Add threat model capabilities to CycloneDX / TM-BOM

[stevespringett]

There have been several discussions with the threat modeling community, from users and open source and commercial vendors, to add support for natively representing threat models in CycloneDX.

Currently, threat models can be represented via an external reference and the threat model can either point to a URL and be inline via a data component. This allows capturing everything from OTM and MS TMT output.

There has recently been a desire by tool vendors to use OTM as a potential short-term solution and leverage CycloneDX as a long term solution. This would allow, for example, a native threat model to be represented in CycloneDX which would describe any component or service such as an application, AI model, or web service.

BOM-Link would be used to point the existing threat-model external reference to the threat model, either in the same BOM or in a dedicated TM-BOM.

This ticket is to track the proposed enhancement to the core specification that would add:

• Threats
• Weaknesses
• DFDs
• Attack trees with monetary values
• Methodology agnostic - support for STRIDE, PASTA, LINDDUN, etc
• Support for security, privacy, safety, and process threat modeling

[adamshostack]

Scope is important -- I think adding monetary values to a TM is likely a bridge too far.

[adamshostack]

Attack trees are a representation of relationships between threats (and possibly mitigations and other stuff) and not a fundamental unit.

[adamshostack]

More generally, I think that a threat model may not be the thing you want to track in a BOM. I think what I want as a consumer is not the analysis (threat modeling as a verb) or the results (threat modeling as a noun), but the things that I, as a consumer care about: the accepted/transferred/residual dangers associated with the thing. I think that includes some elements like:

• Network connections (listening ports, outbound connections, the latter IETF MUD is interesting)
• Files accessed (inside my area, system files, possibly tainted opened; read/write opens or permissions needed)
• setuid files installed

But the transferred risks are more broad.

[jgadsden]

We have a some proof of concepts for TMBOM:

• TMBOM (pytm) based on the tm.py on pytm website
• TMBOM (OTM) using the OTM example threat model
• Multi diagram TMBOM that has a combined threat model containing two diagrams / models

[jgadsden]

The TMBOMs conforms to the CycloneDX schema if we add the following:

% diff bom-1.6.schema.orig.json bom-1.6.schema.json
850c850,851
<             "cryptographic-asset"
---
>             "cryptographic-asset",
>             "threat-model"
865c866,867
<             "cryptographic-asset": "A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets."
---
>             "cryptographic-asset": "A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets.",
>             "threat-model": "A threat model including threats, remediations, vunerabilities and model components."