Security/Mentorships/MWoS/2014/online threat modeling tool

From MozillaWiki

Team

Introduction

We are a team of student web developers from Atlantic Canada who love clean code and big challenges. We are working on a web-based threat modelling tool called SeaSponge.

The GitHub repository for this project is available here.

Members

  • Mathew Kallada
  • Glavin Wiechert
  • Joel Kuntz
  • Sarah MacDonald
  • Professor: Dr. Pawan Lingras
  • Mozilla Advisor: Curtis Koenig

Project

Description

Threat modelling is an important part of designing an application, and a threat model diagram is a very useful way to document the threats that apply to your application. Unfortunately there are a very limited number of threat modelling tools available, and most of those are restricted to specific platforms. This project is to create an online HTML5 application which will allow the user to easily create threat model diagrams online. It should be very easy to use, and allow the diagrams to be exported in the most common image formats. The graphical elements of the Microsoft Threat Modeling tool are a good example of the type of functionality required.

Scope

The scope of this project is to plan, design, and create an accessible & easy-to-use threat modeling tool.

Success Criteria

  • Build a fully fledged web-based, client-side tool for designing software architectures
  • Analyze element interactions based on STRIDE attributes, identify threat impact using DREAD, and generate security vulnerability reports
  • The tool should have a comparable set of features and functionality to the Microsoft Threat Modeling Tool.
  • The tool should have well-written documentation so that people can start using it quickly.
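As an added example (not SeaSponge's own code) of the STRIDE and DREAD analysis the criteria above describe, this JavaScript enumerates STRIDE-per-element threats over a small constructed data-flow diagram and ranks the findings by DREAD score; the element types, zone names and rating keys are assumptions made for illustration.

```javascript
// STRIDE categories that apply to each DFD element type (the STRIDE-per-element mapping).
const STRIDE_PER_ELEMENT = {
  externalEntity: ["S", "R"],
  process: ["S", "T", "R", "I", "D", "E"],
  dataStore: ["T", "R", "I", "D"],
  dataFlow: ["T", "I", "D"],
};
// DREAD: five factors rated 1-10 each; the overall rating is their mean.
function dreadScore(r) {
  const f = [r.damage, r.reproducibility, r.exploitability, r.affectedUsers, r.discoverability];
  if (f.some((v) => !Number.isInteger(v) || v < 1 || v > 10)) {
    throw new RangeError("each DREAD factor must be an integer from 1 to 10");
  }
  return f.reduce((a, b) => a + b, 0) / f.length;
}
// Enumerate STRIDE threats for every element and flow; flows that cross a trust zone are flagged.
function enumerateThreats(diagram) {
  const byName = new Map(diagram.elements.map((e) => [e.name, e]));
  const findings = [];
  for (const el of diagram.elements) {
    for (const t of STRIDE_PER_ELEMENT[el.type] || []) {
      findings.push({ target: el.name, stride: t, crossesBoundary: false });
    }
  }
  for (const fl of diagram.flows) {
    const src = byName.get(fl.from), dst = byName.get(fl.to);
    if (!src || !dst) throw new Error(`unknown element in flow ${fl.from} -> ${fl.to}`);
    for (const t of STRIDE_PER_ELEMENT.dataFlow) {
      findings.push({ target: `${src.name} -> ${dst.name}`, stride: t, crossesBoundary: src.zone !== dst.zone });
    }
  }
  return findings;
}
// Apply DREAD ratings keyed "target|stride" (unrated findings score null) and sort highest risk first.
function buildReport(diagram, ratings) {
  return enumerateThreats(diagram)
    .map((f) => { const r = ratings[`${f.target}|${f.stride}`]; return { ...f, score: r ? dreadScore(r) : null }; })
    .sort((a, b) => (b.score ?? -1) - (a.score ?? -1));
}

// Constructed sample: a browser on the internet talking to a web app and database in the internal zone.
const SAMPLE_DIAGRAM = {
  elements: [
    { name: "Browser", type: "externalEntity", zone: "internet" },
    { name: "WebApp", type: "process", zone: "internal" },
    { name: "UserDB", type: "dataStore", zone: "internal" },
  ],
  flows: [{ from: "Browser", to: "WebApp" }, { from: "WebApp", to: "UserDB" }],
};
```

Calling `buildReport(SAMPLE_DIAGRAM, ratings)` with a ratings object for the findings you have assessed yields the sorted report; the "Browser -> WebApp" flow is the only one flagged as crossing a trust boundary in this sample.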

Milestones

  • Initial Setup + Repository Ready (Early August)
  • Initial Planning/Idea-Generation/UI Design Stage (Mid/End-August)
  • Create Graph drawing interface (???)
  • Save/Export Graph feature (???)
  • Analyze STRIDE interactions and generate reports for end-user (???)
  • Create good documentation (both for users and developers) and a series of one-minute tutorial videos (???)

Technical Design

To keep things simple, our application is completely client-side. Users may export their projects and save them to their hard drives (and load them again later), or save their projects to the browser's local storage.

Software: Description
  • Twitter Bootstrap: a front-end framework used for clean design
  • jsPlumb: a powerful HTML5 graph-drawing toolkit
  • EmberJS: a client-side MVC framework for single-page web applications

Updates

Group Meeting: July 31, 2014

Current Work
  • -
Blocking points
  • -
Discussion Points
  • Welcome to MWoS
  • Forms + Setup
  • Where to learn more about threat modeling (Book, Microsoft Videos)
Upcoming Work
  • Investigate Libraries to use
  • Sign Forms + Join Wiki
  • Decide Name for Project
  • Create Team Introduction
  • Decide time for regular meeting

References

  1. Threat Modeling Tool Principles
  2. Threat Modeling (Microsoft Book)
  3. The STRIDE Threat Model
  4. DREAD: Risk assessment model