
Stored, sent and received data assets are always processed

Open aceg1k opened this issue 3 years ago • 3 comments

Hi,

thank you very much for your great work on this project, I hope it is still active and open for pull requests.

Rationale

Whenever data assets are stored, sent or received by a technical asset, they are also processed in some way by that technical asset. This leads to tight coupling of data_assets_processed with data_assets_stored, data_assets_sent and data_assets_received (relating to both outgoing and incoming communication links). IMHO data_assets_processed is of almost no practical use when a data asset processed is not stored and not transferred somewhere.

Proposal

Infer data_assets_processed based on data assets stored and data assets used in outgoing and incoming communication links and do not require data_assets_processed to be set and continuously maintained.

As a stored data asset always implies a processed data asset, some of the code became redundant and was removed.

I look forward to your feedback!

aceg1k avatar Jun 29 '21 20:06 aceg1k
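
The inference proposed above, as an added example that is not code from this PR or from Threagile: the types are simplified and hypothetical, the sample model is constructed, and it assumes the target of a link processes both what the source sends and what it returns.

```go
package main

import (
	"fmt"
	"sort"
)

// Simplified, hypothetical types (not Threagile's own structs); sample data is constructed.
type Link struct {
	Target         string
	Sent, Received []string // data_assets_sent / data_assets_received, as seen from the source
}

type TechnicalAsset struct {
	ID     string
	Stored []string // data_assets_stored
	Links  []Link   // outgoing communication links
}

// InferProcessed unions stored data assets with those on outgoing and incoming links.
func InferProcessed(assets []TechnicalAsset) map[string][]string {
	out, seen := map[string][]string{}, map[[2]string]bool{}
	add := func(id string, dataAssets []string) {
		for _, d := range dataAssets {
			if !seen[[2]string{id, d}] {
				seen[[2]string{id, d}] = true
				out[id] = append(out[id], d)
			}
		}
	}
	for _, a := range assets {
		add(a.ID, a.Stored)
		for _, l := range a.Links {
			for _, end := range []string{a.ID, l.Target} { // both ends handle the data
				add(end, l.Sent)
				add(end, l.Received)
			}
		}
	}
	for id := range out {
		sort.Strings(out[id]) // deterministic output for reports and diffs
	}
	return out
}

func main() {
	web := TechnicalAsset{ID: "web-app", Links: []Link{{Target: "database", Sent: []string{"customer-accounts"}, Received: []string{"order-history"}}}}
	db := TechnicalAsset{ID: "database", Stored: []string{"customer-accounts", "audit-log"}}
	fmt.Println(InferProcessed([]TechnicalAsset{web, db}))
}
```
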

Nice idea... Yep, there is definitely some kind of indirect relationship between the processed assets as being based on the stored/sent/received ones. Even in some model-validating rules this is checked.

The idea was to allow a top-down modeling approach to model the communication links after all the components have been modeled and therefore already have a laid-out plan of what to process (as some kind of cross-check). But indeed, when modeling this all in a row, the value could also nicely be inferred, easing the modeling process.

cschneider4711 avatar Jul 06 '21 20:07 cschneider4711

... speaking of inferring model values:

It would probably also make sense to infer the C,I,A ratings (Confidentiality, Integrity, Availability) of technical components based on the highest data assets' C,I,A ratings of stored/sent/received data assets. This could ease the modeling approach even more...

cschneider4711 avatar Jul 06 '21 21:07 cschneider4711

> It would probably also make sense to infer the C,I,A ratings (Confidentiality, Integrity, Availability) of technical components based on the highest data assets' C,I,A ratings of stored/sent/received data assets. This could ease the modeling approach even more...

Yes, I think so too and already implemented that some days ago. Just didn't want to mix up things, so I just opened another PR.

aceg1k avatar Jul 10 '21 19:07 aceg1k

@joreiche this PR https://github.com/joreiche/threagile/pull/4 is for merging this PR into your fork which later may be used in https://github.com/Threagile/threagile/pull/57

ezavgorodniy avatar Feb 02 '24 17:02 ezavgorodniy

This PR has been resolved with #57.

joreiche avatar Feb 07 '24 19:02 joreiche