Author Topic: Any plans to add a Threat Modeling feature?  (Read 4430 times)

Tom C

  • EA Novice
  • *
  • Posts: 14
  • Karma: +0/-0
    • View Profile
Any plans to add a Threat Modeling feature?
« on: October 15, 2010, 12:28:37 am »
We are in the beginning stages of developing a threat modeling process for incorporating into our SDLC. We have looked at a couple of tools available from Microsoft (SDL and TAM) and they both have limitations as far as supporting multi user development.

EA has Data Flow Diagrams, but nothing for constructing an entire threat model. Also, the DFD's do not have an element to support drawing a Trust Boundary.

Does EA have any plans to develop a feature that will support developing Threat Models?

Thanks in advance.
Tom

Geert Bellekens

  • EA Guru
  • *****
  • Posts: 11176
  • Karma: +410/-33
  • Make EA work for YOU!
    • View Profile
    • Enterprise Architect Consultant and Value Added Reseller
Re: Any plans to add a Threat Modeling feature?
« Reply #1 on: October 18, 2010, 04:36:42 pm »
Tom,

Do you mean threat or thread ?
And in either case, could you explain in a bit more detailed what this feature should be like? It could be that your requirements can already be met with existing functionality.

Geert

Frank Horn

  • EA User
  • **
  • Posts: 535
  • Karma: +1/-0
    • View Profile
Re: Any plans to add a Threat Modeling feature?
« Reply #2 on: October 18, 2010, 07:54:57 pm »
Sounds threatening...

Tom C

  • EA Novice
  • *
  • Posts: 14
  • Karma: +0/-0
    • View Profile
Re: Any plans to add a Threat Modeling feature?
« Reply #3 on: October 19, 2010, 12:24:29 am »
Geert,

I was referring to Threat modeling, which Microsoft has incorporated into their SDLC. They have developed a Security Development Lifecycle (SDL), which includes developing Threat Models for applications.

More information can be found at www.microsoft.com/sdl.

The tool they have developed is tied into Visio, which is single user file based tool and we would like to construct a Threat Model using EA. I am still learning about threat modeling so this information may not be a very good explanation of what is needed.

Basically, you model your application using a Data Flow Diagram (DFD), which EA supports with the exception of being able to draw Threat Boundaries. These are dashed lines that are an arc and any data flow (represented by an EA connector) that intersects a threat boundary needs to be identified as a threat. This is just one of the many features that needs to be provided by the threat model. There are classifications of the threat (acronym STRIDE) which have defined mitigation techniques applied based on the asset that is associated with the data flow (connector). These mitigations are provided on the threat model documentation that is generated from the model.

Each of the EA element types in a DFD is considered as an Asset, which needs to have properties assigned (probably EA Tagged Values) and reported on (which could be handled by creating a document template in EA).

Again, I am still learning about this and there are several features that could be automated with a tool such as EA, but it would be nice if EA could take a look at the features needed and provide something out of the box. Microsoft developed the SDL and the tooling back in 2006-2007 and hasn't done much since then and the tool defintlely does not support multi-user like EA. It would take some commitment on Sparx's part to analyze the process to be able to provide this type of feature and my post was just to inquire if Sparx had anything like this on their radar.

Thanks for your reply and interest.
Tom

Geert Bellekens

  • EA Guru
  • *****
  • Posts: 11176
  • Karma: +410/-33
  • Make EA work for YOU!
    • View Profile
    • Enterprise Architect Consultant and Value Added Reseller
Re: Any plans to add a Threat Modeling feature?
« Reply #4 on: October 19, 2010, 12:41:12 am »
Tom,

Whether or not Sparx will implement a feature like this depends mainly on the number of requests.
Make sure you don't forget to send a feature request to Sparx using the link on the bottom of this webpage.
Furtermore, if you can't wait for Sparx, you could always try do develop an MDG addin yourself.
From what I understood it can't really be too hard...

Geert

Guido K

  • EA Novice
  • *
  • Posts: 5
  • Karma: +0/-0
    • View Profile
Re: Any plans to add a Threat Modeling feature?
« Reply #5 on: May 07, 2020, 07:26:16 pm »
It has been 10 years ago since last reply, but did anyone find a proper solution?
Trust Boundary is not in the DFD toolbox yet in v15.

robert1

  • EA Novice
  • *
  • Posts: 1
  • Karma: +1/-0
    • View Profile
Re: Any plans to add a Threat Modeling feature?
« Reply #6 on: May 08, 2020, 08:13:59 am »
They added it in 15.1!

There's a decent video about it here:
https://www.youtube.com/watch?v=koe4GYCuAJA

I hope that helps!

Robert

Sunshine

  • EA Practitioner
  • ***
  • Posts: 1091
  • Karma: +101/-9
  • Its the results that count
    • View Profile
Re: Any plans to add a Threat Modeling feature?
« Reply #7 on: May 08, 2020, 03:38:46 pm »
They added it in 15.1!

There's a decent video about it here:
https://www.youtube.com/watch?v=koe4GYCuAJA

I hope that helps!

Robert
Thats right 15.1 has a cyber security MDG and its based on STRIDE.
  • Spoofing
  • Tampering
  • Repudiation
  • Information disclosure (privacy breach or data leak)
  • Denial of service
  • Elevation of privilege
I've just made our cyber security team aware of it. Of course I've got to get them thinking of modelling instead of doing stuff in MS word documents/Powerpoint slides.
By coincidence our cyber security manager who is on paternity leave at present is also called Tom C. Spooky
« Last Edit: May 08, 2020, 03:43:31 pm by Sunshine »
Happy to help
:)

Paolo F Cantoni

  • EA Guru
  • *****
  • Posts: 7911
  • Karma: +205/-124
  • Inconsistently correct systems DON'T EXIST!
    • View Profile
Re: Any plans to add a Threat Modeling feature?
« Reply #8 on: May 09, 2020, 10:20:18 am »
[SNIP]

I've just made our cybersecurity team aware of it. Of course, I've got to get them thinking of modelling instead of doing stuff in MS word documents/Powerpoint slides.
By coincidence, our cybersecurity manager who is on paternity leave at present is also called Tom C. Spooky
(my emphasis) Isn't this our essential problem?

Paolo
Inconsistently correct systems DON'T EXIST!
... Therefore, aim for consistency; in the expectation of achieving correctness....
-Semantica-
Helsinki Principle Rules!

Sunshine

  • EA Practitioner
  • ***
  • Posts: 1091
  • Karma: +101/-9
  • Its the results that count
    • View Profile
Re: Any plans to add a Threat Modeling feature?
« Reply #9 on: May 09, 2020, 11:40:58 am »
[SNIP]
(my emphasis) Isn't this our essential problem?

Paolo
Yes one step at a time. For me its gone like this
  • Architects
  • Business Analysts
  • Developers
  • Cyber Security Analysts
« Last Edit: May 10, 2020, 08:24:56 am by Sunshine »
Happy to help
:)

qwerty

  • EA Guru
  • *****
  • Posts: 12234
  • Karma: +346/-280
  • I'm no guru at all
    • View Profile
Re: Any plans to add a Threat Modeling feature?
« Reply #10 on: May 09, 2020, 05:23:03 pm »
Looking at big companies storing passwords of customers in plain text, I think I know where the security team is recruited from.

q.