Threagile: Agile Threat Modeling
Threat analysis is not a new concept; it has been around since the 1990s, and threat modeling is becoming more popular thanks to the DevSecOps movement. There are other modeling tools out there, such as OWASP Threat Dragon (open source) and the Microsoft Threat Modeling Tool (free, but not open source). Threagile is an agile, open-source tool for threat modeling. The cool thing about Threagile is that it is based on declarative modeling: you describe your data assets, technical assets, communication links and trust boundaries in a YAML file, and the tool runs its built-in risk rules against that model to generate the report. Threagile is written in Go. One big advantage of open-source software is that we can always read the source code and even change it if we need to (for instance, to understand how the RAA score, Relative Attacker Attractiveness, is computed).

Security awareness is something that still needs work within engineering and product teams, and this tool is a great way to tear down the walls between InfoSec and engineering. Threagile is also dockerized, which makes it very easy to use and play with. You can version the YAML model in your service repository and generate the reports as part of your Jenkins build, for instance. Automation is the right way to go, especially at scale. Today I want to cover threat modeling a bit more and also show a video I made playing with Threagile. So let's get started.
Benefits of Threat Analysis
There are several benefits to doing this practice as a regular engineering task. First of all, it helps engineers take ownership of security, which makes the interactions with InfoSec more natural, more organic and more proactive over time. Another great effect is increased security consciousness in engineering and product teams.
Threat analysis provides a way to identify, enumerate, understand and communicate security improvements. It is also useful for prioritizing them: not every threat is worth the same effort, so rating threats by impact and likelihood tells you what to fix first. In agile teams, work is as cross-functional as possible. It is common for engineers to do architecture, design, QA, testing and even DevOps activities; the next step is to have engineers doing security activities proactively.
Methods
There are several methods out there, such as STRIDE, PASTA, LINDDUN, Attack Trees, Persona non Grata, Security Cards, hTMM, Trike, VAST, OCTAVE and others. CVSS is often mentioned alongside them, but it is a severity scoring system for rating the threats you find rather than a modeling method. STRIDE, published by Microsoft in 1999, is one of the most popular.
STRIDE stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege. Each category is the violation of a security property (authentication, integrity, non-repudiation, confidentiality, availability and authorization, respectively), and for each one there is a well-known family of mitigations.
Threagile classifies the risks its rules find into these STRIDE categories, and the generated report groups them that way. Let's see Threagile in action.
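To make the "declarative model in, STRIDE-classified risks out, gate the build" flow from the first section concrete, here is an added example that is not Threagile's code and not from the original post. The MODEL dict is a constructed sample that mirrors the shape of a Threagile YAML model (data_assets, technical_assets with communication_links, risk_tracking); the two rules, their thresholds, the protocol list and the severity mapping are simplified assumptions written for this illustration, not Threagile's real rule implementations.

```python
"""Toy, Threagile-style risk rules over a declarative threat model.

Added illustration, not Threagile's own code: the MODEL dict mirrors the shape
of a Threagile YAML model (data_assets, technical_assets with
communication_links, risk_tracking) so you can see how declarative input
turns into STRIDE-classified risks and a CI gate. The rule logic, thresholds
and protocol list are simplified assumptions, not Threagile's real rules.
"""
import sys

SEVERITY_ORDER = ["low", "medium", "elevated", "high", "critical"]
CONFIDENTIALITY_RANK = {"public": 0, "internal": 1, "restricted": 2,
                        "confidential": 3, "strictly-confidential": 4}
# Assumption: a short list of transport-encrypted protocols for the toy rule.
ENCRYPTED_PROTOCOLS = {"https", "wss", "ssh", "sftp", "ldaps", "jdbc-encrypted"}
# Tracking statuses that take a risk out of the CI gate.
WAIVED_STATUSES = {"accepted", "mitigated", "false-positive"}

# Constructed sample model; in practice this is threagile.yaml, versioned next
# to the service and loaded with a YAML library.
MODEL = {
    "data_assets": {
        "customer-accounts": {"confidentiality": "confidential"},
        "marketing-material": {"confidentiality": "public"},
    },
    "technical_assets": {
        "customer-client": {"communication_links": {
            "Customer Traffic": {"target": "web-app", "protocol": "http",
                                 "authentication": "none",
                                 "data_assets_sent": ["customer-accounts"],
                                 "data_assets_received": ["marketing-material"]}}},
        "web-app": {"communication_links": {
            "DB Access": {"target": "customer-db", "protocol": "jdbc-encrypted",
                          "authentication": "credentials",
                          "data_assets_sent": ["customer-accounts"],
                          "data_assets_received": ["customer-accounts"]}}},
        "customer-db": {"communication_links": {}},
    },
    "risk_tracking": {},  # e.g. {"<risk-id>": {"status": "accepted", "ticket": "XYZ-1"}}
}

def severity_for(rank):
    """Assumption: severity scales with the most sensitive data on the link."""
    return ["low", "low", "medium", "high", "critical"][rank]

def data_rank(model, asset_ids):
    """Highest confidentiality rank among the data assets on a link."""
    assets = model["data_assets"]
    return max((CONFIDENTIALITY_RANK[assets[a]["confidentiality"]] for a in asset_ids), default=0)

def links(model):
    """Yield (source_id, link) for every communication link in the model."""
    for src, asset in model["technical_assets"].items():
        for link in asset.get("communication_links", {}).values():
            yield src, link

def risk(rule_id, stride, src, link, rank):
    # Risk ids are modelled on the "<rule>@<asset>" keys of Threagile's risk_tracking section.
    return {"id": f"{rule_id}@{src}>{link['target']}", "stride": stride,
            "severity": severity_for(rank), "source": src, "target": link["target"]}

def rule_unencrypted_communication(model):
    """Cleartext transport carrying restricted-or-above data: Information Disclosure."""
    for src, link in links(model):
        rank = data_rank(model, link["data_assets_sent"] + link["data_assets_received"])
        if link["protocol"] not in ENCRYPTED_PROTOCOLS and rank >= CONFIDENTIALITY_RANK["restricted"]:
            yield risk("unencrypted-communication", "Information Disclosure", src, link, rank)

def rule_missing_authentication(model):
    """Unauthenticated link carrying restricted-or-above data: Elevation of Privilege."""
    for src, link in links(model):
        rank = data_rank(model, link["data_assets_sent"] + link["data_assets_received"])
        if link["authentication"] == "none" and rank >= CONFIDENTIALITY_RANK["restricted"]:
            yield risk("missing-authentication", "Elevation of Privilege", src, link, rank)

RULES = [rule_unencrypted_communication, rule_missing_authentication]

def run_rules(model):
    """Run every rule over the model and collect the risks it raises."""
    return [r for rule in RULES for r in rule(model)]

def open_risks(model, risks):
    """Drop risks whose risk_tracking entry waives them (accepted, mitigated, false-positive)."""
    tracking = model.get("risk_tracking", {})
    return [r for r in risks if tracking.get(r["id"], {}).get("status") not in WAIVED_STATUSES]

def build_passes(model, risks, fail_at="high"):
    """CI gate: False if any non-waived risk is at or above the fail_at severity."""
    limit = SEVERITY_ORDER.index(fail_at)
    return all(SEVERITY_ORDER.index(r["severity"]) < limit for r in open_risks(model, risks))

def main():
    risks = run_rules(MODEL)
    for r in risks:
        print(f"{r['severity']:<9}{r['stride']:<24}{r['id']}")
    return 0 if build_passes(MODEL, risks) else 1

if __name__ == "__main__":
    sys.exit(main())
```

On the sample model the cleartext, unauthenticated browser-to-web-app link raises one Information Disclosure and one Elevation of Privilege risk, both rated high, so the script exits non-zero; adding an accepted entry under risk_tracking for a risk id, with a justification and ticket, is how a team records a consciously taken risk without the gate firing on it forever. The real tool does the same job from the YAML file: at the time of writing the README runs it as `docker run --rm -it -v "$(pwd)":/app/work threagile/threagile -verbose -model /app/work/threagile.yaml -output /app/work`, which writes the report, the data-flow diagram and a risks JSON file you can gate a Jenkins build on.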
The Video
The Source Code
I hope you guys like it. Take care.
Cheers,
Diego Pacheco