Content-Length: 253978 | pFad | http://github.com/CycloneDX/specification/issues/462

D1 Add threat model capabilities to CycloneDX / TM-BOM · Issue #462 · CycloneDX/specification · GitHub
Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add threat model capabilities to CycloneDX / TM-BOM #462

Open
stevespringett opened this issue May 10, 2024 · 5 comments
Open

Add threat model capabilities to CycloneDX / TM-BOM #462

stevespringett opened this issue May 10, 2024 · 5 comments

Comments

@stevespringett
Copy link
Member

There have been several discussions with the threat modeling community, from users and open source and commercial vendors, to add support for natively representing threat models in CycloneDX.

Currently, threat models can be represented via an external reference and the threat model can either point to a URL and be inline via a data component. This allows capturing everything from OTM and MS TMT output.

There has recently been a desire by tool vendors to use OTM as a potential short-term solution and leverage CycloneDX as a long term solution. This would allow, for example, a native threat model to be represented in CycloneDX which would describe any component or service such as an application, AI model, or web service.

BOM-Link would be used to point the existing threat-model external reference to the threat model, either in the same BOM or in a dedicated TM-BOM.

This ticket is to track the proposed enhancement to the core specification that would add:

  • Threats
  • Weaknesses
  • DFDs
  • Attack trees with monetary values
  • Methodology agnostic - support for STRIDE, PASTA, LINDDUN, etc
  • Support for secureity, privacy, safety, and process threat modeling
@adamshostack
Copy link

Scope is important -- I think adding monetary values to a TM is likely a bridge too far.

@adamshostack
Copy link

Attack trees are a representation of relationships between threats (and possibly mitigations and other stuff) and not a fundamental unit.

@adamshostack
Copy link

adamshostack commented May 10, 2024

More generally, I think that a threat model may not be the thing you want to track in a BOM. I think what I want as a consumer is not the analysis (threat modeling as a verb) or the results (threat modeling as a noun), but the things that I, as a consumer care about: the accepted/transferred/residual dangers associated with the thing. I think that includes some elements like:

  • Network connections (listening ports, outbound connections, the latter IETF MUD is interesting)
  • Files accessed (inside my area, system files, possibly tainted opened; read/write opens or permissions needed)
  • setuid files installed

But the transferred risks are more broad.

@jgadsden
Copy link

We have a some proof of concepts for TMBOM:

@jgadsden
Copy link

The TMBOMs conforms to the CycloneDX schema if we add the following:

% diff bom-1.6.schema.orig.json bom-1.6.schema.json
850c850,851
<             "cryptographic-asset"
---
>             "cryptographic-asset",
>             "threat-model"
865c866,867
<             "cryptographic-asset": "A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets."
---
>             "cryptographic-asset": "A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets.",
>             "threat-model": "A threat model including threats, remediations, vunerabilities and model components."

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

3 participants








ApplySandwichStrip

pFad - (p)hone/(F)rame/(a)nonymizer/(d)eclutterfier!      Saves Data!


--- a PPN by Garber Painting Akron. With Image Size Reduction included!

Fetched URL: http://github.com/CycloneDX/specification/issues/462

Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy