Threat Modeling

[fguisso]

Hello guys!

I'm trying to figure out how to use mermaid in my Threat Modeling process, I think that it is a good idea because Developers know mermaid, and we(security analysts) want to bring security close to the developer's culture, why not use this incredible tool to make easy to teach Threat Modeling for Developers?

Following this issue, I found some way to use Flowchart for threat modeling, look at this example:

flowchart LR
    user(user)
    mobile((mobile\napplication))
    proxy((reverse\nproxy))
    api((API))
    db[|borders:tb|database]

    subgraph external [Internet]
        user--personal data-->mobile
        mobile-->proxy
    end
    subgraph dmz [Internal Network]
        proxy-->api
        db-->api
        api-->db
    end
    
    classDef boundary fill:none,stroke-dasharray: 5 5
    dmz:::boundary
    external:::boundary

Loading

flowchart LR
    user(user)
    mobile((mobile\napplication))
    proxy((reverse\nproxy))
    api((API))
    db[|borders:tb|database]

    subgraph external [Internet]
        user--personal data-->mobile
        mobile-->proxy
    end
    subgraph dmz [Internal Network]
        proxy-->api
        db-->api
        api-->db
    end
    
    classDef boundary fill:none,stroke-dasharray: 5 5
    dmz:::boundary
    external:::boundary

Items:

code	type
user(User)	Customer
system((System))	System
db[|borders:tb|database]	Database
subgraph dmz [DMZ]	Boundary or DMZ

I really like this because is simple and I don't need custom items, which probably complicates the learning curve for Devs to know Threat Modeling.

Thinking of simplicity and looking for a complete Threat Modeling done without mermaid, do you think that I can add more items using the native solutions?

New items:

• Threat Agents (Red)
• Assets (Yellow)
• Controls (Green)

[fguisso]

Another tentative, but I don't like because I think this code is not good to read:

flowchart LR
    subgraph u [" "]
    user(user)
    attack
    mitigation
    end
    subgraph m [" "]
    mobile((mobile\napplication))
    attack2
    end
    subgraph p [" "]
    proxy((reverse\nproxy))
    end
    subgraph a [" "]
    api((API))
    end
    subgraph d[" "]
    db[|borders:tb|database]
    attack3
    end

    subgraph external [Internet]
        u
        m
        p
        user--personal data-->mobile
        mobile-->proxy
    end
    subgraph dmz [Internal Network]
        p
        a
        d
        proxy-->api
        db-->api
        api-->db
    end

    classDef boundary fill:none,stroke-dasharray: 5 5
    classDef entity fill:none,stroke: none
    dmz:::boundary
    external:::boundary
    u:::entity
    m:::entity
    p:::entity
    a:::entity
    d:::entity

Loading