Ejemplo n.º 1
 def test_DR01(self):
     """DR01 must match an unencrypted web-to-database flow carrying stored PII."""
     web_server = Server("Web Server")
     database = Datastore("Database")
     query_flow = Dataflow(web_server, database, "Insert query")
     # Payload is an SSN flagged both as PII and as persisted.
     query_flow.data = Data("ssn", isPII=True, isStored=True)
     # The flow itself is left without encryption.
     query_flow.isEncrypted = False
     rule = threats["DR01"]
     matched = rule.apply(query_flow)
     self.assertTrue(matched)
Ejemplo n.º 2
 def test_DE01(self):
     """DE01 must match a user-to-server flow sent over plain HTTP without encryption."""
     end_user = Actor("User")
     web_server = Server("Web Server")
     comment_flow = Dataflow(end_user, web_server, "User enters comments (*)")
     # Cleartext transport: protocol is HTTP and the flow is not encrypted.
     comment_flow.protocol = "HTTP"
     comment_flow.isEncrypted = False
     rule = threats["DE01"]
     matched = rule.apply(comment_flow)
     self.assertTrue(matched)
Ejemplo n.º 3
 def test_DE01(self):
     """DE01, built from its JSON definition, must match a cleartext HTTP flow."""
     end_user = Actor("User")
     web_server = Server("Web Server")
     comment_flow = Dataflow(end_user, web_server, "User enters comments (*)")
     # Cleartext transport: protocol is HTTP and the flow is not encrypted.
     comment_flow.protocol = "HTTP"
     comment_flow.isEncrypted = False
     # Look the rule up by its SID in the loaded threat definitions;
     # next() raises StopIteration if no entry carries that SID.
     definition = next(entry for entry in threats_json if entry["SID"] == "DE01")
     rule = Threat(definition)
     self.assertTrue(rule.apply(comment_flow))
Ejemplo n.º 4
 def test_AC05(self):
     """AC05 must match when the calling process does not authenticate its destination.

     The flow is HTTPS and encrypted, so transport protection alone does not
     stop the rule from applying in this setup.
     """
     caller = Process("Process1")
     web_server = Server("Web Server")
     # The source never verifies who it is talking to.
     caller.authenticatesDestination = False
     api_call = Dataflow(caller, web_server, "Process calls a web API")
     api_call.protocol = "HTTPS"
     api_call.isEncrypted = True
     rule = threats["AC05"]
     matched = rule.apply(api_call)
     self.assertTrue(matched)
Ejemplo n.º 5
 def test_CR08(self):
     """CR08 must match an HTTPS flow marked SSLv3 toward a server whose minimum is TLSv11."""
     end_user = Actor("User")
     web_server = Server("Web Server")
     # Server-side floor for the TLS version.
     web_server.minTLSVersion = TLSVersion.TLSv11
     comment_flow = Dataflow(end_user, web_server, "User enters comments (*)")
     comment_flow.protocol = "HTTPS"
     comment_flow.isEncrypted = True
     # The flow is marked with a different protocol version than the server's minimum.
     comment_flow.tlsVersion = TLSVersion.SSLv3
     rule = threats["CR08"]
     matched = rule.apply(comment_flow)
     self.assertTrue(matched)
Ejemplo n.º 6
 def test_AC22(self):
     """AC22 must match a flow carrying credentials whose lifetime is HARDCODED.

     The flow is HTTPS and encrypted; the credential lifetime is the only
     weakness modelled here.
     """
     end_user = Actor("User")
     web_server = Server("Web Server")
     login_flow = Dataflow(end_user, web_server, "User enters comments (*)")
     # Password payload flagged as credentials that never rotate (hard-coded).
     secret = Data(
         "password",
         isCredentials=True,
         credentialsLife=Lifetime.HARDCODED,
     )
     login_flow.data = secret
     login_flow.protocol = "HTTPS"
     login_flow.isEncrypted = True
     rule = threats["AC22"]
     matched = rule.apply(login_flow)
     self.assertTrue(matched)
Ejemplo n.º 7
 def test_AC10(self):
     """AC10 must match a server with no authentication scheme and no source authorization.

     Unlike the flow-level checks, the rule is applied to the server element,
     which receives the SSLv3-marked HTTPS flow as its only input.
     """
     end_user = Actor("User")
     web_server = Server("Web Server")
     web_server.minTLSVersion = TLSVersion.TLSv11
     # Server-side access-control gaps.
     web_server.implementsAuthenticationScheme = False
     web_server.authorizesSource = False
     inbound = Dataflow(end_user, web_server, "User enters comments (*)")
     inbound.protocol = "HTTPS"
     inbound.isEncrypted = True
     inbound.tlsVersion = TLSVersion.SSLv3
     # Attach the flow explicitly so the server element can see its inputs.
     web_server.inputs = [inbound]
     rule = threats["AC10"]
     matched = rule.apply(web_server)
     self.assertTrue(matched)
Ejemplo n.º 8
# Attribute flags on the redis and db model elements (both are created outside this excerpt).
redis.isSQL = False
redis.inScope = True
db.onAWS = True
db.isShared = False
# NOTE(review): presumably threat rules consult this flag; confirm the store really holds no sensitive data.
db.storesSensitiveData = False

# Two external services, modelled as generic Elements and both placed inside
# the `internet` boundary (defined outside this excerpt).
third_party = Element("3rd party services")
third_party.inBoundary = internet

third_party_bim = Element("3rd party BIM360 services")
third_party_bim.inBoundary = internet

# First flow in the model (order 1): user -> apigee, declared as HTTPS on port 443,
# encrypted and authenticated.
user_to_apigee = Dataflow(user, apigee,
                          "User sends API request to Apps service")
user_to_apigee.protocol = "HTTPS"
user_to_apigee.isEncrypted = True
user_to_apigee.authenticatedWith = True
user_to_apigee.dstPort = 443
# NOTE(review): data is a bare string, so no sensitivity classification (PII,
# credentials) is recorded on this flow; confirm that is intended.
user_to_apigee.data = 'JSON'
user_to_apigee.order = 1

# Second flow in the model (order 2): apigee -> server, declared as HTTPS on port 443,
# encrypted and authenticated.
apigee_to_server = Dataflow(apigee, server,
                            "Apigee forwards API request to Apps server")
apigee_to_server.protocol = "HTTPS"
apigee_to_server.isEncrypted = True
apigee_to_server.authenticatedWith = True
apigee_to_server.dstPort = 443
# NOTE(review): data is a bare string, so no sensitivity classification (PII,
# credentials) is recorded on this flow; confirm that is intended.
apigee_to_server.data = 'JSON'
apigee_to_server.order = 2

server_to_third_party = Dataflow(