
Threat modelling #5895

Open
ReneLombard opened this issue Sep 25, 2024 · 1 comment
Labels: Status: Triage (Needs to be verified, categorized, etc); Type: Enhancement (New feature or request); Type: New Diagram

Comments

@ReneLombard
Contributor

Proposal

Introduce support for creating threat modeling diagrams using Mermaid.js. Threat modeling is a critical process in cybersecurity, enabling architects, developers, and security professionals to identify, analyze, and document potential threats in a system's design. Integrating threat modeling diagrams will expand Mermaid.js's capabilities, allowing users to visualize threat landscapes directly in their documentation.

Key Features:

Nodes and Components:
Support for different types of components commonly found in threat modeling, such as:
  • Processes: Represented as circles or ovals.
  • Data Stores: Represented as open-ended rectangles.
  • External Entities / Actors: Represented as regular rectangles.
  • Data Flows: Arrows indicating data transfer between components.

Threat Indicators:
Allow the annotation of potential threats directly on the diagram using specific markers/icons (e.g., a warning triangle) to indicate threat categories such as Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege (STRIDE model).

Data Flow Lines:
Support for different line styles (solid, dashed, etc.) to represent different types of data flows, like secure vs. insecure communication.

Security Boundaries:
Ability to draw security boundaries (represented as dashed or bold lines/boxes) to highlight trust zones and separation between different security levels.

Labels and Descriptions:
Support for adding detailed labels and descriptions to each component, data flow, and threat indicator to provide context and information about identified risks.

Customizable Colors and Icons:
Allow customization of colors and icons for each element to match organizational threat modeling standards.

For more information, please see the following requirements: OWASP Threat Modelling

Use Cases

  • Security architects can use Mermaid.js to create threat models during system design reviews.
  • Developers can include threat models directly in documentation to ensure security concerns are considered throughout the development lifecycle.
  • Security analysts can leverage Mermaid.js to illustrate and communicate findings from threat assessments.

Screenshots

Basic Diagram

Syntax

threatModel
actor User
process "Web Application" as WebApp
dataStore "Database" as DB
dataFlow "User Request" from User to WebApp
dataFlow "Data Fetch" from WebApp to DB
boundary "Trust Boundary" {
WebApp
DB
}
threat "SQL Injection" on dataFlow "Data Fetch"

Implementation

None

@ReneLombard ReneLombard added Status: Triage Needs to be verified, categorized, etc Type: Enhancement New feature or request Type: New Diagram labels Sep 25, 2024
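The syntax block in the proposal is a DSL that Mermaid does not parse today. The following is an added example (not code from this issue or from the Mermaid project) that parses the proposed `threatModel` grammar exactly as shown above, emits an equivalent Mermaid flowchart that renders with current Mermaid (a `subgraph` for the trust boundary, circle/cylinder/rectangle shapes for process, data store and external entity, a dashed edge for a flow carrying a threat), and lists data flows that cross a boundary without any annotated threat. The shape mapping, the `(threat: ...)` edge-label convention, the function names and the boundary-crossing check are this example's own assumptions, not anything the issue specifies.

```javascript
// Added example (not Mermaid's code): parse the threatModel syntax proposed in
// mermaid issue #5895, convert it to a Mermaid flowchart, and report data
// flows that cross a trust boundary without a threat annotation.
// Assumptions: grammar exactly as in the issue's Syntax block; shape mapping
// and the dashed-edge-for-threat convention are this example's choices.

// Sample input: the Syntax block from the issue, embedded verbatim.
const SAMPLE = `threatModel
actor User
process "Web Application" as WebApp
dataStore "Database" as DB
dataFlow "User Request" from User to WebApp
dataFlow "Data Fetch" from WebApp to DB
boundary "Trust Boundary" {
WebApp
DB
}
threat "SQL Injection" on dataFlow "Data Fetch"`;

// `actor User` (bare id) or `process "Label" as Id` (quoted label with alias).
const NODE_RE = /^(actor|process|dataStore)\s+(?:"([^"]+)"\s+as\s+(\w+)|(\w+))$/;
const FLOW_RE = /^dataFlow\s+"([^"]+)"\s+from\s+(\w+)\s+to\s+(\w+)$/;
const BOUNDARY_RE = /^boundary\s+"([^"]+)"\s*\{$/;
const THREAT_RE = /^threat\s+"([^"]+)"\s+on\s+dataFlow\s+"([^"]+)"$/;

function parseThreatModel(text) {
  const model = { nodes: new Map(), flows: [], boundaries: [], threats: [] };
  const lines = text.split('\n').map(l => l.trim()).filter(Boolean);
  if (lines[0] !== 'threatModel') throw new Error('expected "threatModel" header');
  let boundary = null; // boundary currently being filled, if inside `{ ... }`
  for (const line of lines.slice(1)) {
    let m;
    if (boundary) {
      if (line === '}') { model.boundaries.push(boundary); boundary = null; }
      else boundary.members.push(line);
      continue;
    }
    if ((m = NODE_RE.exec(line))) {
      const id = m[3] || m[4];
      model.nodes.set(id, { id, kind: m[1], label: m[2] || id });
    } else if ((m = FLOW_RE.exec(line))) {
      model.flows.push({ label: m[1], from: m[2], to: m[3] });
    } else if ((m = BOUNDARY_RE.exec(line))) {
      boundary = { label: m[1], members: [] };
    } else if ((m = THREAT_RE.exec(line))) {
      model.threats.push({ label: m[1], flow: m[2] });
    } else {
      throw new Error(`unrecognised line: ${line}`);
    }
  }
  if (boundary) throw new Error('unterminated boundary block');
  // Referential checks: every flow endpoint and boundary member must be a declared node.
  for (const f of model.flows) for (const end of [f.from, f.to])
    if (!model.nodes.has(end)) throw new Error(`flow "${f.label}" references unknown node ${end}`);
  for (const b of model.boundaries) for (const id of b.members)
    if (!model.nodes.has(id)) throw new Error(`boundary "${b.label}" lists unknown node ${id}`);
  return model;
}

// Label of the boundary containing a node, or null when it sits outside every boundary.
function boundaryOf(model, id) {
  const b = model.boundaries.find(b => b.members.includes(id));
  return b ? b.label : null;
}

// Flows whose endpoints are in different trust zones and that carry no threat
// annotation: the natural first candidates for a STRIDE pass.
function unreviewedCrossings(model) {
  const annotated = new Set(model.threats.map(t => t.flow));
  return model.flows
    .filter(f => boundaryOf(model, f.from) !== boundaryOf(model, f.to))
    .filter(f => !annotated.has(f.label))
    .map(f => f.label);
}

// Render as a Mermaid flowchart that current Mermaid can draw.
function toMermaid(model) {
  const shape = {
    process: n => `${n.id}((${n.label}))`,    // circle
    dataStore: n => `${n.id}[(${n.label})]`,  // cylinder
    actor: n => `${n.id}[${n.label}]`,        // rectangle
  };
  const inBoundary = new Set(model.boundaries.flatMap(b => b.members));
  const out = ['flowchart LR'];
  for (const n of model.nodes.values()) if (!inBoundary.has(n.id)) out.push(`    ${shape[n.kind](n)}`);
  for (const b of model.boundaries) {
    out.push(`    subgraph ${b.label}`);
    for (const id of b.members) { const n = model.nodes.get(id); out.push(`        ${shape[n.kind](n)}`); }
    out.push('    end');
  }
  const threatsOn = new Map();
  for (const t of model.threats) threatsOn.set(t.flow, [...(threatsOn.get(t.flow) || []), t.label]);
  for (const f of model.flows) {
    const ts = threatsOn.get(f.label);
    out.push(ts
      ? `    ${f.from} -.->|"${f.label} (threat: ${ts.join(', ')})"| ${f.to}`  // dashed edge = threat attached
      : `    ${f.from} -->|${f.label}| ${f.to}`);
  }
  return out.join('\n');
}

const model = parseThreatModel(SAMPLE);
console.log(toMermaid(model));
console.log('boundary-crossing flows with no threat annotation:', unreviewedCrossings(model));
```

On the issue's own sample this reports `User Request` as the one unannotated flow crossing the trust boundary (User is outside it, WebApp inside), while `Data Fetch` stays inside the boundary and already carries the SQL Injection annotation; the generated flowchart can be pasted into any current Mermaid renderer as an interim way to draw the model until a native diagram type exists.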
@fguisso

fguisso commented Oct 24, 2024

I really want this feature. Is there a starting point to implement that? I can implement it, but I need some guidance to start.

@ReneLombard did you see that? It's not perfect, but I'm using it sometimes.

I need something like this:
[image attachment]

Development

No branches or pull requests

2 participants