Elevation of Privilege (EoP) is the easy way to get started and learn threat modeling. It is a card game that developers, architects or security experts can play.
The deployed version can be found here: https://elevation-of-privilege.herokuapp.com/
There are two components that need to be started in order to run the game.
- Server
- UI/Client
The server can be started using:
npm run server
There are 3 koa apps that bind on the respective ports:
| Application | Description | Environment Variable | Default |
|---|---|---|---|
| Server | The game server for boardgame, exposes socket.io endpoints | SERVER_PORT |
8000 |
| Lobby API | Internal API for lobby operations, should not be exposed publicly | INTERNAL_API_PORT |
8002 |
| Public API | Public API to create games and retrieve game info | API_PORT |
8001 |
The UI can be started using:
npm run start
The UI can also be built and served statically, keep in mind that the values of the port numbers will be hard coded in the generated files.
To start a dockerized version of the EoP game use
docker-compose up --buildThis would start EoP on port 8080 and would be accessible at http://localhost:8080/.
The docker-compose setup starts two container:
threats-client: runningnginxas a reverse proxy and serving the react applicationthreats-server: running thenodejsbackends: public API and game server
- Spectator mode
- UI fixes (optimizations, smaller screens)
- Upload an image instead of a model. Might need restructuring as we rely on diagram components + reporting would change
- Optimize the card sprite sheet (can look at SVGs)
- Improve test coverage, write tests for possible game states and moves
- Refactor and have reusable components
- Optimize component renders through
shouldComponentUpdate - Write contributing guide
As of boardgame.io v0.39.0, MongoDB is no longer supported as a database connector. There is currently no external library providing this functionality, however there is an implementation posted on github. This class implements the abstract functions in this base class.
MongoDB has also been removed as a dependency so must be installed by running
npm install mongodb
An equivalent to ModelFlatFile should also be implemented. This extends the FlatFile database connector to allow the model to be saved to the database. The functions this implements are setModel, which allows the model to be set, and fetch, which is also overwritten to allow the model to be read in addition to the other properties. The implementations of these for the FlatFile object are available in ModelFlatFile.js
Once the database connector is fully implemented, it can be used instead of a FlatFile by changing the object used in config.js. Just replace ModelFlatFile with the name of the mongoDB database connector.
The card game Elevation of Privilege was originally invented by Adam Shostack at Microsoft and is licensed under CC BY 3.0. The EoP Whitepaper written by Adam can be downloaded which describes the motivation, experience and lessons learned in creating the game.
The card game Cornucopia was originally developed by the OWASP Foundation. In this application a slightly modified version of the original card game is used. This can be found in the subfolder cornucopiaCards/. As the original, the modified version is licensed under CC BY-SA 3.0.
The motivation for creating this online version of the game at Careem was due to a large number of teams working remotely across several geographies and we wanted to scale our method of teaching threat modeling to our engineering teams.
The game is built using boardgame.io, a framework for developing turn based games. The graphics, icons and card images used in this version were extracted from the original card game built by Microsoft.
Made with ๐ at Careem and TNG Technology Consulting
![depfu[bot] avatar](https://avatars.githubusercontent.com/in/715?v=4 "depfu[bot]")
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent