tmac

Name: tmac
Version: 0.0.9
Home page: https://github.com/hupe1980/tmac
Summary: Agile Threat Modeling as Code
Upload time: 2023-01-03 12:51:06
Author: hupe1980
Requires Python: >=3.11,<4.0
License: MIT
Keywords: agile decsecops threat-modeling cybersecurity appsec jupyter-notebook openthreatmodel otm

# tmac
> Agile Threat Modeling as Code
- Close to the code - close to developers

## Install
```bash
pip install tmac
```

## How to use
```bash
python3 tmac.py
```

```python
#!/usr/bin/env python3

from tmac import (
    Model,
    Process,
    Protocol,
    Score,
    TableFormat,
    Technology,
    TrustBoundary,
)
from tmac.plus import Browser, Database

model = Model("Demo Model", description="Sample description")

internet = TrustBoundary(model, "Internet")
dmz = TrustBoundary(model, "DMZ")
intranet = TrustBoundary(model, "Intranet")

browser = Browser(model, "Browser", trust_boundary=internet)

web_server = Process(
    model,
    "WebServer",
    technology=Technology.WEB_APPLICATION,
    trust_boundary=dmz,
)

database = Database(
    model,
    "Database",
    trust_boundary=intranet,
)

web_traffic = browser.add_data_flow(
    "WebTraffic",
    destination=web_server,
    protocol=Protocol.HTTPS,
)

web_traffic.transfers(
    "UserCredentials",
    confidentiality=Score.HIGH,
    integrity=Score.HIGH,
    availability=Score.HIGH,
)

database_traffic = web_server.add_data_flow(
    "DatabaseTraffic",
    destination=database,
    protocol=Protocol.SQL,
)

database_traffic.transfers(
    "UserDetails",
    confidentiality=Score.HIGH,
    integrity=Score.HIGH,
    availability=Score.HIGH,
)

print(model.risks_table(table_format=TableFormat.GITHUB))
```
Output:
| ID                                 | Category                | Risk                                                                            | Treatment   |
|------------------------------------|-------------------------|---------------------------------------------------------------------------------|-------------|
| CAPEC-62@WebServer@WebTraffic      | Subvert Access Control  | Cross-Site Request Forgery (CSRF) risk at WebServer via WebTraffic from Browser | in-progress |
| CAPEC-63@WebServer                 | Inject Unexpected Items | Cross-Site Scripting (XSS) risk at WebServer                                    | accepted    |
| CAPEC-66@WebServer@DatabaseTraffic | Inject Unexpected Items | SQL Injection risk at WebServer against database Database via DatabaseTraffic   | mitigated   |
|...|...|...|...|
```python
print(model.create_backlog_table(table_format=TableFormat.GITHUB))
```
Output:
| ID                                            | Category                                     | User Story                                                                                                                                                                                                                                                         | State       |
|-----------------------------------------------|----------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
| ASVS-13.2.3@CAPEC-62@WebServer@WebTraffic     | RESTful Web Service                          | Verify that RESTful web services that utilize cookies are protected from Cross-Site Request Forgery via the use of at least one or more of the following: double submit cookie pattern, CSRF nonces, or Origin request header checks.                              | draft       |
| ASVS-5.3.5@CAPEC-66@WebServer@DatabaseTraffic | Output Encoding and Injection Prevention     | Verify that where parameterized or safer mechanisms are not present, context-specific output encoding is used to protect against injection attacks, such as the use of SQL escaping to protect against SQL injection.                                              | closed      |
| ASVS-1.2.3@CAPEC-62@WebServer@WebTraffic      | Authentication Architecture                  | Verify that the application uses a single vetted authentication mechanism that is known to be secure, can be extended to include strong authentication, and has sufficient logging and monitoring to detect account abuse or breaches.                             | in-progress |
|...|...|...|...|
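Because `risks_table()` returns plain markdown, the output can be consumed by a CI job that fails a merge while untreated risks remain. The following is an added example, not part of tmac itself: it parses the GitHub-format risks table printed above (copied here as a constructed sample) into records using tmac's `CAPEC-id@Element@DataFlow` ID convention, and gates on the Treatment column. The `gate()` function and its `accepted_ids` allow-list are assumptions for this illustration, not tmac API.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed sample: the table printed by
# model.risks_table(table_format=TableFormat.GITHUB) in the README above.
RISKS_TABLE = """\
| ID                                 | Category                | Risk                                                                            | Treatment   |
|------------------------------------|-------------------------|---------------------------------------------------------------------------------|-------------|
| CAPEC-62@WebServer@WebTraffic      | Subvert Access Control  | Cross-Site Request Forgery (CSRF) risk at WebServer via WebTraffic from Browser | in-progress |
| CAPEC-63@WebServer                 | Inject Unexpected Items | Cross-Site Scripting (XSS) risk at WebServer                                    | accepted    |
| CAPEC-66@WebServer@DatabaseTraffic | Inject Unexpected Items | SQL Injection risk at WebServer against database Database via DatabaseTraffic   | mitigated   |
"""


@dataclass(frozen=True)
class Risk:
    capec: str                 # e.g. "CAPEC-62"
    element: str               # model element the risk is located at, e.g. "WebServer"
    data_flow: Optional[str]   # data flow involved, or None for element-only risks
    category: str
    description: str
    treatment: str

    @property
    def risk_id(self) -> str:
        return "@".join(p for p in (self.capec, self.element, self.data_flow) if p)


def parse_risks_table(table: str) -> list[Risk]:
    """Parse a GitHub-flavoured markdown risks table into Risk records."""
    risks: list[Risk] = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        # Skip the header row, the separator row, and any "..." elision row.
        if len(cells) != 4 or cells[0] == "ID" or set(cells[0]) <= {"-"} or cells[0] == "...":
            continue
        parts = cells[0].split("@")
        flow = parts[2] if len(parts) > 2 else None
        risks.append(Risk(parts[0], parts[1], flow, cells[1], cells[2], cells[3]))
    return risks


def gate(risks: list[Risk], accepted_ids: frozenset[str] = frozenset(),
         done: tuple[str, ...] = ("mitigated",)) -> list[str]:
    """Return IDs that block a merge: anything not in `done`, except risks
    explicitly 'accepted' AND listed in the reviewed accepted_ids allow-list."""
    blocking = []
    for r in risks:
        if r.treatment in done:
            continue
        if r.treatment == "accepted" and r.risk_id in accepted_ids:
            continue
        blocking.append(r.risk_id)
    return blocking
```

A pipeline step would call `gate(parse_risks_table(model.risks_table(table_format=TableFormat.GITHUB)))` and exit non-zero when the returned list is non-empty, so an accepted risk only passes once its ID has been reviewed into the allow-list.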
## Jupyter Threatbooks
> Threat modeling with jupyter notebooks

![threatbook.png](https://github.com/hupe1980/tmac/raw/main/.assets/threatbook.png)

## Generating Diagrams
```python
model.create_data_flow_diagram()
```
![threatbook.png](https://github.com/hupe1980/tmac/raw/main/.assets/data-flow-diagram.png)

## High level elements (tmac/plus*)
```python
from tmac.plus_aws import ApplicationLoadBalancer

# ...

alb = ApplicationLoadBalancer(model, "ALB", waf=True)

```

## Custom ThreatLibrary
```python
from tmac import Model, ThreatLibrary

lib = ThreatLibrary()

lib.add_threat("""... your custom threats ...""")

model = Model("Demo Model", threat_library=lib)
```
## Examples

See more complete [examples](https://github.com/hupe1980/tmac/tree/master/examples).

## Prior work and other related projects
- [pytm](https://github.com/izar/pytm) - A Pythonic framework for threat modeling
- [threagile](https://github.com/Threagile/threagile) - Agile Threat Modeling Toolkit
- [cdk-threagile](https://github.com/hupe1980/cdk-threagile) - Agile Threat Modeling as Code
- [OpenThreatModel](https://github.com/iriusrisk/OpenThreatModel) - OpenThreatModel

## License

[MIT](LICENSE)
            
