Agile Threat Modeling Toolkit

Home Page: https://threagile.io

License: MIT License


threagile's Introduction

Threagile

Threagile (see https://threagile.io for more details) is an open-source toolkit for agile threat modeling:

It allows you to model an architecture with its assets in an agile fashion as a YAML file directly inside the IDE. When the Threagile toolkit is executed, all standard risk rules (as well as any custom rules present) are checked against the architecture model.

Execution via Docker Container

The easiest way to execute Threagile on the command line is via its Docker container:

docker run --rm -it threagile/threagile help

  _____ _                          _ _
|_   _| |__  _ __ ___  __ _  __ _(_) | ___
  | | | '_ \| '__/ _ \/ _` |/ _` | | |/ _ \
  | | | | | | | |  __/ (_| | (_| | | |  __/
  |_| |_| |_|_|  \___|\__,_|\__, |_|_|\___|
                            |___/
Threagile - Agile Threat Modeling

Documentation: https://threagile.io
Docker Images: https://hub.docker.com/r/threagile/threagile
Sourcecode: https://github.com/threagile
License: Open-Source (MIT License)
Version: 1.0.0 ()

Examples:

If you want to create an example model (via docker) as a starting point to learn about Threagile just run:
docker run --rm -it -v "$(pwd)":app/work threagile/threagile create-example-model -output app/work

If you want to create a minimal stub model (via docker) as a starting point for your own model just run:
docker run --rm -it -v "$(pwd)":app/work threagile/threagile create-stub-model -output app/work

If you want to execute Threagile on a model yaml file (via docker):
docker run --rm -it -v "$(pwd)":app/work threagile/threagile analyze-model -verbose -model -output app/work

If you want to execute Threagile in interactive mode (via docker):
docker run --rm -it -v "$(pwd)":app/work threagile/threagile -i -verbose -model -output app/work

If you want to run Threagile as a server (REST API) on some port (here 8080):
docker run --rm -it --shm-size=256m  -p 8080:8080 --name --mount 'type=volume,src=threagile-storage,dst=/data,readonly=false' threagile/threagile server --server-port 8080

If you want to find out about the different enum values usable in the model yaml file:
docker run --rm -it threagile/threagile list-types

If you want to use some nice editing help (syntax validation, autocompletion, and live templates) in your favourite IDE:
docker run --rm -it -v "$(pwd)":app/work threagile/threagile create-editing-support -output app/work

If you want to list all available model macros (which are macros capable of reading a model yaml file, asking you questions in a wizard-style and then update the model yaml file accordingly):
docker run --rm -it threagile/threagile list-model-macros

If you want to execute a certain model macro on the model yaml file (here the macro add-build-pipeline):
docker run --rm -it -v "$(pwd)":app/work threagile/threagile -model app/work/threagile.yaml -output app/work execute-model-macro add-build-pipeline

Usage:
  threagile [flags]
  threagile [command]

Available Commands:
  analyze-model            Analyze model
  create-editing-support   Create editing support
  create-example-model     Create example threagile model
  create-stub-model        Create stub threagile model
  execute-model-macro      Execute model macro
  explain-model-macros     Explain model macros
  explain-risk-rules       Detailed explanation of all the risk rules
  explain-types            Print type information (enum values to be used in models)
  help                     Help about any command
  list-model-macros        Print model macros
  list-risk-rules          Print available risk rules
  list-types               Print type information (enum values to be used in models)
  print-license            Print license information
  quit                     quit client
  server                   Run server

Flags:
      --app-dir string                    app folder (default "/app")
      --background string                 background pdf file (default "background.pdf")
      --config string                     config file
      --custom-risk-rules-plugin string   comma-separated list of plugins file names with custom risk rules to load
      --diagram-dpi int                   DPI used to render: maximum is 300
      --generate-data-asset-diagram       generate data asset diagram (default true)
      --generate-data-flow-diagram        generate data flow diagram (default true)
      --generate-report-pdf               generate report pdf, including diagrams (default true)
      --generate-risks-excel              generate risks excel (default true)
      --generate-risks-json               generate risks json (default true)
      --generate-stats-json               generate stats json (default true)
      --generate-tags-excel               generate tags excel (default true)
      --generate-technical-assets-json    generate technical assets json (default true)
  -h, --help                              help for threagile
      --ignore-orphaned-risk-tracking     ignore orphaned risk tracking (just log them) not matching a concrete risk
  -i, --interactive                       interactive mode
      --model string                      input model yaml file (default "threagile.yaml")
      --output string                     output directory (default ".")
      --plugin-dir string                 plugin folder location (default "/app")
      --raa-run string                    RAA calculation run file name (default "raa_calc")
      --skip-risk-rules string            comma-separated list of risk rules (by their ID) to skip
      --temp-dir string                   temporary folder location (default "/dev/shm")
  -v, --verbose                           verbose output
      --version                           version for threagile

Additional help topics:
  threagile print-3rd-party-licenses Print 3rd-party license information
  threagile version                  Get version information

Use "threagile [command] --help" for more information about a command.

threagile's People

Contributors

cmon, cschneider4711, dependabot[bot], duhow, ezavgorodniy, joreiche, sipgate-uhlig, thorsten-sick

threagile's Issues

Risk - Public Access on Cloud Assets

Risk: Public exposure and/or access of cloud-based assets like S3/S3 ACLs/SQS due to a misconfigured policy that contains wildcards, leading to data leakage or tampering of data and/or services.

Remediation: Audit of the policies, reducing rights to a bare minimum, label assets as public and make sure the assets are isolated.

Error with schema.json in IDE (VS Code)

When using the schema.json in VS Code https://threagile.io/schema# on line 2 throws an error:
Unable to load schema from 'https://threagile.io/schema': Forbidden. The server is refusing to respond.
I also get the same error when attempting to access the same link from a browser https://threagile.io/schema which makes me believe that this part of the website is either no longer up/supported.

Please advise if there is a workaround for this.

Feature Request: Decoupling Risk Rules in Threagile for Flexibility and Easy Extension.

Problem Statement:
Currently, the definition and management of risk rules, whether built-in or custom, are entrenched within the codebase. This structure poses challenges for easy extensibility within Threagile, particularly concerning the addition of new risk rules.

Proposed Solution:
To introduce greater flexibility and ease of management, we can implement a dedicated risk rule engine within Threagile. This engine will operate by reading and validating risk rules from a YAML file. During startup, Threagile will be initialized with the defined risk rules.

Advantages:

  1. Code-Agnostic Modifications: Eliminating the need for code alterations to create or modify risk rules.
  2. Enhanced Extensibility: Facilitating simpler extensions and modifications within Threagile's functionality.
  3. Seamless Deployments: Avoiding the necessity for new software versions to incorporate changes. However, this may necessitate a new feature – versioning risk rules for monitoring and managing alterations effectively.

This approach aims to decouple the definition of risk rules from the codebase, offering a more flexible and scalable architecture within Threagile.

Add support for generating Open Threat Model (OTM)

Hello. I'd like to be able to generate OTM from Threagile. For example, adding an option for --generate-otm would be ideal.

The Open Threat Model format is still early in development, but its goals are to standardize how data from threat models are represented, providing interoperability between different systems and tools.

Per the readme:

OTM allows both humans and computers to understand what are the components of a system, how are they distributed, the security risks that could be exposed to attackers and the mitigations that could be implemented to avoid those vulnerabilities.

OTM can be used to document your system and threat model, to keep your threat model aware of the changes that happen in the system and many other use cases.

Why use Go's plugin feature

Go's plugin package seems to be a little like an "unloved child" in the Go community. And it is not (yet?) ready for Windows. Windows is not my problem but it might lock out quite some users. And it interferes with Go's core feature of platform independence.

Apart from that I don't see the benefit. The RAA package is mandatory in the current threagile exe. You cannot run threagile -raa-plugin "". It simply fails with plugin.Open(""): realpath failed. So what's the point in making RAA a plugin if it must be there in the end? It would be much simpler with the default static linking of Go.

unicode errors in pdf

Sent you a mail with some issues, e.g.

report.go line 5549 needs a uni() call :)

Maybe I find the time to find the other problems ...

Details for configuration the schema.json

Hello everyone, I have some problems configuring the schema. I get a message from IntelliJ that the schema could not be downloaded due to a 403 error. Besides that I am not sure how to import the schema.json to the Threagile schema as in the YouTube video. Is there a detailed description?
Many thanks in advance

Feature Request: Release management

To better track progress and also when do I need to update my sources, it would be nice to have tagged releases in GitHub. Even tagged pre-releases would help. I'm not asking for a binary release, just a tag with the source as a tar ball under the release section. There are probably more advantages to that.

list-types CLI call does not output Encryption types

Issue

When running threagile -list-types, the output does not include the list of accepted encryption types.

Type

Bug

Expected Results

```bash
$ docker run --rm threagile/threagile -list-types

  _____ _                          _ _
 |_   _| |__  _ __ ___  __ _  __ _(_) | ___
   | | | '_ \| '__/ _ \/ _` |/ _` | | |/ _ \
   | | | | | | | |  __/ (_| | (_| | | |  __/
   |_| |_| |_|_|  \___|\__,_|\__, |_|_|\___|
                             |___/
Threagile - Agile Threat Modeling


Documentation: https://threagile.io
Docker Images: https://hub.docker.com/r/threagile
Sourcecode: https://github.com/threagile
License: Open-Source (MIT License)
Version: 1.0.0 ()


The following types are available (can be extended for custom rules):

  Quantity: [very-few few many very-many]

  Confidentiality: [public internal restricted confidential strictly-confidential]

  Criticality (for integrity and availability): [archive operational important critical mission-critical]

  Technical Asset Type: [external-entity process datastore]

  Technical Asset Size: [system service application component]

  Authorization: [none technical-user enduser-identity-propagation]

  Authentication: [none credentials session-id token client-certificate two-factor externalized]

  Usage: [business devops]

  Data Format: [json xml serialization file csv]

  Protocol: [unknown-protocol http https ws wss reverse-proxy-web-protocol reverse-proxy-web-protocol-encrypted mqtt jdbc jdbc-encrypted odbc odbc-encrypted sql-access-protocol sql-access-protocol-encrypted nosql-access-protocol nosql-access-protocol-encrypted binary binary-encrypted text text-encrypted ssh ssh-tunnel smtp smtp-encrypted pop3 pop3-encrypted imap imap-encrypted ftp ftps sftp scp ldap ldaps jms nfs smb smb-encrypted local-file-access nrpe xmpp iiop iiop-encrypted jrmp jrmp-encrypted in-process-library-call container-spawning]

  Technical Asset Technology: [unknown-technology client-system browser desktop mobile-app devops-client web-server web-application application-server database file-server local-file-system erp cms web-service-rest web-service-soap ejb search-index search-engine service-registry reverse-proxy load-balancer build-pipeline sourcecode-repository artifact-registry code-inspection-platform monitoring ldap-server container-platform batch-processing event-listener identity-provider identity-store-ldap identity-store-database tool cli task function gateway iot-device message-queue stream-processing service-mesh data-lake big-data-platform report-engine ai mail-server vault hsm waf ids ips scheduler mainframe block-storage library]

  Technical Asset Machine: [physical virtual container serverless]

  Trust Boundary Type: [network-on-prem network-dedicated-hoster network-virtual-lan network-cloud-provider network-cloud-security-group network-policy-namespace-isolation execution-environment]

  Data Loss Probability: [improbable possible probable]

  Risk Severity: [low medium elevated high critical]

  Risk Exploitation Likelihood: [unlikely likely very-likely frequent]

  Risk Exploitation Impact: [low medium high very-high]

  Risk Function: [business-side architecture development operations]

  Risk Status: [unchecked in-discussion accepted in-progress mitigated false-positive]

  STRIDE: [spoofing tampering repudiation information-disclosure denial-of-service elevation-of-privilege]

  Encryption: [none transparent data-with-symmetric-shared-key data-with-asymmetric-shared-key data-with-enduser-individual-key]
```

Actual Results

```bash
$ docker run --rm threagile/threagile -list-types

  _____ _                          _ _
 |_   _| |__  _ __ ___  __ _  __ _(_) | ___
   | | | '_ \| '__/ _ \/ _` |/ _` | | |/ _ \
   | | | | | | | |  __/ (_| | (_| | | |  __/
   |_| |_| |_|_|  \___|\__,_|\__, |_|_|\___|
                             |___/
Threagile - Agile Threat Modeling


Documentation: https://threagile.io
Docker Images: https://hub.docker.com/r/threagile
Sourcecode: https://github.com/threagile
License: Open-Source (MIT License)
Version: 1.0.0 ()


The following types are available (can be extended for custom rules):

  Quantity: [very-few few many very-many]

  Confidentiality: [public internal restricted confidential strictly-confidential]

  Criticality (for integrity and availability): [archive operational important critical mission-critical]

  Technical Asset Type: [external-entity process datastore]

  Technical Asset Size: [system service application component]

  Authorization: [none technical-user enduser-identity-propagation]

  Authentication: [none credentials session-id token client-certificate two-factor externalized]

  Usage: [business devops]

  Data Format: [json xml serialization file csv]

  Protocol: [unknown-protocol http https ws wss reverse-proxy-web-protocol reverse-proxy-web-protocol-encrypted mqtt jdbc jdbc-encrypted odbc odbc-encrypted sql-access-protocol sql-access-protocol-encrypted nosql-access-protocol nosql-access-protocol-encrypted binary binary-encrypted text text-encrypted ssh ssh-tunnel smtp smtp-encrypted pop3 pop3-encrypted imap imap-encrypted ftp ftps sftp scp ldap ldaps jms nfs smb smb-encrypted local-file-access nrpe xmpp iiop iiop-encrypted jrmp jrmp-encrypted in-process-library-call container-spawning]

  Technical Asset Technology: [unknown-technology client-system browser desktop mobile-app devops-client web-server web-application application-server database file-server local-file-system erp cms web-service-rest web-service-soap ejb search-index search-engine service-registry reverse-proxy load-balancer build-pipeline sourcecode-repository artifact-registry code-inspection-platform monitoring ldap-server container-platform batch-processing event-listener identity-provider identity-store-ldap identity-store-database tool cli task function gateway iot-device message-queue stream-processing service-mesh data-lake big-data-platform report-engine ai mail-server vault hsm waf ids ips scheduler mainframe block-storage library]

  Technical Asset Machine: [physical virtual container serverless]

  Trust Boundary Type: [network-on-prem network-dedicated-hoster network-virtual-lan network-cloud-provider network-cloud-security-group network-policy-namespace-isolation execution-environment]

  Data Loss Probability: [improbable possible probable]

  Risk Severity: [low medium elevated high critical]

  Risk Exploitation Likelihood: [unlikely likely very-likely frequent]

  Risk Exploitation Impact: [low medium high very-high]

  Risk Function: [business-side architecture development operations]

  Risk Status: [unchecked in-discussion accepted in-progress mitigated false-positive]

  STRIDE: [spoofing tampering repudiation information-disclosure denial-of-service elevation-of-privilege]
```

Go module build fails with upper/lower case problem

Are you building on Win?

go: downloading github.com/Threagile/threagile v0.0.0-20201115181100-9a846523ea83
go: github.com/Threagile/threagile upgrade => v0.0.0-20201115181100-9a846523ea83
go get: github.com/Threagile/threagile@v0.0.0-20201115181100-9a846523ea83: parsing go.mod:
	module declares its path as: github.com/threagile/threagile
	        but was required as: github.com/Threagile/threagile

Examples in readme do not work.

Why do none of the readme examples work?

docker run --rm -it --platform=linux/amd64 -v "$(pwd)":app/work threagile/threagile create-stub-model -output app/work
docker: Error response from daemon: invalid volume specification: '/host_mnt/Users/smoore/Develop/sre-services/threagile/docker:app/work': invalid mount config for type "bind": invalid mount path: 'app/work' mount path must be absolute.
See 'docker run --help'.

So I fix the path:

docker run --rm -it --platform=linux/amd64 -v "$(pwd)":/app/work threagile/threagile create-stub-model -output /app/work
2024/04/23 12:55:43 Unable to read/parse model yaml: open threagile.yaml: no such file or directory

So I add an example:

docker run --rm -it --platform linux/amd64 --shm-size=256m -v "$(pwd)/threagile.yaml":"/app/threagile.yaml" threagile/threagile create-stub-model -output /app/work
Fontconfig error: No writable cache directories
Fontconfig error: No writable cache directories
Fontconfig error: No writable cache directories
Fontconfig error: No writable cache directories
Fontconfig error: No writable cache directories
Fontconfig error: No writable cache directories
Fontconfig error: No writable cache directories
Fontconfig error: No writable cache directories

The documentation needs to be accurate.

Authorization

Hello Christian,

I have taken a closer look at Threagile. Cool 👍

Then I tried to introduce a new built-in risk:
missing-authorization-rule.go.txt

I have a suggestion:

Instead of:
authentication: credentials
authorization: enduser-identity-propagation

I have something like this in mind:
authentication: credentials
identity: enduser-identity-propagation or workload-identity or technical-user
authorization: rbac, abac, method-level, data-level

In other words: introduce a property identity and introduce new enums for authorization.

What do you think of that?

Best regards, Rocco

Feature Request: Show line number on error of model validation

Currently I tried to use threagile and created a model from the stub. When I try to execute threagile on that model I get the following error:

Parsing model: /app/work/threagile-model.yaml 2020/11/13 09:59:42 Unknown 'machine' of technical asset: Unknown 'machine' of technical asset:

I have a few technical assets in my model, so it would be handy to get the line number of the model file in the error message.

Risk - Denial of Service by encrypting data in Cloud Storage and removing the key

Risk: All data within cloud storage might be encrypted and can lead to DoS by deleting the key.

Remediation: Increase deletion time of keys (e.g. KMS) and bring up a watch of possible deletion of keys. Create an alerting for non-tagged resources marked for deletion or stop the deletion process by use of AWS Config rules.

Segmentation fault on incomplete threat model

I create a threat model and am in the middle of creation, now I need to clean out all the stuff I forgot. During this journey I encounter some crashes (see #65). Now I have one I cannot easily fix myself:

[signal SIGSEGV: segmentation violation code=0x1 addr=0x30 pc=0x6d818a]

goroutine 1 [running]:
github.com/threagile/threagile/pkg/security/risks/builtin.(*ServerSideRequestForgeryRule).createRisk(0xcbd480?, 0xc0001a4d88, 0xc0004c1760, 0xc000304ea0)
        /app/pkg/security/risks/builtin/server-side-request-forgery-rule.go:92 +0x70a
github.com/threagile/threagile/pkg/security/risks/builtin.(*ServerSideRequestForgeryRule).GenerateRisks(0x160b560, 0xc0001a4d88)
        /app/pkg/security/risks/builtin/server-side-request-forgery-rule.go:56 +0x305
github.com/threagile/threagile/pkg/model.applyRiskGeneration(0xc0001a4d88, 0xc00026a030, {0x160b560, 0x0, 0x8?}, {0xf45468, 0xc0000129fe})
        /app/pkg/model/read.go:97 +0x2a2
github.com/threagile/threagile/pkg/model.ReadAndAnalyzeModel(0xc0004e1188, {0xf45468, 0xc0000129fe})
        /app/pkg/model/read.go:56 +0x539
github.com/threagile/threagile/internal/threagile.(*Threagile).initAnalyze.func1(0xc0004bcc00?, {0xda0c41?, 0x4?, 0xda0c45?})
        /app/internal/threagile/analyze.go:21 +0xec
github.com/spf13/cobra.(*Command).execute(0xc0004ec608, {0xc000467240, 0x4, 0x4})
        /go/pkg/mod/github.com/spf13/[email protected]/command.go:983 +0xaca
github.com/spf13/cobra.(*Command).ExecuteC(0xc0004ec308)
        /go/pkg/mod/github.com/spf13/[email protected]/command.go:1115 +0x3ff
github.com/spf13/cobra.(*Command).Execute(...)
        /go/pkg/mod/github.com/spf13/[email protected]/command.go:1039
github.com/threagile/threagile/internal/threagile.(*Threagile).Execute(0xc0006bef00)
        /app/internal/threagile/threagile.go:16 +0x25
main.main()
        /app/cmd/threagile/main.go:12 +0x32

I added (in pkg/security/risks/builtin/server-side-request-forgery-rule.go)

	// report error if no trustboundary found, this does not fix the crash but at least I know where to fix stuff
	if input.TrustBoundaries[technicalAsset.GetTrustBoundaryId(input)] == nil {
		_, _ = fmt.Fprintf(os.Stderr, "missing trust boundary for technical asset: %q\n", technicalAsset.Id)
	}

before:

	// adjust for cloud-based special risks
	if impact == types.LowImpact && input.TrustBoundaries[technicalAsset.GetTrustBoundaryId(input)].Type.IsWithinCloud() {
		impact = types.MediumImpact
	}

This does not fix the crash but at least I got a hint what I need to fix.

I think the bug is somewhere else. There should be some kind of sanitize method after the parse that checks for the existence of technical assets inside of trust boundaries, and even more if there are more dependencies. Or the createRisk methods need a way to report an error.
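The post-parse validation pass the issue asks for, as an added example in Go that is not Threagile's own code: the types, TrustBoundaryOf, ValidateReferences, AdjustImpactForCloud and the sample model are all simplified stand-ins constructed here. It reports every dangling reference after parsing, and shows a nil-safe form of the "adjust for cloud-based special risks" step that keeps the impact unchanged when an asset sits outside every trust boundary.

```go
package main

import (
	"fmt"
	"sort"
)

// Simplified stand-ins for Threagile's model types, constructed for this
// example (not the project's own pkg/model or pkg/security/types).
type RiskExploitationImpact int

const (
	LowImpact RiskExploitationImpact = iota
	MediumImpact
)

type TrustBoundaryType string

// IsWithinCloud mirrors the question the SSRF rule asks of a trust boundary.
func (t TrustBoundaryType) IsWithinCloud() bool {
	return t == "network-cloud-provider" || t == "network-cloud-security-group"
}

type TrustBoundary struct {
	Type                  TrustBoundaryType
	TechnicalAssetsInside []string
}
type CommunicationLink struct{ Id, TargetId string }
type TechnicalAsset struct{ CommunicationLinks []CommunicationLink }
type Model struct {
	TechnicalAssets map[string]TechnicalAsset
	TrustBoundaries map[string]TrustBoundary
}

// TrustBoundaryOf returns the boundary directly containing an asset and whether one exists,
// so a rule never indexes the boundary map with an empty id and dereferences nil.
func (m Model) TrustBoundaryOf(assetId string) (TrustBoundary, bool) {
	for _, tb := range m.TrustBoundaries {
		for _, inside := range tb.TechnicalAssetsInside {
			if inside == assetId {
				return tb, true
			}
		}
	}
	return TrustBoundary{}, false
}

// AdjustImpactForCloud is a nil-safe form of the cloud adjustment step: an asset outside every boundary keeps its impact.
func (m Model) AdjustImpactForCloud(assetId string, impact RiskExploitationImpact) RiskExploitationImpact {
	if tb, ok := m.TrustBoundaryOf(assetId); ok && impact == LowImpact && tb.Type.IsWithinCloud() {
		return MediumImpact
	}
	return impact
}

// ValidateReferences collects every dangling reference after parsing instead of letting a risk rule crash on it.
func (m Model) ValidateReferences() []string {
	var problems []string
	for tbId, tb := range m.TrustBoundaries {
		for _, assetId := range tb.TechnicalAssetsInside {
			if _, ok := m.TechnicalAssets[assetId]; !ok {
				problems = append(problems, fmt.Sprintf("trust boundary %q lists unknown technical asset %q", tbId, assetId))
			}
		}
	}
	for assetId, ta := range m.TechnicalAssets {
		if _, ok := m.TrustBoundaryOf(assetId); !ok {
			problems = append(problems, fmt.Sprintf("technical asset %q is not inside any trust boundary", assetId))
		}
		for _, link := range ta.CommunicationLinks {
			if _, ok := m.TechnicalAssets[link.TargetId]; !ok {
				problems = append(problems, fmt.Sprintf("communication link %q of %q targets unknown asset %q", link.Id, assetId, link.TargetId))
			}
		}
	}
	sort.Strings(problems) // map iteration order is random; keep the report deterministic
	return problems
}

// SampleModel is a constructed, deliberately incomplete model: the web server sits in a cloud boundary,
// the database was never placed in one, the boundary names a missing asset, and one link targets a missing asset.
func SampleModel() Model {
	return Model{
		TechnicalAssets: map[string]TechnicalAsset{
			"web-server": {CommunicationLinks: []CommunicationLink{
				{Id: "web-server>database", TargetId: "database"},
				{Id: "web-server>cache", TargetId: "cache"},
			}},
			"database": {},
		},
		TrustBoundaries: map[string]TrustBoundary{
			"cloud": {Type: "network-cloud-provider", TechnicalAssetsInside: []string{"web-server", "ghost-asset"}},
		},
	}
}
```

Running ValidateReferences on SampleModel yields three findings (the missing "cache" target, the "database" asset outside every boundary, and the "ghost-asset" listed by the boundary), and AdjustImpactForCloud raises only the cloud-hosted web server from low to medium impact.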

Error when building with Dockerfile.local

I'm running into an interesting error. When I use the Dockerfile to build threagile, the application is running without any issues. However, if I clone the repo locally, then build it using the Dockerfile.local, I see the error
{"error":"graph rendering call failed with error:fork/exec /app/render-data-flow-diagram.sh: no such file or directory"}

Any ideas why that might be?

Okta integration

I would like to contribute adding the Okta integration for threagile. Can you please provide me with some hints?

Feature Request: Localization

It would be nice to have some means to localize the templates and risks in the go-files. This would allow us to create reports in other languages.

What's the use of size attribute for technical assets?

Hi, I've been looking through the code and some attributes, like protocol, are used in functions that are in the logic for different risks. But for size of technical asset (system, service, application, component), I can't find them being used anywhere. I see them declared in different technical assets in the add-build-pipeline-macro.go and add-vault-macro.go but don't see them used in code or impact threats in anyway? Any advice appreciated. Thanks!

Extendable "Protocol" and "TechnicalAssetTechnology" classes - move to yaml files

Create a "protocols" folder and a "technicalassettechnology" folder. In there define the protocols and assets as .yaml files (one for each protocol/asset).

The code for the protocols/assets can then be removed from types.go

That way everyone can extend Threagile in a simple way. And especially protocols and TechnicalAssets are growth-candidates.

Currently those are defined in the code. And there are several functions defining the features of those. isEncrypted is an example. This can just be a bool value for the protocol description yaml.

Typo in Impact statement of cloud hardening risk

Summary

There is a typo in the PDF report when displaying the impact analysis "Missing Cloud Hardening" risk (page 8; Impact Analysis of X Remaining Risks in Y Categories).

Expected

If this risk is unmitigated, attackers might access cloud components in an unintended way.

Actual

If this risk is unmitigated, attackers might access cloud components in an unintended way and .

Root Cause

The hard-coded string used to define the risk category contains the typo, see here:

Impact: "If this risk is unmitigated, attackers might access cloud components in an unintended way and .",

Feature Request: Add binary artifact to Releases section

This is a great tool!

To help increase adoption of this tool, consider tagging the project when it is at a stable point and building binary artifacts in multiple OSes and architectures, then adding these binary artifacts to the Releases section of this repository. Then people don't need to compile the project with Go in order to use this tool. All they have to do is go to https://github.com/Threagile/threagile/releases and download the ZIP for their os/arch.

Redundant pulls in docker script and users in docker file

Hello.

I'd like to put up a pull request. I have it ready to go.
I just need to push up a few lines of code to first fix redundant code in your script,
then fix a portion of your docker file and finally demonstrate how this is supposed to be done.

Let me know how to proceed.

Kind Regards,
Chris

Add a way to express proxy connections

It would be great to show communication links passing through proxies - e.g. by adding a "via" field (or even list) to the communication_links entries.

Add an option to pretty-format risks.json

risks.json is a great way to visualize output changes in PRs (if Threagile output is stored in git).

There should be an option to pretty-print that output for easier reviews.

Risk - Cross Account Takeover

Risk: Misconfigured cross-account access (Account A -> Account B) can lead to a takeover of another account and enables an attacker to move laterally, compromise a multi-tenant setup and break isolation of VPCs/Accounts.

Risk - Public Shared Snapshots

Risk: EC2 AMI/EBS/RDS snapshots that contain an "isPublic = true" are shared globally, leading to information disclosure/leakage, if, for example, the shared AMI contains credentials which were unintentionally baked into the image.

Remediation: Establish an AWS Config rule that revokes all public sharing capabilities, make audits of the configuration.
