviewing and annotating code with threat modeling metadata. This can even apply to Infrastructure as Code.

Parse

Use a parser to turn ThreatSpec code annotations into an intermediate JSON file. You'd probably want to make this part of your build pipeline and then publish the JSON files somewhere.

Report

Run a report against one or more intermediate JSON files, even if they originate from different languages. Use the reports to further guide your threat modelling. You could even display the current report in your SOC.
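The Parse and Report steps above, as an added example that is not ThreatSpec's own parser or any of its reporting tools: it implements the six tag formats listed under Tag formats, including the backslash line continuation and the optional comma-separated REFERENCES, builds an intermediate object, and rolls it up per BOUNDARY:COMPONENT with aliases resolved to their names. The layout of the intermediate object is this example's own assumption, not ThreatSpec's JSON schema, and the sample source is constructed from the demo above. THREAT is matched non-greedily up to the first " with ", so a threat name that itself contains the word "with" would need a richer grammar than this.

```javascript
// Added example (not ThreatSpec's own parser or reporter): turn ThreatSpec tags in
// JavaScript comments into an intermediate object and summarise it per component.
// The object layout is this example's own assumption, not ThreatSpec's JSON schema.

const TAG_PATTERNS = {
  alias:     /^@alias\s+(boundary|component|threat)\s+(@\w+)\s+to\s+(.+)$/,
  describe:  /^@describe\s+(boundary|component|threat)\s+(@\w+)\s+as\s+(.+)$/,
  mitigates: /^@mitigates\s+([^\s:]+):(\S+)\s+against\s+(.+?)\s+with\s+(.+)$/,
  exposes:   /^@exposes\s+([^\s:]+):(\S+)\s+to\s+(.+?)\s+with\s+(.+)$/,
  transfers: /^@transfers\s+(.+?)\s+to\s+([^\s:]+):(\S+)\s+with\s+(.+)$/,
  accepts:   /^@accepts\s+(.+?)\s+to\s+([^\s:]+):(\S+)\s+with\s+(.+)$/,
};

// Collect "@..." lines from comments: strip comment decoration ("/**", "*", "*/", "//")
// and join lines ending in "\" into one tag, as the tag format allows.
function extractTagLines(source) {
  const tags = [];
  let pending = null;
  for (const raw of source.split('\n')) {
    let line = raw.trim().replace(/^(\/\*\*?|\*\/|\*|\/\/)\s?/, '').trim();
    if (pending !== null) {
      line = `${pending} ${line}`;
      pending = null;
    } else if (!line.startsWith('@')) {
      continue;
    }
    if (line.endsWith('\\')) { pending = line.slice(0, -1).trim(); continue; }
    tags.push(line);
  }
  return tags;
}

// Split an optional trailing "(#122,#133)" reference list off a free-text value.
function withReferences(key, text) {
  const m = text.match(/^(.*?)\s*\(([^)]*)\)\s*$/);
  if (!m) return { [key]: text.trim(), references: [] };
  return { [key]: m[1].trim(), references: m[2].split(',').map((s) => s.trim()).filter(Boolean) };
}

function parseThreatSpec(source) {
  const model = { boundaries: {}, components: {}, threats: {}, mitigations: [], exposures: [], transfers: [], acceptances: [] };
  const entities = { boundary: model.boundaries, component: model.components, threat: model.threats };
  for (const line of extractTagLines(source)) {
    let m;
    if ((m = line.match(TAG_PATTERNS.alias))) {
      entities[m[1]][m[2]] = { ...entities[m[1]][m[2]], name: m[3].trim() };
    } else if ((m = line.match(TAG_PATTERNS.describe))) {
      entities[m[1]][m[2]] = { ...entities[m[1]][m[2]], description: m[3].trim() };
    } else if ((m = line.match(TAG_PATTERNS.mitigates))) {
      model.mitigations.push({ boundary: m[1], component: m[2], threat: m[3], ...withReferences('mitigation', m[4]) });
    } else if ((m = line.match(TAG_PATTERNS.exposes))) {
      model.exposures.push({ boundary: m[1], component: m[2], threat: m[3], ...withReferences('exposure', m[4]) });
    } else if ((m = line.match(TAG_PATTERNS.transfers))) {
      model.transfers.push({ threat: m[1], boundary: m[2], component: m[3], ...withReferences('transfer', m[4]) });
    } else if ((m = line.match(TAG_PATTERNS.accepts))) {
      model.acceptances.push({ threat: m[1], boundary: m[2], component: m[3], ...withReferences('acceptance', m[4]) });
    } // any other "@" line (JSDoc @param, @constructor, ...) is not ThreatSpec and is skipped
  }
  return model;
}

// Resolve an "@id" through its alias table; plain names such as User:Browser pass through.
const resolveName = (table, id) => (table[id] && table[id].name) || id;

// One summary line per BOUNDARY:COMPONENT, the kind of rollup a report tool would produce.
function summarise(model) {
  const counts = {};
  for (const field of ['mitigations', 'exposures', 'transfers', 'acceptances']) {
    for (const e of model[field]) {
      const key = `${resolveName(model.boundaries, e.boundary)}:${resolveName(model.components, e.component)}`;
      counts[key] = counts[key] || { exposures: 0, mitigations: 0, transfers: 0, acceptances: 0 };
      counts[key][field] += 1;
    }
  }
  return Object.entries(counts).map(([key, c]) =>
    `${key}: ${c.exposures} exposed, ${c.mitigations} mitigated, ${c.transfers} transferred, ${c.acceptances} accepted`);
}

// Constructed sample input, adapted from the demo source above.
const SAMPLE_SOURCE = `
/**
 * @alias threat @cwe_319_cleartext_transmission to cleartext transmission of data
 * @describe threat @cwe_319_cleartext_transmission as The software transmits sensitive or \\
 *   security-critical data in cleartext in a communication channel that can be sniffed by \\
 *   unauthorized actors
 * @alias boundary @webapp to WebApp
 * @describe boundary @webapp as Customer facing web application
 * @param {string} title - a JSDoc tag, not ThreatSpec
 * @mitigates @webapp:FileSystem against unauthorised access with strict file permissions (#122)
 * @exposes @webapp:App to XSS injection with insufficient input validation (#124,#133)
 * @transfers @cwe_319_cleartext_transmission to User:Browser with non-sensitive information (#125)
 * @accepts arbitrary file writes to @webapp:FileSystem with filename restrictions (#106)
 */
function Book(title, author) {}`;

if (typeof require !== 'undefined' && require.main === module) {
  const model = parseThreatSpec(SAMPLE_SOURCE); // the "intermediate JSON"
  console.log(JSON.stringify(model, null, 2), '\n' + summarise(model).join('\n')); // plus the report
}
```

Run it with node to print the intermediate object followed by the summary. On the sample, the summary shows WebApp:App with one exposure and no mitigation recorded, which is exactly the gap a report is meant to surface for the next round of threat modelling.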

Specification

Language parsers

More languages to come...

Reporting tools

More reporting tools coming soon

About ThreatSpec

ThreatSpec is an open source project that aims to close the gap between development and security by bringing the threat modelling process further into the development process. This is achieved by having developers and security engineers write threat specifications alongside code, then dynamically generating reports and data-flow diagrams from the code.

Security testing is shifting left, from annual pentests to the realm of unit testing and test-driven development, by taking advantage of automation and agile practices. ThreatSpec is an attempt to continue the evolution.

For a fully comprehensive introduction to threat modelling, check out the book Threat Modeling: Designing for Security by Adam Shostack.

DevSecCon Talk

This topic was presented at the DevSecCon conference in London in October 2015.

The slides are available on SlideShare.

Get Involved!

If you have an idea, suggestion, criticism or any other feedback regarding ThreatSpec or code-driven threat modelling in general, get in touch! If you'd like to write a parser or reporting tool in your favourite language, we'd also love to hear from you.