Integrate a

• https://en.wikipedia.org/wiki/STRIDE_(security)
• https://web.archive.org/web/20070303103639/http://msdn.microsoft.com/msdnmag/issues/06/11/ThreatModeling/default.aspx

Implement external person.

currently an existing system like "mainframe" is not grey, but blue (because not marked as existing)

So generator must be improved

currently no boundary is rendered.

Generator must be improved

when #9 has been done we need a generator for dedicated output

Network protocols are used to communicate. Each protocol has certain properties. Properties like encrypted and how are of special interest for security practitioners. Allow to model network protocols in general and provide some common protocols and their properties.

Integrate github actions - just do a gradle build to ensure tests work

Also add some tests for example model1

Currently we should do

identifier.getId() ->id_1, id_2 ,...

when identifier has name "Admin of xyz" it would be nice to have an Id like:
"admin_of_xyz_1", "admin_of_xyz_2"

so generated output is much more readable - and maintainable...

There is a need for a github action for releases to upload directly to github packages.
So library parts are available and other projects can just include the jar.

Systems usually offer an interface which allows to access system resources. The exception are "air gaped" systems. Those systems can be attacked using physical attacks. However, "air gaped" systems are less interesting for IT security practitioners trying to secure a system against cyber attacks.

The systems which are interesting are the once allowing remote access, such as via REST API, SOAP or by any other means. Those interfaces can allow attackers access to resources. The question is, what methods are used to prevent the attacker from gaining access (passwords, 2FA etc.). Allow to model interfaces and their properties.

Currently there will be an exception for example1 model. Fix the model and add necessary getters

Draw a DFD diagram for STRIDE. The DFD diagram will be the same as C4 Context, Container… the main difference between C4 and DFD is the notation.

STRIDE requires to know what component is an external entity, data store, data flow and process. This has to be added to the model to draw the DFD diagram.

UNDER CONSTRUCTION:

Stride proposal files (empty) + description asciidoc files having includes

With the information from sttk model, we know which parts of model do correspond to which part of S T R I D E
see https://en.wikipedia.org/wiki/STRIDE_(security)

So we can generate for each of the

• External entity
• Process
• Data flow
• Data storage

dedicated, but empty asciidoc files

Example 1

sttk/common/asciidoc/common_sttk_config.adoc
/sttk/stride/asciidoc/my_webapplication/spoofing.adoc
/sttk/stride/asciidoc/my_webapplication/tampering.adoc
/sttk/stride/asciidoc/my_webapplication/repuiation.adoc
/sttk/stride/asciidoc/my_webapplication/information_disclosure.adoc

Example 2

sttk/stride/threat/spoofing-description.adoc
sttk/stride/threat/tampering-description.adoc
sttk/stride/threat/spoofing/my_webbaplication_integrity.adoc
sttk/stride/threat/tampering/my_webbaplication_authenticity.adoc
...

All of those threat asciidoc files are generated empty - and do also NOT overwrite existing files
so normally ignored by git and also when used as includes inside asciidoc

in sttk_config.adoc all identifiers are available as variables:
sttk_name_my_webapplication="My Webapplication"
sttk_desc_my_webapplication="Description of web application..."
sttk_stride_desc_r_xyz=...default_parts to describe a problem, so reusable...

When developer edits
/sttk/stride/asciidoc/my_webapplication/s.adoc
he/she will be able to write

=== {sttk_name_my_webapplication}
sttk_desc_my_webapplication
sttk_stride_desc_r_xyz

So after a new generation, all files are available.

We need a stride.adoc file which is generated and includes all files from sttk/stride/asciidoc subfolders
(when empty they will be ignored by asciidoc)