specification icon indicating copy to clipboard operation
specification copied to clipboard
Published 2 weeks ago verified publisher icon CycloneDX

Add threat model capabilities to CycloneDX / TM-BOM

Open stevespringett opened this issue 1 year ago • 5 comments

There have been several discussions with the threat modeling community, from users and open source and commercial vendors, to add support for natively representing threat models in CycloneDX.

Currently, threat models can be represented via an external reference and the threat model can either point to a URL and be inline via a data component. This allows capturing everything from OTM and MS TMT output.

There has recently been a desire by tool vendors to use OTM as a potential short-term solution and leverage CycloneDX as a long term solution. This would allow, for example, a native threat model to be represented in CycloneDX which would describe any component or service such as an application, AI model, or web service.

BOM-Link would be used to point the existing threat-model external reference to the threat model, either in the same BOM or in a dedicated TM-BOM.

This ticket is to track the proposed enhancement to the core specification that would add:

  • Threats
  • Weaknesses
  • DFDs
  • Attack trees with monetary values
  • Methodology agnostic - support for STRIDE, PASTA, LINDDUN, etc
  • Support for security, privacy, safety, and process threat modeling

stevespringett avatar May 10 '24 14:05 stevespringett

Scope is important -- I think adding monetary values to a TM is likely a bridge too far.

adamshostack avatar May 10 '24 18:05 adamshostack

Attack trees are a representation of relationships between threats (and possibly mitigations and other stuff) and not a fundamental unit.

adamshostack avatar May 10 '24 18:05 adamshostack

More generally, I think that a threat model may not be the thing you want to track in a BOM. I think what I want as a consumer is not the analysis (threat modeling as a verb) or the results (threat modeling as a noun), but the things that I, as a consumer care about: the accepted/transferred/residual dangers associated with the thing. I think that includes some elements like:

  • Network connections (listening ports, outbound connections, the latter IETF MUD is interesting)
  • Files accessed (inside my area, system files, possibly tainted opened; read/write opens or permissions needed)
  • setuid files installed

But the transferred risks are more broad.

adamshostack avatar May 10 '24 18:05 adamshostack

We have a some proof of concepts for TMBOM:

jgadsden avatar Jul 25 '24 06:07 jgadsden

The TMBOMs conforms to the CycloneDX schema if we add the following:

% diff bom-1.6.schema.orig.json bom-1.6.schema.json
850c850,851
<             "cryptographic-asset"
---
>             "cryptographic-asset",
>             "threat-model"
865c866,867
<             "cryptographic-asset": "A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets."
---
>             "cryptographic-asset": "A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets.",
>             "threat-model": "A threat model including threats, remediations, vunerabilities and model components."

jgadsden avatar Jul 25 '24 06:07 jgadsden