# threatmodel
> Agile Threat Modeling as Code
## Install
```bash
pip install threatmodel
```
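## How to use
```bash
python3 threatmodel.py
```
Here `threatmodel.py` stands for the script that defines your model, such as the one below. In practice, save it under a different name (for example `login_model.py`): a file called `threatmodel.py` in the script's directory shadows the installed package, so `import threatmodel` would load the script itself.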
```python
#!/usr/bin/env python3

import threatmodel as tm
import threatmodel.plus as tm_plus

model = tm.Model("Login Model")

user = tm_plus.Browser(model, "User")

web_server = tm.Process(
    model, "WebServer",
    machine=tm.Machine.VIRTUAL,
    technology=tm.Technology.WEB_WEB_APPLICATION,
)

login = tm.DataFlow(
    model, "Login",
    source=user,
    destination=web_server,
    protocol=tm.Protocol.HTTPS,
)

login.transfers(
    "UserCredentials",
    confidentiality=tm.Score.HIGH,
    integrity=tm.Score.HIGH,
    availability=tm.Score.HIGH,
)

database = tm.DataStore(
    model, "Database",
    machine=tm.Machine.VIRTUAL,
    technology=tm.Technology.DATABASE,
)

authenticate = tm.DataFlow(
    model, "Authenticate",
    source=web_server,
    destination=database,
    protocol=tm.Protocol.SQL,
)

user_details = tm.Asset(
    model, "UserDetails",
    confidentiality=tm.Score.HIGH,
    integrity=tm.Score.HIGH,
    availability=tm.Score.HIGH,
)

authenticate.transfers(user_details)

print(model.risks_table(table_format=tm.TableFormat.GITHUB))
```
Output:
| SID | Severity | Category | Name | Affected | Treatment |
|---------------------|------------|----------------------------|-------------------------------------|------------|-------------|
| CAPEC-63@WebServer | elevated | Inject Unexpected Items | Cross-Site Scripting (XSS) | WebServer | mitigated |
| CAPEC-100@WebServer | high | Manipulate Data Structures | Overflow Buffers | WebServer | unchecked |
| CAPEC-101@WebServer | elevated | Inject Unexpected Items | Server Side Include (SSI) Injection | WebServer | mitigated |
| CAPEC-62@WebServer | high | Subvert Access Control | Cross Site Request Forgery | WebServer | unchecked |
| CAPEC-66@WebServer | elevated | Inject Unexpected Items | SQL Injection | WebServer | unchecked |
|...|...|...|...|...|...|
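The risks table lends itself to a pipeline gate. The following is an added example, not part of the threatmodel project: it parses the GitHub-format table text shown above and returns a failing exit code while any `high` risk is still `unchecked`. The function names are hypothetical, and the sample input is constructed from the rows printed above.

```python
import sys

# Constructed sample: the rows of the Output table above, including the elided row.
SAMPLE_TABLE = """\
| SID | Severity | Category | Name | Affected | Treatment |
|-----|----------|----------|------|----------|-----------|
| CAPEC-63@WebServer | elevated | Inject Unexpected Items | Cross-Site Scripting (XSS) | WebServer | mitigated |
| CAPEC-100@WebServer | high | Manipulate Data Structures | Overflow Buffers | WebServer | unchecked |
| CAPEC-101@WebServer | elevated | Inject Unexpected Items | Server Side Include (SSI) Injection | WebServer | mitigated |
| CAPEC-62@WebServer | high | Subvert Access Control | Cross Site Request Forgery | WebServer | unchecked |
| CAPEC-66@WebServer | elevated | Inject Unexpected Items | SQL Injection | WebServer | unchecked |
|...|...|...|...|...|...|
"""


def parse_risks_table(text):
    """Parse a pipe table into dicts keyed by header (escaped pipes in cells unsupported)."""
    header, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = cells
        elif len(cells) != len(header) or all(set(c) <= set("-:.") for c in cells):
            continue  # separator row, elided "..." row, or malformed line
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def blocking_risks(rows, severities=("high",)):
    """Return the risks that are still unchecked at a blocking severity."""
    return [r for r in rows
            if r["Treatment"] == "unchecked" and r["Severity"] in severities]


def gate(text, severities=("high",)):
    """Return a process exit code: 1 if any blocking risk is open, else 0."""
    open_risks = blocking_risks(parse_risks_table(text), severities)
    for r in open_risks:
        print(f"OPEN {r['Severity']}: {r['SID']} {r['Name']}", file=sys.stderr)
    return 1 if open_risks else 0


if __name__ == "__main__":
    sys.exit(gate(SAMPLE_TABLE))
```

In a pipeline, the text passed to `gate` would be the string the model script prints, and widening `severities` tightens the gate.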
## Jupyter Threatbook
> Threat modeling with Jupyter notebooks
![threatbook.png](https://github.com/hupe1980/threatmodel/raw/main/.assets/threatbook.png)
## Generating Diagrams
```python
model.data_flow_diagram()
```
![data-flow-diagram.png](https://github.com/hupe1980/threatmodel/raw/main/.assets/data-flow-diagram.png)
## High level elements (threatmodel/plus*)
```python
import threatmodel.plus_aws as tm_plus_aws
# ...
alb = tm_plus_aws.ApplicationLoadBalancer(model, "ALB", waf=True)
```
## Custom threatlib
```python
import threatmodel as tm
threatlib = tm.Threatlib()
threatlib.add_threat("""... your custom threats ...""")
model = tm.Model("Demo Model", threatlib=threatlib)
```
## Examples
See more complete [examples](https://github.com/hupe1980/threatmodel/tree/master/examples).
## Prior work and other related projects
- [pytm](https://github.com/izar/pytm) - A Pythonic framework for threat modeling
- [threagile](https://github.com/Threagile/threagile) - Agile Threat Modeling Toolkit
- [cdk-threagile](https://github.com/hupe1980/cdk-threagile) - Agile Threat Modeling as Code
- [OpenThreatModel](https://github.com/iriusrisk/OpenThreatModel) - OpenThreatModel
## License
[MIT](LICENSE)