-
-
Notifications
You must be signed in to change notification settings - Fork 364
Threat Model File (TMF) format
Threat Model File (TMF) format has been superseded by the TM-BOM format described in the OWASP Threat Model Library project:
https://github.com/OWASP/www-project-threat-model-library/tree/v1.0.0
https://owasp.org/www-project-threat-model-library
and can now be closed
The Threat Model File (TMF) format is intended to define how to store threat models so that they can be used by many threat modeling tools.
The file format used in Threat Dragon versions 1.x and 2.x are incompatible with other open source Threat Modeling files such as pytm, Threagile and Open Threat Model. It would be good to define a schema that is flexible enough to easily convert from the existing:
- OWASP Threat Dragon versions 1.x and 2.x
- OWASP pytm pythonic threat modeling
- Threagile Agile threat modeling toolkit
- Open Threat Model (OTM)
Referencing DFD3, the elements of a threat model can be categorized :
- An external entity, a person or running code outside the control of the system being modeled
- A process within the control of the system being modeled
- A data store denoting data at rest
- A data flow denoting data in transit
- A trust boundary demarking areas that are trusted more or less
Complex processes are regarded as an attribute of a process.
Text based tools such as pytm (python) and Threagile (yaml) will export the model as a Data Flow Diagram (DFD), so the use of DFD3 to define the fundamental elements of a threat model is valid.
A model consisting of elements can be analyzed to create threat information. Based on pytm and Threagile the categories of the threat information are:
- Questions
- Assumptions
- Risks
The use of DFD3 by TMF requires a 1:1 mapping of the elements in existing tools to the TMF elements. This works both ways - when importing a file into TMF and also when exporting a file from TMF.
| Element | TMF Mapping | Required Attributes | Comments |
|---|---|---|---|
| Process | Process | position, size | |
| Store | Data store | position, size | |
| Actor | External entity | position, size | |
| Data flow | Data flow | source, target, vertices | |
| Trust box | Trust boundary | position, size | |
| Trust curve | Custom. | end points, vertices | can be rendered as a closed box |
| Text | Custom | position | rendering optional in other tools |
| Element | TMF Mapping | Required Attributes | Comments |
|---|---|---|---|
| Server | Custom | position, size, server | render as process in other tools |
| ExternalEntity | External entity | position, size | |
| Dataflow | Data flow | source, target, vertices | |
| Datastore | Data store | position, size | |
| Actor | External entity | position, size | |
| Process | Process | position, size | |
| SetOfProcesses | Process | position, size, system | |
| Boundary | Trust boundary | position, size | |
| Lambda | Custom | position, size, lambda | render as process in other tools |
| Element | TMF Mapping | Required Attributes | Comments |
|---|---|---|---|
| dataflows | Data flow | source, target, vertices | |
| assets | Data store | position, size | |
| External entity | position, size | OTM has no external entities / actors | |
| components | Process | position, size | |
| trustZones | Trust boundary | position, size |
The outcomes/findings from the threat model need to be mapped to a common format. These can be vulnerabilities, threats, remediations, questions, and more
| Finding | TMF Mapping | Required Attributes | Comments |
|---|---|---|---|
| Threat | Finding | ||
| Threat | |||
| TM | |||
| Data |
The metadata is not an essential part of the model but provides for administration. It includes information such as version, title, overview/description, etc
| Metadata | TMF Mapping | Required Attributes | Comments |
|---|---|---|---|
| version | tmfVersion | ||
| summary | Project |
TMF: common threat model file format