def test_CR08(self):
    """Assert that threat CR08 applies to an HTTP dataflow whose usesLatestTLSversion flag is False."""
    actor = Actor("User")
    server = Server("Web Server")
    flow = Dataflow(actor, server, "User enters comments (*)")
    # The two attributes together form the condition this rule is exercised against.
    flow.usesLatestTLSversion = False
    flow.protocol = "HTTP"
    self.assertTrue(threats["CR08"].apply(flow))
def test_DE01(self):
    """Assert that DE01, built directly from its raw JSON entry, applies to an unencrypted HTTP dataflow."""
    actor = Actor("User")
    server = Server("Web Server")
    flow = Dataflow(actor, server, "User enters comments (*)")
    flow.isEncrypted = False
    flow.protocol = 'HTTP'
    # Look the rule up by SID in the raw definitions instead of the prebuilt threat map.
    definition = next(entry for entry in threats_json if entry["SID"] == "DE01")
    self.assertTrue(Threat(definition).apply(flow))
def test_CR07(self):
    """Assert that threat CR07 applies to an HTTP dataflow carrying XML payload."""
    actor = Actor("User")
    server = Server("Web Server")
    flow = Dataflow(actor, server, "User enters comments (*)")
    # The payload is given as a bare string here; whether the Dataflow.data descriptor
    # wraps it into a Data object is not visible in this test — the DO03 test uses the
    # explicit Data(...) form instead.
    flow.data = "XML"
    flow.protocol = "HTTP"
    self.assertTrue(threats["CR07"].apply(flow))
def test_DE01(self):
    """Assert that threat DE01 applies to an HTTP dataflow with isEncrypted set to False."""
    actor = Actor("User")
    server = Server("Web Server")
    flow = Dataflow(actor, server, "User enters comments (*)")
    flow.isEncrypted = False
    flow.protocol = "HTTP"
    self.assertTrue(threats["DE01"].apply(flow))
def test_AC05(self):
    """Assert that AC05 applies to an encrypted HTTPS dataflow whose source process does not authenticate its destination."""
    client = Process("Process1")
    # Transport security alone is not the condition here: the source skips destination authentication.
    client.authenticatesDestination = False
    server = Server("Web Server")
    flow = Dataflow(client, server, "Process calls a web API")
    flow.isEncrypted = True
    flow.protocol = "HTTPS"
    self.assertTrue(threats["AC05"].apply(flow))
def test_DO03(self):
    """Assert that threat DO03 applies to an HTTP dataflow whose Data object has format XML."""
    actor = Actor("User")
    server = Server("Web Server")
    flow = Dataflow(actor, server, "User enters comments (*)")
    flow.protocol = "HTTP"
    # Explicit Data object (not a bare string) so the format attribute is set.
    payload = Data(name="user to web data", description="textual", format="XML")
    flow.data = payload
    self.assertTrue(threats["DO03"].apply(flow))
def test_CR08(self):
    """Assert that CR08, built from its raw JSON entry, applies to an HTTP dataflow not on the latest TLS version."""
    actor = Actor("User")
    server = Server("Web Server")
    flow = Dataflow(actor, server, "User enters comments (*)")
    flow.usesLatestTLSversion = False
    flow.protocol = 'HTTP'
    # Rule is located by SID in the raw definitions rather than the prebuilt threat map.
    definition = next(entry for entry in threats_json if entry["SID"] == "CR08")
    self.assertTrue(Threat(definition).apply(flow))
def test_CR06(self):
    """Assert that CR06 applies to an HTTP dataflow with no VPN, no authentication scheme and no source authorization."""
    actor = Actor("User")
    server = Server("Web Server")
    flow = Dataflow(actor, server, "User enters comments (*)")
    flow.protocol = "HTTP"
    # All three protections are absent; the test does not isolate which one the rule keys on.
    flow.authorizesSource = False
    flow.implementsAuthenticationScheme = False
    flow.usesVPN = False
    self.assertTrue(threats["CR06"].apply(flow))
def test_CR08(self):
    """Assert that CR08 applies to an encrypted HTTPS flow using SSLv3 into a server whose minTLSVersion is TLSv11."""
    actor = Actor("User")
    server = Server("Web Server")
    # Server-side floor is set before the flow is created.
    server.minTLSVersion = TLSVersion.TLSv11
    flow = Dataflow(actor, server, "User enters comments (*)")
    flow.tlsVersion = TLSVersion.SSLv3
    flow.isEncrypted = True
    flow.protocol = "HTTPS"
    self.assertTrue(threats["CR08"].apply(flow))
def test_AC22(self):
    """Assert that AC22 applies to an encrypted HTTPS flow carrying hard-coded credentials."""
    actor = Actor("User")
    server = Server("Web Server")
    flow = Dataflow(actor, server, "User enters comments (*)")
    # Transport is encrypted; the condition under test is the credential lifetime on the payload.
    credential = Data("password", isCredentials=True, credentialsLife=Lifetime.HARDCODED)
    flow.data = credential
    flow.isEncrypted = True
    flow.protocol = "HTTPS"
    self.assertTrue(threats["AC22"].apply(flow))
def test_CR06(self):
    """Assert that CR06, built from its raw JSON entry, applies to an HTTP flow lacking VPN, auth scheme and source authorization."""
    actor = Actor("User")
    server = Server("Web Server")
    flow = Dataflow(actor, server, "User enters comments (*)")
    flow.protocol = 'HTTP'
    flow.authorizesSource = False
    flow.implementsAuthenticationScheme = False
    flow.usesVPN = False
    # Rule is located by SID in the raw definitions rather than the prebuilt threat map.
    definition = next(entry for entry in threats_json if entry["SID"] == "CR06")
    self.assertTrue(Threat(definition).apply(flow))
def test_CR01(self):
    """Assert that CR01 applies to both a Server and a Dataflow on plain HTTP, without VPN, using session tokens."""
    actor = Actor("User")
    server = Server("Web Server")
    server.usesSessionTokens = True
    server.usesVPN = False
    server.protocol = "HTTP"
    flow = Dataflow(actor, server, "User enters comments (*)")
    flow.usesSessionTokens = True
    flow.usesVPN = False
    flow.protocol = "HTTP"
    rule = threats["CR01"]
    # Same rule is expected to match the server first and then the flow into it.
    for target in (server, flow):
        self.assertTrue(rule.apply(target))
def test_CR01(self):
    """Assert that CR01, built from its raw JSON entry, applies to both a Server and a Dataflow on plain HTTP with session tokens and no VPN."""
    actor = Actor("User")
    server = Server("Web Server")
    server.usesSessionTokens = True
    server.usesVPN = False
    server.protocol = 'HTTP'
    flow = Dataflow(actor, server, "User enters comments (*)")
    flow.usesSessionTokens = True
    flow.usesVPN = False
    flow.protocol = 'HTTP'
    # Rule is located by SID in the raw definitions rather than the prebuilt threat map.
    definition = next(entry for entry in threats_json if entry["SID"] == "CR01")
    rule = Threat(definition)
    for target in (server, flow):
        self.assertTrue(rule.apply(target))
def test_AC10(self):
    """Assert that AC10 applies to a server with no auth scheme or source authorization that receives an SSLv3 flow below its TLSv11 floor."""
    actor = Actor("User")
    server = Server("Web Server")
    server.authorizesSource = False
    server.implementsAuthenticationScheme = False
    server.minTLSVersion = TLSVersion.TLSv11
    flow = Dataflow(actor, server, "User enters comments (*)")
    flow.tlsVersion = TLSVersion.SSLv3
    flow.isEncrypted = True
    flow.protocol = "HTTPS"
    # The rule is applied to the server, so the flow must be attached as one of its inputs.
    server.inputs = [flow]
    self.assertTrue(threats["AC10"].apply(server))
def test_CR02(self):
    """Assert that CR02 applies to both a Server and a Dataflow on plain HTTP that use session tokens but neither sanitize nor validate input."""
    actor = Actor("User")
    server = Server("Web Server")
    server.usesSessionTokens = True
    server.validatesInput = False
    server.sanitizesInput = False
    server.protocol = 'HTTP'
    flow = Dataflow(actor, server, "User enters comments (*)")
    flow.usesSessionTokens = True
    flow.validatesInput = False
    flow.sanitizesInput = False
    flow.protocol = 'HTTP'
    rule = threats["CR02"]
    # Server is checked first, then the flow into it.
    for target in (server, flow):
        self.assertTrue(rule.apply(target))
# Fragment of a pytm model: `web`, `user`, `server_db` and `vpc` are bound earlier in the file
# (outside this excerpt). Element construction order is kept as-is; pytm may record elements
# in creation order, so do not reorder these without checking — TODO confirm.
web.encodesOutput = True
web.authorizesSource = False
db = Datastore("SQL Database")
db.OS = "CentOS"
db.isHardened = False
db.inBoundary = server_db
db.isSQL = True
db.inScope = True
my_lambda = Lambda("AWS Lambda")
my_lambda.hasAccessControl = True
my_lambda.inBoundary = vpc
user_to_web = Dataflow(user, web, "User enters comments (*)")
user_to_web.protocol = "HTTP"
user_to_web.dstPort = 80
# Payload given as a bare string rather than a Data object; presumably the data descriptor
# accepts this form — verify against the pytm version in use.
user_to_web.data = 'Comments in HTML or Markdown'
user_to_web.note = "This is a simple web app\nthat stores and retrieves user comments."
web_to_db = Dataflow(web, db, "Insert query with comments")
web_to_db.protocol = "MySQL"
web_to_db.dstPort = 3306
# The note describes the modeled design (user comments spliced into the SQL statement as
# literals); it documents the system being analyzed, not a property of the model to change.
web_to_db.data = 'MySQL insert statement, all literals'
web_to_db.note = "Web server inserts user comments\ninto it's SQL query and stores them in the DB."
db_to_web = Dataflow(db, web, "Retrieve comments")
db_to_web.protocol = "MySQL"
# NOTE(review): dstPort 80 on a MySQL-protocol response flow looks inconsistent with the
# 3306 used on web_to_db above — confirm whether this is intended.
db_to_web.dstPort = 80
db_to_web.data = 'Web server retrieves comments from DB'
# Marks this flow as the reply to the insert query.
db_to_web.responseTo = web_to_db
# Fragment of a pytm model: `redis`, `cache_boundary`, `db`, `internet`, `user`, `apigee` and
# `server` are bound earlier in the file (outside this excerpt).
redis.inBoundary = cache_boundary
redis.isSQL = False
redis.inScope = True
db.onAWS = True
db.isShared = False
db.storesSensitiveData = False
# External services are modeled as generic Elements placed in the internet boundary.
third_party = Element("3rd party services")
third_party.inBoundary = internet
third_party_bim = Element("3rd party BIM360 services")
third_party_bim.inBoundary = internet
user_to_apigee = Dataflow(user, apigee, "User sends API request to Apps service")
user_to_apigee.protocol = "HTTPS"
user_to_apigee.isEncrypted = True
user_to_apigee.authenticatedWith = True
user_to_apigee.dstPort = 443
user_to_apigee.data = 'JSON'
# `order` appears to sequence the flows (1 then 2); its exact use by pytm is not visible here.
user_to_apigee.order = 1
apigee_to_server = Dataflow(apigee, server, "Apigee forwards API request to Apps server")
apigee_to_server.protocol = "HTTPS"
apigee_to_server.isEncrypted = True
apigee_to_server.authenticatedWith = True
apigee_to_server.dstPort = 443
apigee_to_server.data = 'JSON'
apigee_to_server.order = 2
# Fragment of a pytm model: `secretDb`, `server_db`, `vpc`, `db`, `user` and `web` are bound
# earlier in the file (outside this excerpt).
secretDb.isHardened = True
secretDb.inBoundary = server_db
secretDb.isSQL = True
secretDb.inScope = True
secretDb.storesPII = True
# Highest classification this store is allowed to hold.
secretDb.maxClassification = Classification.TOP_SECRET
my_lambda = Lambda("AWS Lambda")
my_lambda.hasAccessControl = True
my_lambda.inBoundary = vpc
my_lambda.levels = [1, 2]
# Data objects carry their own classification so flows and stores can be checked against it.
token_user_identity = Data("Token verifying user identity", classification=Classification.SECRET)
db_to_secretDb = Dataflow(db, secretDb, "Database verify real user identity")
db_to_secretDb.protocol = "RDA-TCP"
db_to_secretDb.dstPort = 40234
db_to_secretDb.data = token_user_identity
db_to_secretDb.note = "Verifying that the user is who they say they are."
# Flow ceiling (SECRET) matches the classification of the token it carries.
db_to_secretDb.maxClassification = Classification.SECRET
comments_in_text = Data("Comments in HTML or Markdown", classification=Classification.PUBLIC)
user_to_web = Dataflow(user, web, "User enters comments (*)")
user_to_web.protocol = "HTTP"
user_to_web.dstPort = 80
user_to_web.data = comments_in_text
user_to_web.note = "This is a simple web app\nthat stores and retrieves user comments."
web_to_db = Dataflow(web, db, "Insert query with comments")
web_to_db.protocol = "MySQL"
# Fragment of a pytm model: `merchant_web`, `Merchant_Web`, `Stripe_API`, `customer` and
# `customer_client` are bound earlier in the file (outside this excerpt).
merchant_web.inBoundary = Merchant_Web
merchant_web.OS = "Ubuntu"
merchant_web.isHardened = True
merchant_web.onAWS = True
# web.levels = [2]
stripe_api = ExternalEntity("Stripe API service")
stripe_api.inBoundary = Stripe_API
stripe_api.onAWS = False
stripe_process = Process("Stripe Payment Service")
stripe_process.inBoundary = Stripe_API
customer_to_customer_client = Dataflow(
    customer, customer_client, "Customer logs into the merchant site (*)")
customer_to_customer_client.protocol = "HTTPS"
customer_to_customer_client.dstPort = 443
customer_to_customer_client.data = 'OAuth'
# NOTE(review): the same name is rebound to a second Dataflow below, so the login flow above
# is no longer reachable from this variable; presumably pytm still tracks it through its
# element registry — verify, and consider a distinct name for each flow.
customer_to_customer_client = Dataflow(
    customer, customer_client, "Customer proceeds to payment page to make a purchase (*)")
customer_to_customer_client.protocol = "HTTPS"
customer_to_customer_client.dstPort = 443
customer_client_to_merchant_web = Dataflow(
    customer_client, merchant_web, "Customer Client sends order intent, including order amount (*)")
customer_client_to_merchant_web.protocol = "HTTPS"
customer_client_to_merchant_web.dstPort = 443