reply_0067.md
- Alignment
  - https://www.threatmodelingmanifesto.org/
  - Threat Model Cheatsheet from OWASP mentions defining the dataflow
    - https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Threat_Modeling_Cheat_Sheet.md#define-data-flow-over-your-dfd
  - https://github.com/OWASP/threat-dragon/issues/437
  - Data Flow serialization is our current Open Architecture
    - We will evolve over time
  - Let's make sure that we include all the items which we would like to see in a manifest (manifest metadata)
    - [ ] schema
    - [ ] format name
    - [ ] version
    - https://github.com/intel/dffml/issues/1287
- 2022-06-11 - state of the art - time travel, system context
  - Upstream
    - Past
  - Overlay
    - Present
  - Orchestration
    - Takes us to the future
  - The Open Architecture (aka Alice) is
    - A proxy for domain specific representations of architecture
    - The metadata that helps us understand each domain specific representation of architecture is called the manifest metadata
    - The term manifest is used to describe a domain specific representation of architecture
    - Each node in an Open Architecture graph is a manifest
    - The top level document aka Alice aka the Open Architecture itself is a manifest
- Living Threat Models Are Better Than Dead Threat Models
  - https://us06web.zoom.us/j/89207603012?pwd=bUF2c2Q1WWthUm01WS9hREZsOVBQQT09
  - Demo
    - [ ] Show generation of THREATS.md using `alice threats`
    - [ ] Explain Open Architecture (above)
    - [ ] Talk to Manifest Schema (https://github.com/intel/dffml/discussions/1369#discussioncomment-2603269)
    - [ ] Explain demo (below)
    - [ ] Run demo again
    - [ ] Head to mention section and mention future work and how to get involved
  - TODO
    - [ ] Initial Threat Dragon Source
      - 7969de3a0dc84ba1ddaef605744072e1cdaecb9f
    - [ ] Add manifest metadata to Threat Dragon Source Records via `extra`
      - 51799da78a56f3557101fed0524c571fca0ce195
    - [ ] `TheatsMarkdownSource` which outputs a feature within a record which is an Open Architecture (a System Context, a dataflow; remember a dataflow alone is just a system context where the upstream is the dataflow and everything else is unset) to a `THREATS.md` file
    - [ ] Merge with Record with image data of screenshot from Threat Dragon
      - https://user-images.githubusercontent.com/5950433/173202578-d2d5495b-8c4a-4383-9577-0e807ef442eb.png
    - [ ] Modify DataFlow to include manifest metadata
    - [ ] Use Data Flow Preprocessing Source as the merge source which pulls from the Threat Dragon source and converts to a dataflow
    - [ ] Initial Open Architecture Source where we use `dffml service dev export` programmatically, similarly to what was done with CVE Bin Tool (https://github.com/intel/cve-bin-tool/blob/7cb90d6009d047dfc08dead28110f2314d8c016a/cve_bin_tool/output_engine/threats.py#L88-L143), to take a feature which is a dataflow and output it to a JSON file
    - [ ] Record demo (copy out a slice from asciinema, ensure we record with a terminal at 1080p)
    - [ ] Mention:
      - [ ] The Open Architecture is currently mostly contained within this thread. Please comment within the thread and it will be converted to a PR soon.
      - [ ] Mention we are meeting in July and to comment in this thread to get an invite (link will also be posted there)
        - [ ] https://github.com/intel/dffml/discussions/1369#discussioncomment-2929904
      - [ ] We are hoping the working group will land under the OpenSSF. We've engaged with them previously about aligned work and are waiting until after our first meeting in July to ensure we are all aligned before engaging further ("we have not yet discussed defining the SPDX Abstract Syntax Tree" [David Kemp] - Could this be related?)
- Future Work
  - CVE Bin Tool does scan, outputs open architecture
    - https://github.com/intel/cve-bin-tool/pull/1698
    - Optionally runs any auditors via overlays
      - Overlays can be arbitrarily layered
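Added example (not dffml project code) of the manifest metadata checks described above: every node, including the top-level document, must carry schema, format name and version; a bare dataflow is treated as a system context with only upstream set; overlays are validated recursively because they can be arbitrarily layered. The JSON key names and the sample document are assumptions for this example.

```python
import json
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# Key names are assumptions for this example; the notes only list "schema",
# "format name" and "version" as the metadata every manifest must carry.
REQUIRED_METADATA = ("schema", "format_name", "version")
PARTS = ("upstream", "overlay", "orchestration")  # past, present, future

@dataclass
class SystemContext:
    upstream: Dict[str, Any]                        # past: the dataflow itself
    overlay: Optional[Dict[str, Any]] = None        # present
    orchestration: Optional[Dict[str, Any]] = None  # takes us to the future

def as_system_context(doc: Dict[str, Any]) -> SystemContext:
    """A dataflow alone is a system context whose upstream is the dataflow
    and whose overlay and orchestration are left unset."""
    if not any(part in doc for part in PARTS):
        return SystemContext(upstream=doc)
    return SystemContext(doc.get("upstream", {}), doc.get("overlay"), doc.get("orchestration"))

def validate(doc: Dict[str, Any], path: str = "$") -> List[str]:
    """Every node of the graph, the top-level document included, is a manifest,
    so each must declare its metadata before a consumer acts on its contents.
    Overlays can be layered arbitrarily, so the parts are checked recursively."""
    problems = [f"{path}: missing {key}" for key in REQUIRED_METADATA if key not in doc]
    ctx = as_system_context(doc)
    if ctx.upstream is doc:  # bare dataflow: its metadata was checked above
        return problems
    for part in PARTS:
        node = getattr(ctx, part)
        if node is not None:
            problems.extend(validate(node, f"{path}.{part}"))
    return problems

# Constructed sample: a top-level document whose overlay wraps a Threat Dragon
# manifest that omits its schema, which the validator must flag.
SAMPLE = json.loads("""{
  "schema": "https://example.invalid/open-architecture/v0", "format_name": "open-architecture", "version": "0.0.1",
  "upstream": {"schema": "https://example.invalid/dataflow/v0", "format_name": "dataflow", "version": "0.0.1",
               "operations": {"alice_threats": {}}},
  "overlay": {"schema": "https://example.invalid/open-architecture/v0", "format_name": "open-architecture", "version": "0.0.1",
              "upstream": {"format_name": "threat-dragon", "version": "2"}}
}""")

if __name__ == "__main__":
    print(validate(SAMPLE))  # ['$.overlay.upstream: missing schema']
```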
---
- [ ] Docker compose analysis to supplement / generate same as `good.json`
- [ ] SPDX 3.0 security profiles for policy (input network / umbrella / gatekeeper / open policy agent?)
- [ ] VEX as links?
  - https://www.cisa.gov/sites/default/files/publications/VEX_Use_Cases_Aprill2022.pdf
---
- The following is the bad threat model John W made

![image](https://user-images.githubusercontent.com/5950433/173202578-d2d5495b-8c4a-4383-9577-0e807ef442eb.png)