- Clojure 96%
- Python 2.9%
- Dockerfile 0.7%
- Shell 0.4%
| doc | ||
| infrastructure | ||
| report | ||
| src | ||
| .gitignore | ||
| .gitlab-ci.yml | ||
| build.py | ||
| LICENSE | ||
| project.clj | ||
| README.md | ||
dda-tara
chat over e-mail |
meissa@social.meissa-gmbh.de | Blog | Website
- Rational
- Adapt to your Product TARA in your own Application
- Generate Pdf Report
- Development & mirrors
- License
Rational
First of all: Kudos for the real cool idea implemented in https://github.com/Threagile/threagile
Threagile provides a very DevOps way to do Threat Analysis and Risk Assessment. But threagile also has room for improvement. For this reason we reimplemented & enhanced.
Declare id only once
dda-tara uses the threagile model as foundation. But there where some sanitation to make live easier:
Use key as id:
data_assets:
star-count:
description: stars belonging to an repository & given by local and distant users
usage: business
will result in
data_assets:
star-count:
id: "star-count"
description: stars belonging to an repository & given by local and distant users
usage: business
Enhanced include & yaml 1.2 support
threagile supports include. But with yaml 1.2 we need an improved include support to distinguishe clearlay wether include is just a text include or a merge operation. includes-as-text just includes the file as text, aliases are preserved.
Given a file well-known-attack-tree-lib/injection.yaml
sql-injection: &sql-injection
title: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
stride: ElevationOfPrivilege
cwe: 89
You can use the include and refer to declared anchors.
includes-as-text:
- well-known-attack-tree-lib/injection.yaml
attacks_used:
sql-injection:
<<: *sql-injection
description: >
Experienced hacker sends a Like Activity containing an actor url pointing to an
evil forgejo instance. Our repository server sends an `get Person Actor`
request to this instance and gets a person having sth. like `; drop database;`
in its name. If our server tries to create a new user out of this person, the db
might be dropped.
score:
Damage: 99
AffectedUsers: 99
include or includes-to-merge will do a deep merge on all listed yamls.
Given a files to-be-included-deep1.yaml and to-be-included-deep2.yaml with
key:
this-was-included1: {}
key:
this-was-included2: {}
can be used as
includes-to-merge:
- to-be-included1.yaml
- to-be-included2.yaml
key-below: []
and will result in:
key:
this-was-included1: {}
this-was-included2: {}
key-below: []
collect common attacks
We think, collected domain knowledge is the real value of a tool.
We provide an attack trees in well-known-attack-tree-lib.
You can find commonly used attack trees in src/main/resources.
This common knowledge is part of this library.
cli first
We think it is important to be able to provide a binary cli tool ready to use. For this reason our tool generates adoc & dot sources. This sources can be converted by any adoc generator set to pdf & html.
Adapt to your Product TARA in your own Application
It is intended to collect all the common knowledge in this library and to adjust to your product in a application by its own. Find an example application here: https://repo.prod.meissa.de/meissa/forgejo-tara
Reference
application
To build your own application you can use the predefinde application main function.
(ns dda.forgejo-threats.application
(:gen-class)
(:require
[my-project.dda-threats.application :as app]
[my-project.domain.rule :as ru]))
(defn -main [& cmd-args]
(app/main "dda-threats"
[]
ru/example-technical-asset-related-rule-fkts
cmd-args))
technical-asset-related-threats hook
To handle the general technical assets threats, you can iterate all the technical assets declared with the technical-asset-related-threats hook. You can declare a sequence of functions which are handed over to application.
Technical assets hook function should be declared as follows. The function should either return nil or a threat recognized. Example:
(ns my-project.domain.rule
(:require
[orchestra.core :refer [defn-spec]]
[dda.dda-threats.domain.rule.model :as m]
[dda.dda-threats.domain.scored-attack-tree :as sat]
[dda.dda-threats.domain.threagile :as ta]))
(def example-technical-asset-related-rule-fkts
[user-input-data-assets])
(defn-spec user-input-data-assets ::m/threat
[technical-asset ::ta/technical-asset
threagile ::ta/threagile
attacks ::sat/attacks]
(let [processed-asset-set (:data_assets_processed technical-asset)
assets-under-threat (ta/data-asset-filtered
processed-asset-set
(fn [x] (some #(= "user-input" %) (:tags x)))
threagile)
first-asset (first assets-under-threat)]
(when (not-empty assets-under-threat)
{:id (str "silent-typo-squatting: " (:id technical-asset))
:data-asset first-asset
:attack (get-in attacks [:attacks_used :silent-typo-squatting])})))
communication-related-threats hook
To handle the communication related threats, you can iterate all the communications assets declared with the communication-related-threats hook. You can declare a sequence of functions which are handed over to application.
As the threagile model allows to declare two directions, communications are handed over normalized to this function.
Communication related hook function should be declared as follows. The function should either return nil or a threat recognized. Example:
(ns my-project.domain.rule
(:require
[orchestra.core :refer [defn-spec]]
[dda.dda-threats.domain.rule.model :as m]
[dda.dda-threats.domain.scored-attack-tree :as sat]
[dda.dda-threats.domain.threagile :as ta]))
(def example-communication-related-rule-fkts
[incoming-data-assets])
(defn-spec incoming-data-assets ::m/threat
[source ::ta/technical-asset
target ::ta/technical-asset
link ::ta/link
assets-affected ::m/data-asset-ids
threagile ::ta/threagile
attacks ::sat/attacks]
(let [persistent-asset-set (set (:data_assets_stored target))
assets-under-threat (ta/data-asset-filtered
assets-affected
(fn [x] (contains? persistent-asset-set (:id x)))
threagile)]
(when (not-empty assets-under-threat)
{:id (str "sql-injection: " (:id source) " -> " (:id target))
:data-assets assets-under-threat
:link link
:attack (get-in attacks [:attacks_used :sql-injection])})))
data-asset-filtered
Get data-assets filtered by e.g. tags:
(def processed-asset-set (:data_assets_processed technical-asset))
(ta/data-asset-filtered processed-asset-set
(fn [x] (some #(= "user-input" %) (:tags x)))
threagile)
cross-boundary?
Test whether the technical assets are cross boundary.
(def source { ... technical-asset ...})
(def target { ... technical-asset ...})
is-cross-boundary? (ta/cross-boundary?
source target threagile)
Video
Generate Pdf Report
Generate report from test outputs:
podman run -v ./report:/documents \
domaindrivenarchitecture/asciidoctor-mermaid -r asciidoctor-pdf -b pdf report.adoc
Development & mirrors
Development happens at: https://repo.prod.meissa.de/meissa/dda-tara
Mirrors are:
- https://codeberg.org/meissa/dda-tara (Issues and PR)
- https://gitlab.com/domaindrivenarchitecture/dda-tara (CI)
For more details about our repository model see: https://repo.prod.meissa.de/meissa/federate-your-repos
License
Copyright © 2023-2026 meissa GmbH Licensed under the Apache License, Version 2.0 (the "License") Pls. find licenses of our subcomponents here