Agile Threat Modeling as Code
Project description
tmac
Agile Threat Modeling as Code
Install
pip install tmac
How to use
python3 tmac.py
#!/usr/bin/env python3
from tmac import (Asset, DataFlow, DataStore, Machine, Model,
Process, Protocol, Score, TableFormat, Technology)
from tmac.plus import Browser
model = Model("Login Model")
user = Browser(model, "User")
web_server = Process(
model, "WebServer",
machine=Machine.VIRTUAL,
technology=Technology.WEB_WEB_APPLICATION,
)
login = DataFlow(
model, "Login",
source=user,
destination=web_server,
protocol=Protocol.HTTPS,
)
login.transfers(
"UserCredentials",
confidentiality=Score.HIGH,
integrity=Score.HIGH,
availability=Score.HIGH,
)
database = DataStore(
model, "Database",
machine=Machine.VIRTUAL,
technology=Technology.DATABASE,
)
authenticate = DataFlow(
model, "Authenticate",
source=web_server,
destination=database,
protocol=Protocol.SQL,
)
user_details = Asset(
model, "UserDetails",
confidentiality=Score.HIGH,
integrity=Score.HIGH,
availability=Score.HIGH,
)
authenticate.transfers(user_details)
print(model.risks_table(table_format=TableFormat.GITHUB))
Output:
SID | Severity | Category | Name | Affected | Treatment |
---|---|---|---|---|---|
CAPEC-63@WebServer | elevated | Inject Unexpected Items | Cross-Site Scripting (XSS) | WebServer | mitigated |
CAPEC-100@WebServer | high | Manipulate Data Structures | Overflow Buffers | WebServer | unchecked |
CAPEC-101@WebServer | elevated | Inject Unexpected Items | Server Side Include (SSI) Injection | WebServer | mitigated |
CAPEC-62@WebServer | high | Subvert Access Control | Cross Site Request Forgery | WebServer | unchecked |
CAPEC-66@WebServer | elevated | Inject Unexpected Items | SQL Injection | WebServer | unchecked |
... | ... | ... | ... | ... | ... |
Jupyter Threatbooks
Threat modeling with jupyter notebooks
Generating Diagrams
model.data_flow_diagram()
High level elements (tmac/plus*)
from tmac.plus_aws import ApplicationLoadBalancer
# ...
alb = ApplicationLoadBalancer(model, "ALB", waf=True)
Custom threatlib
from tmac import Model, Threatlib
threatlib = Threatlib()
threatlib.add_threat("""... your custom threats ...""")
model = Model("Demo Model", threatlib=threatlib)
Examples
See more complete examples.
Prior work and other related projects
- pytm - A Pythonic framework for threat modeling
- threagile - Agile Threat Modeling Toolkit
- cdk-threagile - Agile Threat Modeling as Code
- OpenThreatModel - OpenThreatModel
License
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
tmac-0.0.2.tar.gz
(25.3 kB
view hashes)
Built Distribution
tmac-0.0.2-py3-none-any.whl
(30.3 kB
view hashes)