Skip to content

Instantly share code, notes, and snippets.

@jmarcil jmarcil/rentingcar.plantuml Secret
Created May 16, 2019

Embed
What would you like to do?
threat modeling workshop renting car system
@startuml
skinparam monochrome true
skinparam defaultTextAlignment center
' Root nodes
agent "Steal Car" as goalsteal
agent "Disrupt business operations" as goaldisrupt
' Sub goals
agent "Make car unrentable" as goaldos
agent "Rent all car" as goalrentall
goaldisrupt --> goaldos
goaldisrupt --> goalrentall
agent "DoS car rentals" as dosrentals
goaldos --> dosrentals
agent "Break Cars" as breakcars
agent "DoS API Gateway" as dosapi
agent "Mess with mobile app" as messmobile
dosrentals --> breakcars
' This is a good opportunity to try refactoring for better view
' Try changing the following ---> to --> and see how it looks
dosrentals ---> dosapi
dosrentals --> messmobile
agent "Crash Mobile App" as crashmobile
messmobile --> crashmobile
agent "Get App Removed from App Store" as removestore
messmobile --> removestore
agent "DDoS with many requests" as ddosreq
agent "Screw certificates" as screwcerts
agent "Gain Access to system" as gainsysaccess
dosapi --> ddosreq
dosapi --> screwcerts
dosapi --> gainsysaccess
agent "Steal admin credentials" as stealadmincreds
gainsysaccess --> stealadmincreds
agent "(todo)" as detailsadminscred
stealadmincreds --> detailsadminscred
agent "SF Style" as sfstyle
goalsteal --> sfstyle
cloud "**иии**" as cloud1
sfstyle --> cloud1
interface "and" as and1
goalsteal --> and1
agent "Unlock Car" as unlockcar
agent "Start Engine" as startengine
and1 --> unlockcar
and1 --> startengine
agent "Gain Car Owner Access" as gainowner
unlockcar --> gainowner
startengine --> gainowner
agent "Get Owner Credentials" as getocreds
gainowner --> getocreds
gainowner --> gainsysaccess
agent "Steal creds from owner" as stealcreds
getocreds --> stealcreds
agent "Ask nicely" as nicely
getocreds --> nicely
agent "Bluetooth snarfing" as snarf
stealcreds --> snarf
agent "Evil Twin" as eviltwin
stealcreds --> eviltwin
agent "Lack of transport crypto" as lackbcrypto
snarf --> lackbcrypto
@enduml
#!/usr/bin/env python3
from pytm import *
tm = TM("Renting Car Startup Flow Diagram")
tm.description = "This is a threat model made in the Threat Modeling Workshop."
owner = Actor("Owner Phone")
customer = Actor("Customer Phone")
ownz = Server("Ownz Mobile")
cadz = Server("Cadz Mobile")
apigw = Server("API Gateway")
auth = Server("Auth")
conncar = SetOfProcesses("Connected Car")
abc = Server("ABC")
api = Server("API")
apiar = Server("API AR")
apiai = Server("API AI")
apiamfm = Server("API AM/FM")
unsure = Process("?")
# todo change this for a cloud?
watson = ExternalEntity("Watson")
flatfile = Datastore("Flatfile radio stations")
carsdb = Datastore("Cars DB")
insidecar = Boundary("Inside the car")
dmz = Boundary("DMZ")
prod = Boundary(" ")
for process in [conncar, cadz, abc, customer]:
process.inBoundary = insidecar
apiai.inBoundary = dmz
for process in [apigw, api, apiar, apiamfm, auth, flatfile, carsdb, unsure]:
process.inBoundary = prod
owner2ownz = Dataflow(owner, ownz, "Launch")
customer2cadz = Dataflow(customer, cadz, "Launch")
ownz2apigw = Dataflow(ownz, apigw, "HTTPS")
cadz2apigw = Dataflow(cadz, apigw, "HTTPS")
apigw2apiai = Dataflow(apigw, apiai, "HTTP")
apigw2apiamfm = Dataflow(apigw, apiamfm, "SSH")
apigw2apiar = Dataflow(apigw, apiar, "HTTP/2")
apigw2api = Dataflow(apigw, api, "HTTP")
api2carsdb = Dataflow(api, carsdb, " ")
apiaamfm2flatfile = Dataflow(apiamfm, flatfile, " ")
apiai2watson = Dataflow(apiai, watson, " ")
apigw2auth = Dataflow(apigw, auth, "Kerberos")
apiar2unsure = Dataflow(apiar, unsure, " ")
conncar2abc = Dataflow(conncar, abc, " ")
abc2carsdb = Dataflow(abc, carsdb, " ")
conncar2cadz = Dataflow(conncar, cadz, "Bluetooth")
tm.process()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.