azurearchitecture / threat-model-templates
Templates for the Microsoft Threat Modeling Tool
License: MIT License
Getting an error when trying to open the template in MS Threat Modelling tool.
Steps to reproduce the behavior:
It is expected that upon selecting the template, it should be loaded on the app and can be used to generate threat models.
Attaching the tmt7.exception.txt file for more information.
Is it possible to get a stencil and threats for Azure Front Door?
Hello,
I'm Using Microsoft Threat Modeling Tool 7.3.20120.2.
When I'm trying to select this template, AzureTemplate.v5.tb7, to create a TM, I'm getting the error below.
Upon verifying the error log, the stack trace is:
Threat Modeling Tool, Assembly version 'TMT7, Version=7.3.20120.2, Culture=neutral, PublicKeyToken=69c3241e6f0468ca', today is 'Wednesday, July 6, 2022 12:50:38 PM'
Exception information: System.InvalidOperationException: There is an error in XML document (0, 0). ---> System.Xml.XmlException: For security reasons DTD is prohibited in this XML document. To enable DTD processing set the DtdProcessing property on XmlReaderSettings to Parse and pass the settings into XmlReader.Create method.
   at System.Xml.XmlTextReaderImpl.Throw(Exception e)
   at System.Xml.XmlTextReaderImpl.ThrowWithoutLineInfo(String res)
   at System.Xml.XmlTextReaderImpl.ParseDoctypeDecl()
   at System.Xml.XmlTextReaderImpl.ParseDocumentContent()
   at System.Xml.XmlTextReaderImpl.Read()
   at System.Xml.XmlReader.MoveToContent()
   at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReaderStandaloneKnowledgeBase.Read22_KnowledgeBase()
   --- End of inner exception stack trace ---
   at System.Xml.Serialization.XmlSerializer.Deserialize(XmlReader xmlReader, String encodingStyle, XmlDeserializationEvents events)
   at ThreatModeling.ExternalStorage.KB.StandaloneKnowledgeBase.InitializeKnowledgeBaseFromDir(String filePath)
   at ThreatModeling.Model.KnowledgeBaseModel.InitializeFromStandaloneKb(String ThreatBaseDir)
   at ThreatModeling.Model.ObjectModel.CreateBase(Boolean openDesignMode, String loadFromFilePath, Boolean browseThreatBase)
   at ThreatModeling.Model.ObjectModel..ctor(String loadFromFilePath, Boolean openDesignMode, Boolean IsThreatBase, Boolean browseThreatBase)
   at ThreatModeling.ViewModel.DashboardViewModel.BrowseThreatBase(String fileName)
   at ThreatModeling.ViewModel.BrowseThreatBaseCommand.OpenFile(String fileName)
   at ThreatModeling.ViewModel.BrowseThreatBaseCommand.ExecuteImp(Object parameter)
   at ThreatModeling.ViewModel.Commands.TrackedCommand.Execute(Object parameter)
Any solution or workaround for this issue?
Thanks
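The exception in the stack trace above is raised because the XML reader refuses any document that carries a DOCTYPE declaration. As an added example that is not part of the original issue or of the tool's code, the Python check below inspects a template file's prolog the same way before it is opened: it stops at the first DOCTYPE or at the root element and never processes a DTD. The expected root name `KnowledgeBase` is an assumption inferred from the serializer method name in the trace, and the sample inputs are constructed.

```python
import xml.parsers.expat

EXPECTED_ROOT = "KnowledgeBase"  # assumption: inferred from Read22_KnowledgeBase in the trace


class _Stop(Exception):
    """Raised from a handler to end parsing as soon as the answer is known."""


def inspect_template(data: bytes) -> dict:
    """Report the DOCTYPE name (if any) and root element without processing a DTD."""
    result = {"doctype": None, "root": None, "well_formed": True}

    def on_doctype(name, system_id, public_id, has_internal_subset):
        result["doctype"] = name
        raise _Stop  # same policy as a reader that prohibits DTDs: reject on sight

    def on_start(name, attrs):
        result["root"] = name
        raise _Stop  # root element reached, nothing more to learn

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except _Stop:
        pass
    except xml.parsers.expat.ExpatError:
        result["well_formed"] = False
    return result


def verdict(data: bytes) -> str:
    info = inspect_template(data)
    if info["doctype"] is not None:
        return f"rejected: DOCTYPE '{info['doctype']}' present"
    if not info["well_formed"]:
        return "rejected: not well-formed XML"
    if info["root"] != EXPECTED_ROOT:
        return f"rejected: unexpected root '{info['root']}'"
    return "ok"


# Constructed sample inputs (not real template content).
GOOD = b'<?xml version="1.0" encoding="utf-8"?>\n<KnowledgeBase><Manifest name="constructed"/></KnowledgeBase>'
WITH_DTD = b'<?xml version="1.0"?>\n<!DOCTYPE KnowledgeBase [<!ELEMENT KnowledgeBase ANY>]>\n<KnowledgeBase/>'
HTML_DOC = b'<!DOCTYPE html>\n<html><head><title>constructed</title></head></html>'

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("with_dtd", WITH_DTD), ("html", HTML_DOC)):
        print(label, "->", verdict(sample))
```

Any DOCTYPE at all, whatever its name, produces the rejection, which matches the behaviour the exception message describes.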
Describe the bug
A threat is something that can go wrong with the current solution. It is something that, if it happened, would have an impact on the system. However, looking at the current interpretation of the Threat concept in these templates, one can see they are a little confusing since they are treated as security controls. Below, I provide more details.
Naming and Describing Threats as Security Controls
Some custom threats included in these templates are written in a way that describes the security control that needs to be put in place, instead of describing the threat.
Example
Expected behavior
Instead of describing directly what mechanism needs to be implemented in the Title and Description, describe what the threat is. The threat would be that someone is able to log in because the application only relies on password authentication. The recommendation to handle that threat would be implementing MFA.
Information Security and Privacy regulation as Threat properties
Information Security and Privacy regulations mandate the inclusion of specific controls across different processes at the organization level. Despite the controls required by regulations, a threat does not necessarily impact them.
Example
Expected behavior
I think Information Security and Privacy Compliance analysis is different from making threat models. I would not merge both worlds, as it could extend the Threat Modelling process too much and wouldn't be useful as a Compliance Assessment in the end.
Be great if this repo also contained a bunch of examples of different Azure scenarios to help with how to create a threat model. For example there's a template for a VPN Gateway and one for MFA but can't work out how to link them.
Describe the bug
Using Azure stencils from AzureTemplate.v5.tb7, when opening a saved diagram an error occurred (screenshot below), preventing the diagram from opening.
To Reproduce
Expected behavior
Diagram should open correctly without error
Desktop (please complete the following information):
Smartphone (please complete the following information):
Windows 11
It would be extremely helpful if the AzureTemplate.v3.tb file in this repo could be stored in the generic microsoft/threat-modeling-templates repo. Currently the microsoft/threat-modeling-templates contains the default template and a more legacy azure template and it would be nice to have a single repo with these templates in them.
Currently I clone the microsoft/threat-modeling-templates repo into the Microsoft Threat Modeling tool's Knowledgebase directory and this provides an easy mechanism to update the model templates. When templates are stored in multiple repos it's more complicated to manage the threat models specific to Azure.