
Demo #1

Closed
1 task
johnandersen777 opened this issue Jun 10, 2022 · 1 comment
johnandersen777 commented Jun 10, 2022

  • CVE Bin Tool PR
  • Excited about living threat models and their applications to help us keep our applications secure and understand if our code is doing what we think it's doing!
  • About John^2
    • Analysis of robustness of security posture
  • Demo
    • Good and bad threat models to THREATS.md
  • John W
    • auditor.py good.json
    • auditor.py bad.json
      • Finds issues and maps to CVSS
    • THREATS.md
  • Need to define a domain specific language
  • If we can get people to open source their threat models, we'll be able to understand how secure dependent projects are based on their usage (context)
  • Demo the creation of an LTM
    • Docs on how to extend
  • Call to action of defining the language
    • Community, flexible enough
    • As long as you speak schema XYZ then you can build visualization
    • How to deal with false positives (overlays for triage)
  • We understand this will not be easy, we know what it means to scan code, or third party stuff with CVEs, that might be an overlay, if it doesn't apply to you don't apply
  • John Andersen (15 minutes)
    • Demo
      • 1 or two threats in the threat matrix
    • Overlays
    • Open Architecture Working Group
      • Mention

  • Take threat model from good/bad
  • Operation and dataflow as possible schema, make ADRs for each
    • Show how we represent good/bad using the open architecture
  • Augment with scan data
    • Enumerate binaries found
    • Show how we represent these using the open architecture
  • Map classification wise to components within the threat model
  • Produce warnings and THREATS.md

  • Take manually generated threat model (good.json/bad.json) and produce open architecture
  • CVE Bin Tool does scan, outputs open architecture
  • Alice takes both architectures and outputs whatever format we want via whatever overlays we apply
    • THREATS.md by combining the two
    • She optionally runs any auditors via overlays
  • Overlays can be arbitrarily nested

  • Take manually generated threat model (good.json/bad.json) and produce open architecture
  • Alice takes both architectures and outputs whatever format we want via whatever overlays we apply
    • THREATS.md by combining the two
    • She optionally runs any auditors via overlays
  • Overlays can be arbitrarily layered
  • Future work
    • CVE Bin Tool does scan, outputs open architecture
@johnandersen777 johnandersen777 self-assigned this Jun 10, 2022
@johnandersen777 johnandersen777 changed the title Update THREATS.md and corresponding slide with output from cve-bin-tool Demo Jun 11, 2022