def test_DO03(self): user = Actor("User") web = Server("Web Server") user_to_web = Dataflow(user, web, "User enters comments (*)") user_to_web.data = 'XML' ThreatObj = Threat(next(item for item in threats_json if item["SID"] == "DO03")) self.assertTrue(ThreatObj.apply(user_to_web))
def test_DO03(self): user = Actor("User") web = Server("Web Server") user_to_web = Dataflow(user, web, "User enters comments (*)") user_to_web.data = "XML" threat = threats["DO03"] self.assertTrue(threat.apply(user_to_web))
def test_CR07(self): user = Actor("User") web = Server("Web Server") user_to_web = Dataflow(user, web, "User enters comments (*)") user_to_web.protocol = "HTTP" user_to_web.data = "XML" threat = threats["CR07"] self.assertTrue(threat.apply(user_to_web))
def test_AC04(self): user = Actor("User") web = Server("Web Server") user_to_web = Dataflow(user, web, "User enters comments (*)") user_to_web.data = 'XML' user_to_web.authorizesSource = False ThreatObj = Threat(next(item for item in threats_json if item["SID"] == "AC04")) self.assertTrue(ThreatObj.apply(user_to_web))
def test_DR01(self): web = Server("Web Server") db = Datastore("Database") insert = Dataflow(web, db, "Insert query") insert.data = Data("ssn", isPII=True, isStored=True) insert.isEncrypted = False threat = threats["DR01"] self.assertTrue(threat.apply(insert))
def test_DO04(self): user = Actor("User") web = Server("Web Server") user_to_web = Dataflow(user, web, "User enters comments (*)") user_to_web.data = "XML" user_to_web.handlesResources = False threat = threats["DO04"] self.assertTrue(threat.apply(user_to_web))
def test_AC04(self): user = Actor("User") web = Server("Web Server") user_to_web = Dataflow(user, web, "User enters comments (*)") user_to_web.data = "XML" user_to_web.authorizesSource = False threat = threats["AC04"] self.assertTrue(threat.apply(user_to_web))
def test_AC04(self): user = Actor("User") web = Server("Web Server") user_to_web = Dataflow(user, web, "User enters comments (*)") xml = Data(name="user to web data", description="textual", format="XML") user_to_web.data = xml user_to_web.authorizesSource = False threat = threats["AC04"] self.assertTrue(threat.apply(user_to_web))
def test_DO03(self): user = Actor("User") web = Server("Web Server") user_to_web = Dataflow(user, web, "User enters comments (*)") user_to_web.protocol = "HTTP" xml = Data(name="user to web data", description="textual", format="XML") user_to_web.data = xml threat = threats["DO03"] self.assertTrue(threat.apply(user_to_web))
def test_AC22(self): user = Actor("User") web = Server("Web Server") user_to_web = Dataflow(user, web, "User enters comments (*)") user_to_web.data = Data("password", isCredentials=True, credentialsLife=Lifetime.HARDCODED) user_to_web.protocol = "HTTPS" user_to_web.isEncrypted = True threat = threats["AC22"] self.assertTrue(threat.apply(user_to_web))
def create_dataflow( source=Classification.RESTRICTED, sink=Classification.RESTRICTED, dataflow=Classification.RESTRICTED, data=Classification.RESTRICTED, define_data=True, ): source_ = Server("Source", maxClassification=source) sink_ = Datastore("Sink", maxClassification=sink) flow_ = Dataflow(source_, sink_, "Flow", maxClassification=dataflow) if define_data: flow_.data = Data("Data", classification=data) return flow_
db = Datastore("SQL Database") db.OS = "CentOS" db.isHardened = False db.inBoundary = Web_DB db.isSQL = True db.inScope = False my_lambda_to_db = Dataflow(my_lambda, db, "(λ)Periodically cleans DB") my_lambda_to_db.protocol = "SQL" my_lambda_to_db.dstPort = 3306 user_to_web = Dataflow(user, web, "User enters comments (*)") user_to_web.protocol = "HTTP" user_to_web.dstPort = 80 user_to_web.data = 'Comments in HTML or Markdown' user_to_web.order = 1 user_to_web.note = "This is a note\nmulti-line" web_to_user = Dataflow(web, user, "Comments saved (*)") web_to_user.protocol = "HTTP" web_to_user.data = 'Ack of saving or error message, in JSON' web_to_user.order = 2 web_to_db = Dataflow(web, db, "Insert query with comments") web_to_db.protocol = "MySQL" web_to_db.dstPort = 3306 web_to_db.data = 'MySQL insert statement, all literals' web_to_db.order = 3 web_to_db.note = "another note\nin a different place"
merchant_web.isHardened = True merchant_web.onAWS = True # web.levels = [2] stripe_api = ExternalEntity("Stripe API service") stripe_api.inBoundary = Stripe_API stripe_api.onAWS = False stripe_process = Process("Stripe Payment Service") stripe_process.inBoundary = Stripe_API customer_to_customer_client = Dataflow( customer, customer_client, "Customer logs into the merchant site (*)") customer_to_customer_client.protocol = "HTTPS" customer_to_customer_client.dstPort = 443 customer_to_customer_client.data = 'OAuth' customer_to_customer_client = Dataflow( customer, customer_client, "Customer proceeds to payment page to make a purchase (*)") customer_to_customer_client.protocol = "HTTPS" customer_to_customer_client.dstPort = 443 customer_client_to_merchant_web = Dataflow( customer_client, merchant_web, "Customer Client sends order intent, including order amount (*)") customer_client_to_merchant_web.protocol = "HTTPS" customer_client_to_merchant_web.dstPort = 443 merchant_web_to_stripe_api = Dataflow( merchant_web, stripe_api,
secretDb.isSQL = True secretDb.inScope = True secretDb.storesPII = True secretDb.maxClassification = Classification.TOP_SECRET my_lambda = Lambda("AWS Lambda") my_lambda.hasAccessControl = True my_lambda.inBoundary = vpc my_lambda.levels = [1, 2] token_user_identity = Data("Token verifying user identity", classification=Classification.SECRET) db_to_secretDb = Dataflow(db, secretDb, "Database verify real user identity") db_to_secretDb.protocol = "RDA-TCP" db_to_secretDb.dstPort = 40234 db_to_secretDb.data = token_user_identity db_to_secretDb.note = "Verifying that the user is who they say they are." db_to_secretDb.maxClassification = Classification.SECRET comments_in_text = Data("Comments in HTML or Markdown", classification=Classification.PUBLIC) user_to_web = Dataflow(user, web, "User enters comments (*)") user_to_web.protocol = "HTTP" user_to_web.dstPort = 80 user_to_web.data = comments_in_text user_to_web.note = "This is a simple web app\nthat stores and retrieves user comments." web_to_db = Dataflow(web, db, "Insert query with comments") web_to_db.protocol = "MySQL" web_to_db.dstPort = 3306 # this is a BAD way of defining a data object, here for a demo on how it
db = Datastore("SQL Database") db.OS = "CentOS" db.isHardened = False db.inBoundary = server_db db.isSQL = True db.inScope = True my_lambda = Lambda("AWS Lambda") my_lambda.hasAccessControl = True my_lambda.inBoundary = vpc user_to_web = Dataflow(user, web, "User enters comments (*)") user_to_web.protocol = "HTTP" user_to_web.dstPort = 80 user_to_web.data = 'Comments in HTML or Markdown' user_to_web.note = "This is a simple web app\nthat stores and retrieves user comments." web_to_db = Dataflow(web, db, "Insert query with comments") web_to_db.protocol = "MySQL" web_to_db.dstPort = 3306 web_to_db.data = 'MySQL insert statement, all literals' web_to_db.note = "Web server inserts user comments\ninto it's SQL query and stores them in the DB." db_to_web = Dataflow(db, web, "Retrieve comments") db_to_web.protocol = "MySQL" db_to_web.dstPort = 80 db_to_web.data = 'Web server retrieves comments from DB' db_to_web.responseTo = web_to_db web_to_user = Dataflow(web, user, "Show comments (*)")
db.isShared = False db.storesSensitiveData = False third_party = Element("3rd party services") third_party.inBoundary = internet third_party_bim = Element("3rd party BIM360 services") third_party_bim.inBoundary = internet user_to_apigee = Dataflow(user, apigee, "User sends API request to Apps service") user_to_apigee.protocol = "HTTPS" user_to_apigee.isEncrypted = True user_to_apigee.authenticatedWith = True user_to_apigee.dstPort = 443 user_to_apigee.data = 'JSON' user_to_apigee.order = 1 apigee_to_server = Dataflow(apigee, server, "Apigee forwards API request to Apps server") apigee_to_server.protocol = "HTTPS" apigee_to_server.isEncrypted = True apigee_to_server.authenticatedWith = True apigee_to_server.dstPort = 443 apigee_to_server.data = 'JSON' apigee_to_server.order = 2 server_to_third_party = Dataflow( server, third_party, "Apps server communicates with 3rd party services") server_to_third_party.authenticatedWith = True server_to_third_party.isEncrypted = True
secretDb.isSQL = True secretDb.inScope = True secretDb.storesPII = True secretDb.maxClassification = Classification.TOP_SECRET my_lambda = Lambda("AWS Lambda") my_lambda.hasAccessControl = True my_lambda.inBoundary = vpc my_lambda.levels = [1, 2] token_user_identity = Data("Token verifying user identity", classification=Classification.SECRET) db_to_secretDb = Dataflow(db, secretDb, "Database verify real user identity") db_to_secretDb.protocol = "RDA-TCP" db_to_secretDb.dstPort = 40234 db_to_secretDb.data = token_user_identity db_to_secretDb.note = "Verifying that the user is who they say they are." db_to_secretDb.maxClassification = Classification.SECRET comments_in_text = Data("Comments in HTML or Markdown", classification=Classification.PUBLIC) user_to_web = Dataflow(user, web, "User enters comments (*)") user_to_web.protocol = "HTTP" user_to_web.dstPort = 80 user_to_web.data = comments_in_text user_to_web.note = "This is a simple web app\nthat stores and retrieves user comments." query_insert = Data("Insert query with comments", classification=Classification.PUBLIC) web_to_db = Dataflow(web, db, "Insert query with comments") web_to_db.protocol = "MySQL"
secretDb.isHardened = True secretDb.inBoundary = server_db secretDb.isSQL = True secretDb.inScope = True secretDb.storesPII = True secretDb.maxClassification = Classification.TOP_SECRET my_lambda = Lambda("AWS Lambda") my_lambda.hasAccessControl = True my_lambda.inBoundary = vpc my_lambda.levels = [1, 2] db_to_secretDb = Dataflow(db, secretDb, "Database verify real user identity") db_to_secretDb.protocol = "RDA-TCP" db_to_secretDb.dstPort = 40234 db_to_secretDb.data = "Token to verify user identity" db_to_secretDb.note = "Verifying that the user is who they say they are." db_to_secretDb.maxClassification = Classification.SECRET user_to_web = Dataflow(user, web, "User enters comments (*)") user_to_web.protocol = "HTTP" user_to_web.dstPort = 80 user_to_web.data = "Comments in HTML or Markdown" user_to_web.note = "This is a simple web app\nthat stores and retrieves user comments." web_to_db = Dataflow(web, db, "Insert query with comments") web_to_db.protocol = "MySQL" web_to_db.dstPort = 3306 web_to_db.data = "MySQL insert statement, all literals" web_to_db.note = ( "Web server inserts user comments\ninto it's SQL query and stores them in the DB."