Threat modeling workshop: car rental system
@startuml
' Attack tree for the car-rental system, drawn with PlantUML component syntax:
' every "agent" is a goal/sub-goal node and an arrow points from a goal to the
' steps that achieve it. Children are OR-alternatives unless routed through an
' explicit "and" interface node (see and1 below).
skinparam monochrome true
skinparam defaultTextAlignment center
' Root nodes
agent "Steal Car" as goalsteal
agent "Disrupt business operations" as goaldisrupt
' Sub goals
agent "Make car unrentable" as goaldos
agent "Rent all car" as goalrentall
goaldisrupt --> goaldos
goaldisrupt --> goalrentall
agent "DoS car rentals" as dosrentals
goaldos --> dosrentals
' Three alternative ways to deny rentals: the cars, the API gateway, the app.
agent "Break Cars" as breakcars
agent "DoS API Gateway" as dosapi
agent "Mess with mobile app" as messmobile
dosrentals --> breakcars
' This is a good opportunity to try refactoring for better view
' Try changing the following ---> to --> and see how it looks
dosrentals ---> dosapi
dosrentals --> messmobile
agent "Crash Mobile App" as crashmobile
messmobile --> crashmobile
agent "Get App Removed from App Store" as removestore
messmobile --> removestore
' API-gateway subtree; "Gain Access to system" is shared with the steal-car
' branch below (gainowner --> gainsysaccess), so it appears once in the graph.
agent "DDoS with many requests" as ddosreq
agent "Screw certificates" as screwcerts
agent "Gain Access to system" as gainsysaccess
dosapi --> ddosreq
dosapi --> screwcerts
dosapi --> gainsysaccess
agent "Steal admin credentials" as stealadmincreds
gainsysaccess --> stealadmincreds
' Placeholder leaf: the workshop did not expand how admin credentials are obtained.
agent "(todo)" as detailsadminscred
stealadmincreds --> detailsadminscred
' "SF Style" branch was left unexplored; the cloud label below looks like a
' placeholder (or a mis-encoded string) rather than a real step -- confirm with the author.
agent "SF Style" as sfstyle
goalsteal --> sfstyle
cloud "**иии**" as cloud1
sfstyle --> cloud1
' AND node: stealing the car requires BOTH unlocking it and starting the engine.
interface "and" as and1
goalsteal --> and1
agent "Unlock Car" as unlockcar
agent "Start Engine" as startengine
and1 --> unlockcar
and1 --> startengine
' Both leaves of the AND reduce to obtaining owner-level access.
agent "Gain Car Owner Access" as gainowner
unlockcar --> gainowner
startengine --> gainowner
agent "Get Owner Credentials" as getocreds
gainowner --> getocreds
gainowner --> gainsysaccess
agent "Steal creds from owner" as stealcreds
getocreds --> stealcreds
agent "Ask nicely" as nicely
getocreds --> nicely
' Credential-theft leaves; the Bluetooth path is enabled by the missing
' transport encryption on the car <-> phone link (see the pytm model's conncar2cadz flow).
agent "Bluetooth snarfing" as snarf
stealcreds --> snarf
agent "Evil Twin" as eviltwin
stealcreds --> eviltwin
agent "Lack of transport crypto" as lackbcrypto
snarf --> lackbcrypto
@enduml
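#!/usr/bin/env python3
"""pytm data-flow model of the car-rental startup (Threat Modeling Workshop).

Every element and ``Dataflow`` constructed below registers itself with pytm;
``tm.process()`` at the end applies pytm's built-in threat rules to the model
and emits whichever report or diagram the command line asks for.

The original workshop model carried the transport ("HTTPS", "HTTP", ...) only
in each flow's human-readable name.  pytm's rule conditions read the
``protocol`` / ``isEncrypted`` attributes of a ``Dataflow``, not its name, so
this version also sets those attributes; otherwise the rules about cleartext
traffic can never match.  (Attribute names are pytm's; confirm against the
installed pytm version if the rules still do not fire.)
"""
from pytm import *

tm = TM("Renting Car Startup Flow Diagram")
tm.description = "This is a threat model made in the Threat Modeling Workshop."

# --- Actors, services and processes ------------------------------------------
owner = Actor("Owner Phone")
customer = Actor("Customer Phone")
ownz = Server("Ownz Mobile")
cadz = Server("Cadz Mobile")
apigw = Server("API Gateway")
auth = Server("Auth")
conncar = SetOfProcesses("Connected Car")
abc = Server("ABC")
api = Server("API")
apiar = Server("API AR")
apiai = Server("API AI")
apiamfm = Server("API AM/FM")
unsure = Process("?")  # component the workshop could not identify
# todo change this for a cloud?
watson = ExternalEntity("Watson")

# --- Data stores -------------------------------------------------------------
flatfile = Datastore("Flatfile radio stations")
carsdb = Datastore("Cars DB")

# --- Trust boundaries --------------------------------------------------------
insidecar = Boundary("Inside the car")
dmz = Boundary("DMZ")
# Left unnamed in the workshop: it renders as an unlabeled boundary. Giving it a
# name (e.g. "Prod") would change the diagram label, so it is kept as-is here.
prod = Boundary(" ")

for element in [conncar, cadz, abc, customer]:
    element.inBoundary = insidecar
apiai.inBoundary = dmz
for element in [apigw, api, apiar, apiamfm, auth, flatfile, carsdb, unsure]:
    element.inBoundary = prod
# owner, ownz and watson are deliberately outside every boundary (the Internet).

# --- Data flows --------------------------------------------------------------
# The third argument is the flow's display name; the transport it names is
# recorded on the flow attributes further down.
owner2ownz = Dataflow(owner, ownz, "Launch")
customer2cadz = Dataflow(customer, cadz, "Launch")
ownz2apigw = Dataflow(ownz, apigw, "HTTPS")
cadz2apigw = Dataflow(cadz, apigw, "HTTPS")
apigw2apiai = Dataflow(apigw, apiai, "HTTP")
apigw2apiamfm = Dataflow(apigw, apiamfm, "SSH")
apigw2apiar = Dataflow(apigw, apiar, "HTTP/2")
apigw2api = Dataflow(apigw, api, "HTTP")
api2carsdb = Dataflow(api, carsdb, " ")
apiaamfm2flatfile = Dataflow(apiamfm, flatfile, " ")
apiai2watson = Dataflow(apiai, watson, " ")
apigw2auth = Dataflow(apigw, auth, "Kerberos")
apiar2unsure = Dataflow(apiar, unsure, " ")
conncar2abc = Dataflow(conncar, abc, " ")
abc2carsdb = Dataflow(abc, carsdb, " ")
conncar2cadz = Dataflow(conncar, cadz, "Bluetooth")

# --- Transport properties the threat rules actually evaluate -----------------
for flow in (ownz2apigw, cadz2apigw):
    flow.protocol = "HTTPS"
    flow.isEncrypted = True
for flow in (apigw2apiai, apigw2api):
    flow.protocol = "HTTP"
    flow.isEncrypted = False  # cleartext between gateway and backend, as labeled
apigw2apiamfm.protocol = "SSH"
apigw2apiamfm.isEncrypted = True
# Whether the HTTP/2 and Kerberos hops run over TLS was not stated in the
# workshop, so their isEncrypted is left at pytm's default.
apigw2apiar.protocol = "HTTP/2"
apigw2auth.protocol = "Kerberos"
# The companion attack tree lists "Lack of transport crypto" on this link.
conncar2cadz.protocol = "Bluetooth"
conncar2cadz.isEncrypted = False

tm.process()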