Threatcl是一款功能强大的威胁记录模型,可以帮助广大研究人员更加清楚地记录威胁,并推动安全态势的提升。
威胁模型的记录方式有很多种。从简单的文本文件到更详细的 Word 文档,再到集中式解决方案中完全装备的威胁模型。威胁模型最有价值的两个属性是能够清晰地记录威胁,并能够推动有价值的变革。
Threatcl旨在通过关注以下目标,提供 DevOps 优先的方法来记录系统威胁模型:
1、简单文本文件格式;
2、简单的客户端驱动用户体验;
3、集成到版本控制系统 (VCS);
Go
由于该工具基于Go开发,因此我们首先需要在本地设备上安装并配置好最新版本的Go环境。
源码获取
广大研究人员可以直接使用下列命令将该项目源码克隆至本地:
git clone https://github.com/threatcl/threatcl.git然后切换到项目目录中,使用下列命令构建项目代码:
cd threatclmake bootstrapmake build
发布版本
我们还可以直接访问该项目的Releases页面下载最新版本的Threatcl,并将相关二进制文件移动到PATH下。
Homoebrew安装
brew install threatcl/repo/threatclDocker运行
docker run --rm -it ghcr.io/threatcl/threatcl:latestthreatclUsage: threatcl [--version] [--help] <command> [<args>]Available commands are:dashboard 从现有的HCL威胁模型文件生成标记文件dfd 从现有的HCL威胁模型文件生成数据流图PNG或DOT文件export 将威胁模型导出为其他格式generate 生成HCL威胁模型list 列出HCL文件中发现的威胁模型terraform 解析'terraform show-json'的输出validate 验证现有的HCL Threatmodel文件view 查看现有的HCL Threatmodel文件
hreatcl list和命令threatcl view可用于列出和查看来自threatcl spec HCL 文件中的数据:
$ threatcl list examples/*# File Threatmodel Author1 examples/tm1.hcl Tower of London @xntrik2 examples/tm1.hcl Fort Knox @xntrik3 examples/tm2.hcl Modelly model @xntrik
验证Threatcl规范 HCL 文件:
$ threatcl validate examples/*Validated 3 threatmodels in 3 files
该threatcl export命令用于将threatcl威胁模型导出为本机 JSON 表示形式(默认情况下),或导出为OTM JSON 表示形式,甚至导出回hcl:
$ threatcl export -format=otm examples/tm1.hcl[{"assets":[{"description":"including the imperial state crown","id":"crown-jewels","name":"crown jewels","risk":{"availability":0,"confidentiality":0,"integrity":0}}],"mitigations":[{"attributes":{"implementation_notes":"They are trained to be guards as well","implemented":true},"description":"Lots of guards patrol the area","id":"lots-of-guards","name":"Lots of Guards","riskReduction":80}],"otmVersion":"0.2.0","project":{"attributes":{"initiative_size":"Small","internet_facing":true,"network_segment":"dmz","new_initiative":true},"description":"A historic castle","id":"tower-of-london","name":"Tower of London","owner":"@xntrik"},"threats":[{"categories":["Confidentiality"],"description":"Someone who isn't the Queen steals the crown","id":"threat-1","name":"Threat 1","risk":{"impact":0,"likelihood":null}}]},{"assets":[{"description":"Lots of gold","id":"gold","name":"Gold","risk":{"availability":0,"confidentiality":0,"integrity":0}}],"mitigations":[{"attributes":{"implemented":true},"description":"A large wall surrounds the fort","id":"big-wall","name":"Big Wall","riskReduction":80}],"otmVersion":"0.2.0","project":{"attributes":{"initiative_size":"Small","internet_facing":true,"new_initiative":false},"description":"A .. fort?","id":"fort-knox","name":"Fort Knox","owner":"@xntrik"},"threats":[{"categories":["Confidentiality"],"description":"Someone steals the gold","id":"threat-1","name":"Threat 1","risk":{"impact":0,"likelihood":null}}]}]
threatcl generate命令用于输出通用boilerplate threatcl规范 HCL 文件,或者以交互方式向用户提问,然后输出threatcl规范 HCL 文件:
threatcl generate interactive将threatclcli 软件和threatcl规范结合起来,从业者可以在 HCL 中定义系统威胁模型,例如:
threatmodel "Tower of London" {description = "A historic castle"author = "@xntrik"attributes {new_initiative = "true"internet_facing = "true"initiative_size = "Small"}information_asset "crown jewels" {description = "including the imperial state crown"information_classification = "Confidential"}usecase {description = "The Queen can fetch the crown"}third_party_dependency "community watch" {description = "The community watch helps guard the premise"uptime_dependency = "degraded"}threat {description = "Someone who isn't the Queen steals the crown"impacts = ["Confidentiality"]expanded_control "Guards" {description = "Trained guards patrol tower"risk_reduction = 75}}data_flow_diagram_v2 "dfd name" {... see below for more information}}
本项目的开发与发布遵循MIT开源许可协议。
Threatcl:
https://github.com/threatcl/threatcl
原文始发于微信公众号(FreeBuf):Threatcl:一款威胁模型记录与归档工具
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论