Security/Mentorships/MWoS/2014/online threat modeling tool
Team
Introduction
We are a team of student web developers based in Atlantic Canada who love clean code and big challenges. We are working on a web-based threat modelling tool called SeaSponge.
Members
- Mathew Kallada
- Glavin Wiechert
- Joel Kuntz
- Sarah MacDonald
- Professor: Dr. Pawan Lingras
- Mozilla Advisors: Julien Vehent, Jeff Bryner, Simon Bennetts, and Curtis Koenig
Project
Description
Threat modelling is an important part of designing an application, and a threat model diagram is a very useful way to document the threats that apply to your application. Unfortunately there are a very limited number of threat modelling tools available, and most of those are restricted to specific platforms. This project is to create an online HTML5 application which will allow the user to easily create threat model diagrams online. It should be very easy to use, and allow the diagrams to be exported in the most common image formats. The graphical elements of the Microsoft Threat Modeling tool are a good example of the type of functionality required.
Scope
The scope of this project is to plan, design, and create an accessible & easy-to-use threat modeling tool.
Success Criteria
- Build a fully-fledged web-based client-side tool for designing software architectures
- Analyze element interactions based on STRIDE attributes, identify threat impact using DREAD, and generate security vulnerability reports
- The tool should have a comparable amount of features and functionality to the Microsoft Threat Modelling Tool.
- The tool should have well-written documentation so that people can start using it.
- Exporting/Importing from the Microsoft MDL format
Milestones
- Initial Setup + Repository Ready (Early August)
- Initial Planning/Idea-Generation/UI Design Stage (Mid-September)
- Create Graph drawing interface (???)
- Save/Export Graph feature (???)
- Analyze STRIDE interactions and generate reports for end-user (???)
- Create good documentation (both for users and developers) and a series of one-minute tutorial videos (???)
- Spread the word! (???)
Technical Design
To keep things simple - our application is completely client-side. Users may export their projects and save them onto their hard drives (and load them later on), or they may save their projects onto local storage.
| Software | Description |
|---|---|
| Twitter Bootstrap | A front-end framework used for clean design |
| jsPlumb | A powerful HTML5 graph drawing toolkit |
| AngularJS | Client-side MVC framework for single-page web applications |
| CoffeeScript | JavaScript with syntactic sugar |
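As an added example (not part of this page or of SeaSponge's own code), the JavaScript below shows the kind of client-side analysis the success criteria call for: STRIDE-per-element threat enumeration over a small data-flow diagram, DREAD scoring of the threats an analyst has rated, and a sorted report object that could be exported as JSON. The element-type-to-STRIDE chart (Shostack's STRIDE-per-element), the severity thresholds, the model and ratings shapes and every name in it are assumptions of this example.

```javascript
// Added example (not SeaSponge's own code): STRIDE-per-element analysis of a data-flow diagram
// plus DREAD scoring. The element-type -> STRIDE chart and the severity bands are assumptions.
const STRIDE_PER_ELEMENT = {
  "external-entity": ["S", "R"],
  "process": ["S", "T", "R", "I", "D", "E"],
  "data-store": ["T", "R", "I", "D"], // R matters when the store holds audit logs
  "data-flow": ["T", "I", "D"],
};
const STRIDE_NAMES = { S: "Spoofing", T: "Tampering", R: "Repudiation",
  I: "Information disclosure", D: "Denial of service", E: "Elevation of privilege" };
const DREAD_KEYS = ["damage", "reproducibility", "exploitability", "affectedUsers", "discoverability"];
// DREAD score: mean of the five 1-10 ratings; null when the analyst has not rated the threat.
function dreadScore(r) {
  if (!r) return null;
  const vals = DREAD_KEYS.map((k) => r[k]);
  if (vals.some((v) => !Number.isInteger(v) || v < 1 || v > 10)) {
    throw new Error("DREAD ratings must be integers from 1 to 10");
  }
  return vals.reduce((a, b) => a + b, 0) / DREAD_KEYS.length;
}
// Severity bands used for the report (assumed thresholds: high >= 7, medium >= 4)
const severity = (s) => (s === null ? "unrated" : s >= 7 ? "high" : s >= 4 ? "medium" : "low");
// model.elements: [{id, name, type, from?, to?}] (data flows carry from/to element ids);
// ratings: {"<elementId>:<STRIDE letter>": {damage, ...}} entered by the analyst.
function analyzeModel(model, ratings = {}) {
  const ids = new Set(model.elements.map((e) => e.id));
  const threats = [];
  for (const el of model.elements) {
    const cats = STRIDE_PER_ELEMENT[el.type];
    if (!cats) throw new Error(`unknown element type '${el.type}' on ${el.id}`);
    if (el.type === "data-flow" && !(ids.has(el.from) && ids.has(el.to))) {
      throw new Error(`data flow ${el.id} references a missing endpoint`);
    }
    for (const c of cats) {
      const score = dreadScore(ratings[`${el.id}:${c}`]);
      threats.push({ element: el.name, category: STRIDE_NAMES[c], score, severity: severity(score) });
    }
  }
  // Report order: highest DREAD score first, unrated threats last
  threats.sort((a, b) => (b.score === null ? -1 : b.score) - (a.score === null ? -1 : a.score));
  return { title: model.title, threatCount: threats.length, threats };
}
const SAMPLE_MODEL = { title: "Login flow", elements: [ // constructed sample model
  { id: "u", name: "Browser", type: "external-entity" },
  { id: "w", name: "Web app", type: "process" },
  { id: "db", name: "User DB", type: "data-store" },
  { id: "f1", name: "Browser -> Web app (HTTP)", type: "data-flow", from: "u", to: "w" },
] };
const SAMPLE_RATINGS = { // constructed ratings for two of the generated threats
  "f1:I": { damage: 8, reproducibility: 9, exploitability: 7, affectedUsers: 8, discoverability: 8 },
  "db:T": { damage: 3, reproducibility: 2, exploitability: 2, affectedUsers: 4, discoverability: 2 },
};
```

Calling `analyzeModel(SAMPLE_MODEL, SAMPLE_RATINGS)` yields fifteen threats (2 + 6 + 4 + 3), with the rated information-disclosure threat on the unencrypted flow ranked first; `JSON.stringify` of the result is the report a client-side tool could hand to the user for download.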
Updates
Group Meeting: July 31, 2014
Current Work
- None
Blocking points
- None
Discussion Points
- Welcome to MWoS
- Forms + Setup
- Where to learn more about threat modeling (Book, Microsoft Videos)
Upcoming Work
- Investigate Libraries to use
- Sign Forms + Join Wiki
- Decide Name for Project
- Create Team Introduction
- Decide time for regular meeting
Update: August 27, 2014
- Wednesdays have been decided for the weekly meeting
- Academic grading structure has been finalized by Dr. Lingras
Group Meeting: September 3, 2014
Current Work
- We have looked into some security modeling things
- School has just begun
Blocking points
- None
Discussion Points
- Getting Started
- Where to learn more about threat modeling (Book, Microsoft Videos)
- Investigate features
- Importing from SDL is a crucial feature
Upcoming Work
- Make list of all Features to add (get inspiration from Microsoft SDL Tool, etc.)
- Start creating UI mockups and software design
Group Meeting: September 10, 2014
Blocking points
- None
Discussion Points
- Current List of Features (still in progress)
- Using Skype for communication
- Agenda to be created by Mat
Upcoming Work
- Finalize list of all Features by September 15th
- Finalize UI mockups and software design by September 15th
Group Meeting: September 17, 2014
Blocking points
- None
Discussion Points
- Current List of Features looks good
- Forget about saving to DropBox/Google Drive
Upcoming Work
- Finish Scaffolding
- Assign Tasks + Roles for project
Group Meeting: September 24, 2014
Finished so far
- Scaffolding almost finished
Discussion Points
- Getting help for importing the Microsoft File format
- Using Slack
Upcoming Work
- Finalize the Scaffolding
- Assign roles for project
Group Meeting: October 1, 2014
Finished so far
- Scaffolding almost finished
- Coding conventions
Discussion Points
- We will get access to Safari Books soon
- Version 3 of Microsoft tool may be supportable, if not focus on 2014 only
- People don't like modals; they have mostly been removed from Firefox. People may not want to load the application if they get there by mistake.
- Multiple diagrams is very valuable, as we will see in the book
- Stencils/Prefabs, test multiple layouts (tabs, dropdown, etc.) See Github issue
Upcoming Work
- Finalize the Scaffolding
- Find more template ideas for notes. See Github issue
- Work on drag and drop. See Github issue
- Start decomposing Microsoft .tm4 format
Group Meeting: October 8, 2014
Finished so far
- Scaffolding almost finished
- Coding conventions
Discussion Points
- Safari books access should happen on next update
- Focus on the 2014 version of the Microsoft tool only
- Discussed Content Security Policy and the difficulty with backwards compatibility
- Creating a video when scaffolding/UI is done to show how the app is going to work to get more feedback (Mozilla, Profs, etc.)
Upcoming Work
- Finalize the Scaffolding
- Find more template ideas for notes. See Github issue
- Work on drag and drop. See Github issue
- Continue decomposing Microsoft .tm4 format
- Make the video mentioned above
- Start reading into STRIDE and working on generating it as well as reports
Group Meeting: November 5, 2014
Discussion Points
- Physical books are en route
- Modularize threat models to be elements in bigger models
- Implement tag system for elements, connections, and boundaries
- Templating systems/notes will help give greater context (valuable). See Github issue
Upcoming Work
- Continue decomposing Microsoft .tm4 format
- Create a draft file format
- Create a new document proposal for timeline and features
Group Meeting: November 19, 2014
Discussion Points
- Use a data URL with a configured MIME type instead of the File API
- Look into XSL Transformations instead of writing XML parser
- Schema changes