colesmj
Today, we have object types:
- Element
- Server
- Client
- Process
- Asset
- Lambda

It seems that a Server, Client, and Lambda are all specializations of Process...
With object types like `Server` or `Asset`, can these contain other `Server`s or `Process`es? They should. If they can already, better docs needed.
Many of the attributes defined for the DataFlow object belong elsewhere: Correctly assigned:
- source = varElement(None, required=True)
- sink = varElement(None, required=True)
- order = varInt(-1, doc="Number of this...
DO02 - huh?
```python
"DO02": {
    "description": "Potential Process Crash or Stop",
    "source": (Process, Datastore, Element),
    "target": Process,
    "condition": "target.handlesCrashes is False",
},
```
What is the thought process behind this threat? Is it...
DE02 is a more specific variant of DE01. Two questions come to mind:
1. Is it necessary?
2. Would a threat-relationship descriptor be useful, e.g. threat A follows from threat...
```python
"DE01": {
    "description": "Data Flow Sniffing",
    "source": (Process, Element, Datastore),
    "target": Dataflow,
    "condition": "target.protocol == 'HTTP' and target.isEncrypted is False",
},
```
In this threat, it checks to see if...
` "DS01": { "description": "Weak Credential Storage", "source": (Process, Element), "target": Datastore, "condition": "(target.storesPII is True or target.storesSensitiveData is True) and (target.isEncrypted is False or target.providesConfidentiality is False or target.providesIntegrity...
I was wondering if we might make Boundary identification a capability of the tool, rather than letting a user define them in their object definitions. In other words, a user...
```python
"DO01": {
    "description": "Potential Excessive Resource Consumption",
    "source": Element,
    "target": (Process, Server),
    "condition": "target.handlesResourceConsumption is False",
```
Without knowing when handlesResourceConsumption should be set to True, the check here appears...
```python
"AA03": {
    "description": "Weakness in SSO Authorization",
    "source": (Process, Element),
    "target": (Process, Server),
    "condition": "target.implementsAuthenticationScheme is False",
},
```
What if the Process implements BasicAuth or uses mutual TLS (neither...