Nice live templates for your IDE:
For IntelliJ IDEs see, for example: https://blog.jetbrains.com/webstorm/2018/01/using-and-creating-code-snippets/
Other IDEs like Eclipse, Visual Studio and YAML-supporting text editors like Atom and Sublime have similar template features.
====================================================
Live template for a model base:
====================================================
threagile_version: 1.0.0
title: $title$
date:
author:
  name: $name$
  homepage:
management_summary_comment:
business_criticality: $business_criticality$
business_overview:
  description: Some more demo text here and even images...
  images:
  # - custom-image-1.png: Some dummy image 1
  # - custom-image-2.png: Some dummy image 2
technical_overview:
  description: Some more demo text here and even images...
  images:
  # - custom-image-1.png: Some dummy image 1
  # - custom-image-2.png: Some dummy image 2
questions: # simply use "" as answer to signal "unanswered"
  # Some question without an answer?: ""
  # Some question with an answer?: Some answer
abuse_cases:
  Denial-of-Service: >
    As a hacker I want to disturb the functionality of the backend system in order to cause indirect
    financial damage via unusable features.
  CPU-Cycle Theft: >
    As a hacker I want to steal CPU cycles in order to transform them into money via installed cryptocurrency miners.
  Ransomware: >
    As a hacker I want to encrypt the storage and file systems in order to demand ransom.
  Identity Theft: >
    As a hacker I want to steal identity data in order to reuse credentials and/or keys on other targets of the same company or outside.
  PII Theft: >
    As a hacker I want to steal PII (Personally Identifiable Information) data in order to blackmail the company and/or damage
    their reputation by publishing the stolen data.
security_requirements:
  Input Validation: Strict input validation is required to reduce the overall attack surface.
  EU-GDPR: Mandatory EU-GDPR
# Tags can be used for anything, it's just a tag. Also risk rules can act based on tags if you like.
tags_available:
data_assets:
  $END$
technical_assets:
trust_boundaries:
shared_runtimes:
individual_risk_categories:
# NOTE:
# For risk tracking each risk ID needs to be defined (the string with the @ sign in it). These unique risk IDs
# are visible in the PDF report (the small grey string under each risk), the Excel file (column "ID"), as well as the JSON responses.
# Some risk IDs have only one @ sign in them, while others have several. The idea is to allow for unique but still speaking IDs.
# Therefore each risk instance builds its individual ID by placing every element affected by the risk in its own @-delimited part.
# Using wildcards (the * sign) for parts delimited by @ signs allows handling groups of similar risks at once. The best way to find the IDs
# to use is to look them up in the generated Excel file. Alternatively the model macro "seed-risk-tracking" is available, which helps with initially
# seeding the risk tracking part here based on already identified and not yet handled risks.
risk_tracking:
====================================================
Live template for a data asset:
====================================================
$DataAssetName$:
  id: $id$
  description: $END$
  usage: $usage$
  tags:
  origin:
  owner:
  quantity: $quantity$
  confidentiality: $confidentiality$
  integrity: $integrity$
  availability: $availability$
  justification_cia_rating:
====================================================
Live template for a technical asset:
====================================================
$TechnicalAssetName$:
  id: $id$
  description: $END$
  type: $type$
  usage: $usage$
  used_as_client_by_human: $used_as_client_by_human$
  out_of_scope: false
  justification_out_of_scope:
  size: $size$
  technology: $technology$
  tags: $tags$
  internet: $internet$
  machine: $machine$
  encryption: $encryption$
  owner:
  confidentiality: $confidentiality$
  integrity: $integrity$
  availability: $availability$
  justification_cia_rating:
  multi_tenant: $multi_tenant$
  redundant: $redundant$
  custom_developed_parts: $custom_developed_parts$
  data_assets_processed: # sequence of IDs to reference
  data_assets_stored: # sequence of IDs to reference
  data_formats_accepted:
  communication_links:
====================================================
Live template for a communication link:
====================================================
$CommunicationLinkName$:
  target: $target_id$
  description: $END$
  protocol: $protocol$
  authentication: $authentication$
  authorization: $authorization$
  tags: $tags$
  vpn: $vpn$
  ip_filtered: $ip_filtered$
  readonly: $readonly$
  usage: $usage$
  data_assets_sent: # sequence of IDs to reference
  data_assets_received: # sequence of IDs to reference
====================================================
Live template for a trust boundary:
====================================================
$TrustBoundaryName$:
  id: $id$
  description: $END$
  type: $type$
  tags: $tags$
  technical_assets_inside: # sequence of IDs to reference
  trust_boundaries_nested: # sequence of IDs to reference
====================================================
Live template for a shared runtime:
====================================================
$SharedRuntimeName$:
  id: $id$
  description: $END$
  tags: $tags$
  technical_assets_running: # sequence of IDs to reference
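The technical asset, communication link, trust boundary and shared runtime templates above all carry fields that are "sequences of IDs to reference". A model is only usable if every such reference resolves to an ID that is actually defined, so the following added example (written for this page, not part of the template file or of the Threagile tool itself) walks a minimal model and reports dangling or duplicate IDs. The model is constructed inline as the Python dicts the YAML would parse to; the asset names, IDs and the two deliberately broken references are all invented for the example.

```python
from typing import Dict, List, Set

# Constructed minimal model in the shape of the templates above, written as the
# Python dicts the YAML would parse to (so no YAML library is needed). Two
# references are deliberately dangling to show what the check reports.
MODEL = {
    "data_assets": {
        "Customer Contracts": {"id": "customer-contracts"},
        "Customer Accounts": {"id": "customer-accounts"},
    },
    "technical_assets": {
        "Web Server": {
            "id": "web-server",
            "data_assets_processed": ["customer-contracts", "customer-accounts"],
            "data_assets_stored": [],
            "communication_links": {
                "Database Traffic": {
                    "target": "database",
                    "data_assets_sent": ["customer-contracts"],
                    "data_assets_received": ["customer-accounts"],
                },
            },
        },
        "Database": {
            "id": "database",
            "data_assets_processed": ["customer-contracts", "customer-accounts"],
            # "customer-acounts" is a constructed typo: it references no data asset
            "data_assets_stored": ["customer-contracts", "customer-acounts"],
            "communication_links": {},
        },
    },
    "trust_boundaries": {
        "Backend Network": {
            "id": "backend-network",
            "technical_assets_inside": ["web-server", "database"],
            "trust_boundaries_nested": [],
        },
    },
    "shared_runtimes": {
        "App Cluster": {
            "id": "app-cluster",
            # "cache" is never defined as a technical asset
            "technical_assets_running": ["web-server", "database", "cache"],
        },
    },
}


def ids_of(section: Dict[str, dict], kind: str, problems: List[str]) -> Set[str]:
    """Collect the ids defined in one top-level section, flagging missing or duplicate ids."""
    seen: Dict[str, str] = {}
    for name, entry in (section or {}).items():
        entry_id = (entry or {}).get("id")
        if not entry_id:
            problems.append(f"{kind} '{name}' has no id")
            continue
        if entry_id in seen:
            problems.append(f"{kind} id '{entry_id}' is used by both '{seen[entry_id]}' and '{name}'")
        seen[entry_id] = name
    return set(seen)


def check_refs(owner: str, field: str, refs, known: Set[str], kind: str, problems: List[str]) -> None:
    """Report every entry of a reference list that does not resolve to a known id."""
    for ref in refs or []:
        if ref not in known:
            problems.append(f"{owner}: {field} references unknown {kind} '{ref}'")


def validate_references(model: dict) -> List[str]:
    """Return a list of human-readable problems; an empty list means all references resolve."""
    problems: List[str] = []
    data_ids = ids_of(model.get("data_assets"), "data asset", problems)
    tech_ids = ids_of(model.get("technical_assets"), "technical asset", problems)
    boundary_ids = ids_of(model.get("trust_boundaries"), "trust boundary", problems)
    ids_of(model.get("shared_runtimes"), "shared runtime", problems)

    for name, asset in (model.get("technical_assets") or {}).items():
        check_refs(name, "data_assets_processed", asset.get("data_assets_processed"), data_ids, "data asset", problems)
        check_refs(name, "data_assets_stored", asset.get("data_assets_stored"), data_ids, "data asset", problems)
        for link_name, link in (asset.get("communication_links") or {}).items():
            owner = f"{name} -> {link_name}"
            check_refs(owner, "target", [link.get("target")], tech_ids, "technical asset", problems)
            check_refs(owner, "data_assets_sent", link.get("data_assets_sent"), data_ids, "data asset", problems)
            check_refs(owner, "data_assets_received", link.get("data_assets_received"), data_ids, "data asset", problems)

    for name, boundary in (model.get("trust_boundaries") or {}).items():
        check_refs(name, "technical_assets_inside", boundary.get("technical_assets_inside"), tech_ids, "technical asset", problems)
        check_refs(name, "trust_boundaries_nested", boundary.get("trust_boundaries_nested"), boundary_ids, "trust boundary", problems)

    for name, runtime in (model.get("shared_runtimes") or {}).items():
        check_refs(name, "technical_assets_running", runtime.get("technical_assets_running"), tech_ids, "technical asset", problems)

    return problems


if __name__ == "__main__":
    for problem in validate_references(MODEL):
        print("PROBLEM:", problem)
```

Running the block prints the two planted problems (the misspelled stored data asset on the database and the undefined `cache` runtime member). To apply it to a real model file, load the YAML with a parser into the same dict shape and pass it to `validate_references`; running it in CI before the model is rendered catches references that would otherwise fail late or silently drop an asset from the analysis.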
====================================================
Live template for an individual risk category:
====================================================
$IndividualRiskCategoryName$:
  id: $id$
  description: $END$
  impact:
  asvs:
  cheat_sheet:
  action:
  mitigation:
  check:
  function: $function$
  stride: $stride$
  detection_logic:
  risk_assessment:
  false_positives:
  model_failure_possible_reason: $model_failure_possible_reason$
  cwe: $cwe$
  risks_identified:
====================================================
Live template for an individual risk instance:
====================================================
$IndividualRiskInstanceName$:
  severity: $severity$
  exploitation_likelihood: $exploitation_likelihood$
  exploitation_impact: $exploitation_impact$
  data_breach_probability: $data_breach_probability$
  data_breach_technical_assets: # list of technical asset IDs which might have data breach
    $END$
  most_relevant_data_asset: $most_relevant_data_asset$
  most_relevant_technical_asset: $most_relevant_technical_asset$
  most_relevant_trust_boundary: $most_relevant_trust_boundary$
  most_relevant_shared_runtime: $most_relevant_shared_runtime$
====================================================
Live template for a risk tracking:
====================================================
$RiskID$: # wildcards "*" between the @ characters are possible
  status: $status$
  justification: $END$
  ticket:
  date:
  checked_by:
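The NOTE in the model base template and the comment on the risk tracking template describe the @-delimited risk IDs and the `*` wildcards that let one tracking entry cover a group of risks. The following added example (written for this page; it is not the template file's content and not the Threagile tool's own matching code) resolves a constructed set of identified risk IDs against a constructed `risk_tracking` section, reports risks nobody has tracked yet, stale tracking keys that match nothing, and risks that several wildcard keys claim at once, and seeds template entries for the untracked ones in the spirit of the "seed-risk-tracking" macro. It assumes that a `*` stands for one non-empty run of characters inside a single @-delimited part and never spans a part boundary; that rule, the risk IDs and the tracking entries are all assumptions of the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample risk IDs in the @-delimited shape the NOTE describes
# (risk category, then one part per affected element); not from a real model.
IDENTIFIED_RISKS: List[str] = [
    "unencrypted-communication@web-client>web-traffic@web-client@web-server",
    "unencrypted-communication@web-server>db-traffic@web-server@database",
    "missing-hardening@web-server",
    "missing-hardening@database",
    "unnecessary-data-asset@customer-contracts",
]

# Constructed risk_tracking section, as the YAML template above would parse to.
RISK_TRACKING: Dict[str, Dict[str, str]] = {
    "unencrypted-communication@*>*@web-server@database": {
        "status": "accepted",
        "justification": "Internal segment; TLS rollout is scheduled.",
        "ticket": "EXAMPLE-1",
    },
    "missing-hardening@*": {
        "status": "in-progress",
        "justification": "Hardening baseline being applied to all assets.",
    },
    "missing-hardening@database": {  # exact key: takes precedence over the wildcard
        "status": "mitigated",
        "justification": "Database host already follows the hardening baseline.",
    },
    "missing-authentication@*@*": {  # matches nothing in this model: stale entry
        "status": "false-positive",
        "justification": "Left over from an earlier model version.",
    },
}


def pattern_to_regex(pattern: str):
    """Turn a risk_tracking key into an anchored regex.

    Assumption of this example: '*' matches one non-empty run of characters
    inside a single @-delimited part ([^@]+), so it cannot swallow a part
    boundary. Everything else in the key is matched literally.
    """
    return re.compile(re.escape(pattern).replace(r"\*", "[^@]+"))


def resolve_tracking(identified: List[str], tracking: Dict[str, Dict[str, str]]):
    """Map each identified risk ID to the tracking entry that covers it.

    Exact keys win over wildcard keys; a risk covered by several wildcard keys
    is reported as ambiguous rather than silently assigned to one of them.
    Returns (resolved, untracked, unused_keys, ambiguous).
    """
    compiled = {key: pattern_to_regex(key) for key in tracking if "*" in key}
    resolved: Dict[str, Tuple[str, Dict[str, str]]] = {}
    ambiguous: Dict[str, List[str]] = {}
    used = set()
    for risk_id in identified:
        if risk_id in tracking:
            resolved[risk_id] = (risk_id, tracking[risk_id])
            used.add(risk_id)
            continue
        hits = [key for key, rx in compiled.items() if rx.fullmatch(risk_id)]
        if len(hits) == 1:
            resolved[risk_id] = (hits[0], tracking[hits[0]])
            used.add(hits[0])
        elif hits:
            ambiguous[risk_id] = hits
            used.update(hits)
    untracked = [r for r in identified if r not in resolved and r not in ambiguous]
    unused = sorted(key for key in tracking if key not in used)
    return resolved, untracked, unused, ambiguous


def seed_risk_tracking(untracked: List[str]) -> Dict[str, Dict[str, str]]:
    """Build empty tracking entries (the fields of the template above) for
    risks that are not yet tracked; 'unchecked' is the initial status assumed here."""
    return {
        risk_id: {"status": "unchecked", "justification": "", "ticket": "", "date": "", "checked_by": ""}
        for risk_id in untracked
    }


if __name__ == "__main__":
    resolved, untracked, unused, ambiguous = resolve_tracking(IDENTIFIED_RISKS, RISK_TRACKING)
    for risk_id, (key, entry) in resolved.items():
        print(f"{entry['status']:12} {risk_id}  (via '{key}')")
    print("untracked:", untracked)
    print("unused tracking keys:", unused)
    print("ambiguous:", ambiguous)
    print("seed:", seed_risk_tracking(untracked))
```

Two of the constructed risks end up untracked and one tracking key is reported as unused; both are worth failing a CI run on, since an unused wildcard usually means the ID shape changed and a risk that was "accepted" is no longer covered. The ambiguity check matters for the same reason: two overlapping wildcards with different statuses would otherwise leave it to implementation order which status a risk gets.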