Security/Mentorships/MWoS/2014/online threat modeling tool

From MozillaWiki
< Security‎ | Mentorships‎ | MWoS‎ | 2014
Jump to: navigation, search
WinterOfSecurity logo light horizontal.png

Team

Introduction

We are a team of student web developers based in Atlantic Canada who love clean code and big challenges. We are working on a web-based threat modelling tool called SeaSponge.

GitHub repository Grading Criteria Project Folder

Members

Project

Description

Threat modelling is an important part of designing an application, and a threat model diagram is a very useful way to document the threats that apply to your application. Unfortunately there are a very limited number of threat modelling tools available, and most of those are restricted to specific platforms. This project is to create an online HTML5 application which will allow the user to easily create threat model diagrams online. It should be very easy to use, and allow the diagrams to be exported in the most common image formats. The graphical elements of the Microsoft Threat Modeling tool are a good example of the type of functionality required.

Scope

The scope of this project is to plan, design, and create an accessible & easy-to-use threat modeling tool.

Success Criteria

  • Build a fully-fledged web-based client-side tool for designing software architectures
  • Analyze element interactions based on STRIDE attributes, identify threat impact using DREAD, and generate security vulnerability reports
  • The tool should have a comparable amount of features and functionality to the Microsoft Threat Modelling Tool.
  • The tool should have well-bred documentation so that people can start using it.
  • Exporting/Importing from the Microsoft MDL format

Milestones

  • Initial Setup + Repository Ready (Early August)
  • Initial Planning/Idea-Generation/UI Design Stage (Mid-Septemeber)
  • Create Graph drawing interface (???)
  • Save/Export Graph feature (???)
  • Analyze STRIDE interactions and generate reports for end-user (???)
  • Create good documentation (both for users and developers) and a series of one-minute tutorial videos (???)
  • Spread the word! (???)

Technical Design

To keep things simple - our application is completely client-side. Users may export their projects and save them onto their hard drives (and load them later on), or they may save their projects onto local storage.

Software Description
Twitter Bootstrap A front-end framework used for clean design
jsPlumb A powerful HTML5 graph drawing toolkit
AngularJS Client-side MVC Framework for single-page web applications
CoffeeScript JavaScript with syntactic sugar

Updates

Group Meeting: July 31, 2014

Current Work
  • -
Blocking points
  • -
Discussion Points
  • Welcome to MWoS
  • Forms + Setup
  • Where to learn more about threat modeling (Book, Microsoft Videos)
Upcoming Work
  • Investigate Libraries to use
  • Sign Forms + Join Wiki
  • Decide Name for Project
  • Create Team Introduction
  • Decide time for regular meeting

Update: August 27, 2014

  • Wednesdays have been decided for the weekly meeting
  • Academic grading structure has been finalized by Dr. Lingras

Group Meeting: September 3, 2014

Current Work
  • We have looked into some security modeling things
  • School has just begun
Blocking points
  • -
Discussion Points
  • Getting Started
  • Where to learn more about threat modeling (Book, Microsoft Videos)
  • Investigate features
  • Importing from SDL is a crucial feature
Upcoming Work
  • Make list of all Features to add (get inspiration from Microsoft SDL Tool, ect)
  • Start creating UI mockups and software design

Group Meeting: September 10, 2014

Blocking points
  • -
Discussion Points
  • Current List of Features (still in progress)
  • Using Skype for communication
  • Agenda to be created by Mat
Upcoming Work
  • Finalize list of all Features by September 15th
  • Finalize UI mockups and software design by September 15th

Group Meeting: September 17, 2014

Blocking points
  • -
Discussion Points
  • Current List of Features looks good
  • Forget about saving to DropBox/Google Drive
Upcoming Work
  • Finish Scaffolding
  • Assign Tasks + Roles for project

Group Meeting: September 24, 2014

Finished so far
  • Scaffolding almost finished
Discussion Points
  • Getting help for importing the Microsoft File format
  • Using Slack
Upcoming Work
  • Finalize the Scaffolding
  • Assign roles for project

Group Meeting: October 1, 2014

Finished so far
  • Scaffolding almost finished
  • Coding conventions
Discussion Points
  • We will get access to Safari Books soon
  • Version 3 of Microsoft tool may be supportable, if not focus on 2014 only
  • People don't like modals, mostly removed from Firefox. People may not want to load application if they get there by mistake.
  • Multiple diagrams is very valuable, as we will see in the book
  • Stencils/Prefabs, test multiple layouts (tabs, dropdown, etc.) See Github issue
Upcoming Work
  • Finalize the Scaffolding
  • Find more template ideas for notes. See Github issue
  • Work on drag and drop. See Github issue
  • Start decomposing Microsoft .tm4 format

Group Meeting: October 8, 2014

Finished so far
  • Scaffolding almost finished
  • Coding conventions
Discussion Points
  • Safari books access should happen on next update
  • Focus on 2014 of microsoft tool only
  • Discussed Content Security Policy and the difficulty with backwards compatibility
  • Creating a video when scaffolding/UI is done to show how the app is going to work to get more feedback (Mozilla, Profs, etc.)
Upcoming Work
  • Finalize the Scaffolding
  • Find more template ideas for notes. See Github issue
  • Work on drag and drop. See Github issue
  • Continue decomposing Microsoft .tm4 format
  • Make the video mentioned above
  • Start reading into STRIDE and working on generating it aswell as reports

Group Meeting: November 5, 2014

Discussion Points
  • Physical books are en route
  • Modularize threat models to be elements in bigger models
  • Implement tag system for elements, connections, and boundaries
  • Templating systems/notes will help give greater context (valuable). See Github issue
Upcoming Work
  • Continue decomposing Microsoft .tm4 format
  • Create a draft file format
  • Create a new document proposal for timeline and features

Group Meeting: November 19, 2014

Discussion Points
  • Use data-url and configured MIME type instead of File API
  • Look into XSL Transformations instead of writing XML parser
  • Schema changes

References

  1. Threat Modeling Tool Principles
  2. Threat Threat Modeling (Microsoft Book)
  3. The STRIDE Threat Model
  4. DREAD: Risk assessment model
  5. Threat Modeling Series from MDN
  6. Threat Modeling Lessons from Star Wars (and elsewhere)
Retrieved from "https://wiki.mozilla.org/index.php?title=Security/Mentorships/MWoS/2014/online_threat_modeling_tool&oldid=1066018"