Threat modeling-as-a-Code in a Tick (TicTaaC) Lightweight and easy-to-use Threat modeling solution following DevSecOps principles

Preface

"At one point, a customer requested that we conduct threat modeling for our product. While we were familiar with the concept—having heard about it extensively from various teams—I found the available resources, such as articles and books, to be overly abstract and lacking in practical clarity. When we explored several enterprise-level solutions that purported to assist with threat modeling, we realized they were designed to support comprehensive security programs. However, our goal was far more focused: we simply wanted to generate a prioritized list of threats specific to our product so we could incorporate them into our security backlog. Nothing more, nothing less."

Anonymous Developer

Idea

The concept behind this product is straightforward: I aim to create a simple yet effective solution to address a complex problem. Ideally, it should work with a single click or command, while also offering the flexibility to integrate seamlessly into a pipeline for continuous use, if necessary. Drawing inspiration from the architecture and simplicity of dependency-check tools—and recognizing that developers have a strong preference for mapping everything in code—I developed "TicTaaC", which stands for "Threat modeling-as-a-Code in a Tick"

Usage

All the tool is needed is a data flow code file described in the yml-like format specially designed for this. The examples of these files with verbose comments describing every aspect may be found here.

Command Line

More detailed instructions can be found on the github wiki. The latest CLI can be downloaded from github in the releases section. On *nix:

$ ./bin/tic-taac.sh -h
$ ./bin/tic-taac.sh --out . --threatModel [path to threat model file(s) or folder to scan]

On Windows:

> .\bin\tic-taac.bat -h
> .\bin\tic-taac.bat --out . --threatModel [path to threat model file(s) or folder to scan]

Docker

See TicTaaC Docker Hub repository.

Quickstart on Windows:

> docker run --volume /D/threat-model:/threat-model --volume /D/report:/report rusakovichma/tic-taac:latest --threatModel /threat-model/ --out /report

*nix script:

#!/bin/sh

TT_VERSION="latest"
THREAT_MODEL_DIR=$HOME/threat-model

# Make sure we are using the latest version
docker pull rusakovichma/tic-taac:$TT_VERSION

docker run --rm \
    -e user=$USER \
    -u $(id -u ${USER}):$(id -g ${USER}) \
    --volume $THREAT_MODEL_DIR:/threat-model:z \
    --volume $(pwd)/report:/report:z \
    rusakovichma/tic-taac:$TT_VERSION \
    --threatModel /threat-model \
    --outFormat html \
    --out /report
    # Set mitigation strategy for the corresponding threats
    # see https://github.com/rusakovichma/TicTaaC/blob/master/expl/mitigations.yml 
    # --mitigations /threat-model/mitigations.yml 
    # or set the folder where scan the mitigations files: --mitigations /mitigations

Jenkins pipeline

For TicTaaC usage at Jenkins pipeline, see Jenkinsfile example.

Data Flows Examples

Generated report example

Threat Modeling Report Example

Features

[x] Automatic Data Flow generation in a report
[x] Ideal for Security Teams - it has flexible Threats Library logic customization in a separate file with special expression language support
[x] Suitable for CICD pipeline integration
[X] Setting Quality Gate that can block the product release in case if unmitigated threats are presented
[x] No required additional dependencies
[x] Special lightweight and easy-to-understand format for data flows description
[x] Automatic Threats Attack Vector & Risk Score calculation based on the data flow context
[x] Threats classification by OWASP Top 10 and Microsoft STRIDE
[x] Setting Threats mitigation strategy in one place
[x] Reporting in html or json format

License

Licensed under the Apache License version 2.0

TicTaaC

Install / Use

README