Threatspec | Continuous Threat Modeling, Through Code


Threatspec is an open source project that aims to close the gap between development and security by bringing the threat modelling process further into the development process. This is achieved by having developers and security engineers write threat modelling annotations as comments inside source code, then dynamically generating reports and data-flow diagrams from the code. This allows engineers to capture the security context of the code they write, as they write it. In a world of everything-as-code, this can include infrastructure-as-code, CI/CD pipelines, serverless functions and so on, in addition to traditional application code.

Getting started

Step 1 - Install threatspec

$ pip install threatspec

You’ll also need to install Graphviz for the report generation.

Step 2 - Initialise threatspec in your code repository

$ threatspec init
Initialising threatspec...

Threatspec has been initialised. You can now configure the project in this
repository by editing the following file:

    threatspec.yaml
You can configure threatspec by editing the threatspec.yaml configuration file which looks something like this:

# This file contains default configuration for a threatspec-enabled repository
# Warning: If you delete this file, threatspec will treat this directory as a normal source path if referenced by other threatspec.yaml files.

project:
  name: "threatspec project"           # Name of your project. This might be your application name or a friendly name for the code repository.
  description: "A threatspec project." # A description of the project. This will be used in the markdown report as well as the name.
imports:                               # Import other threatspec projects into this one.
  - './'                               # Current directory isn't strictly necessary as this is processed anyway. Just here as an example.
paths:                                 # Source code paths to process
  - './'                               # Parse source files in the current directory by default.
# - 'path/to/repo1'                    # You can refer to other repositories or directories as needed
# - 'path/to/repo2'                    # ... and you can do this as much as you like
# - 'path/to/source/file.go'           # You can directly reference source code files and directories
# - path: 'path/to/node_source'        # You can also provide ignore paths for a path by providing a dictionary
#   ignore:                            # Any sub-paths defined in this array are ignored as source files within the path are recursively parsed
#     - 'node_modules'
# - path: 'path/to/config.py'
#   mime: 'text/x-python'              # You can explicitly set the mime type for files if needed

Step 3 - Annotate your source code with security concerns, concepts or actions

package main
import "io/ioutil"
type Page struct { // assumed shape: the fields used by save() below
    Title string
    Body  []byte
}

// @accepts arbitrary file writes to WebApp:FileSystem with filename restrictions
// @mitigates WebApp:FileSystem against unauthorised access with strict file permissions
func (p *Page) save() error {
    filename := p.Title + ".txt" // the page title is used directly as the file name (the accepted risk above)
    return ioutil.WriteFile(filename, p.Body, 0600) // owner-only permissions (the mitigation above)
}

Step 4 - Run threatspec against your source code

$ threatspec run
Running threatspec...

Threatspec has been run against the source files. The following threat mode file
has been created and contains the mitigations, acceptances, connections etc. for
the project:

    threatmodel/threatmodel.json

The following library files have also been created:

    threatmodel/threats.json threatmodel/controls.json threatmodel/components.json
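As an added example (not threatspec's own code), here is a simplified Python parser for the two annotation verbs used in step 3, grouping what it finds per component the way threatmodel.json separates mitigations from acceptances. The grammar is an assumption that covers only the `@accepts ... to ... with ...` and `@mitigates ... against ... with ...` forms shown above, and `SAMPLE_SOURCE` is constructed input.

```python
import json
import re

# Simplified grammar for the two verbs used in this README. threatspec's own parser
# supports more verbs and a richer grammar; this is an illustrative re-implementation.
ANNOTATION_RE = re.compile(r"@(?P<verb>mitigates|accepts)\s+(?P<rest>.+?)\s*$")
MITIGATES_RE = re.compile(r"^(?P<component>.+?)\s+against\s+(?P<threat>.+?)\s+with\s+(?P<control>.+)$")
ACCEPTS_RE = re.compile(r"^(?P<threat>.+?)\s+to\s+(?P<component>.+?)\s+with\s+(?P<details>.+)$")

def parse_annotations(source, filename="<constructed>"):
    """Extract @mitigates / @accepts annotations from the comment lines of `source`."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = ANNOTATION_RE.search(line)
        if not m:
            continue
        verb, rest = m.group("verb"), m.group("rest")
        detail = (MITIGATES_RE if verb == "mitigates" else ACCEPTS_RE).match(rest)
        if not detail:  # fail loudly: a malformed annotation would otherwise vanish from the model
            raise ValueError(f"{filename}:{lineno}: malformed @{verb} annotation: {line.strip()}")
        entry = {"verb": verb, "file": filename, "line": lineno}
        entry.update(detail.groupdict())
        findings.append(entry)
    return findings

def build_threat_model(findings):
    """Group findings per component, separating mitigations from accepted risks."""
    model = {}
    for f in findings:
        comp = model.setdefault(f["component"], {"mitigations": [], "acceptances": []})
        if f["verb"] == "mitigates":
            comp["mitigations"].append({"threat": f["threat"], "control": f["control"]})
        else:
            comp["acceptances"].append({"threat": f["threat"], "details": f["details"]})
    return model

# Constructed sample input: the Go snippet from this README plus one extra annotation.
SAMPLE_SOURCE = """\
// @accepts arbitrary file writes to WebApp:FileSystem with filename restrictions
// @mitigates WebApp:FileSystem against unauthorised access with strict file permissions
func (p *Page) save() error {
    filename := p.Title + ".txt"
    return ioutil.WriteFile(filename, p.Body, 0600)
}
// @mitigates WebApp:Web against cross-site scripting with html/template auto-escaping
"""

if __name__ == "__main__":
    print(json.dumps(build_threat_model(parse_annotations(SAMPLE_SOURCE, "wiki.go")), indent=2))
```

The acceptances list is the part worth reviewing regularly: each entry is a risk someone chose to carry rather than mitigate.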

Step 5 - Generate the threat model report

$ threatspec report
Generating report...
The following threat model visualisation image has been created: ThreatModel.md.png
The following threat model markdown report has been created: ThreatModel.md

Example report

See https://github.com/threatspec/threatspec_example_report.

Getting help

For more information, use the command line help flag.

$ threatspec --help
Usage: threatspec [OPTIONS] COMMAND [ARGS]...

  threatspec - continuous threat modeling, through code

  threatspec is an open source project that aims to close the gap between
  development and security by bringing the threat modelling process further
  into the development process. This is achieved by having developers and
  ...
