From 1f59f8756e2f1283b5611ca84aa091b151d865b7 Mon Sep 17 00:00:00 2001
From: Joerg Reichelt
Date: Tue, 20 Feb 2024 02:56:17 -0800
Subject: [PATCH] removed temp files
---
parsed-model.json | 5158 ---------------------------------------------
parsed-model.yaml | 4331 -------------------------------------
2 files changed, 9489 deletions(-)
delete mode 100644 parsed-model.json
delete mode 100644 parsed-model.yaml
diff --git a/parsed-model.json b/parsed-model.json
deleted file mode 100644
index c1544615..00000000
--- a/parsed-model.json
+++ /dev/null
@@ -1,5158 +0,0 @@ -{ - "threagile_version": "1.0.0", - "title": "Some Example Application", - "author": { - "name": "John Doe", - "homepage": "www.example.com" - }, - "date": "2020-07-01", - "application_description": {}, - "business_overview": { - "description": "Some more \u003ci\u003edemo text\u003c/i\u003e here and even images..." - }, - "technical_overview": { - "description": "Some more \u003ci\u003edemo text\u003c/i\u003e here and even images..." - }, - "business_criticality": "important", - "management_summary_comment": "Just some \u003cb\u003emore\u003c/b\u003e custom summary possible here...\n", - "security_requirements": { - "EU-DSGVO": "Mandatory EU-Datenschutzgrundverordnung", - "Input Validation": "Strict input validation is required to reduce the overall attack surface.", - "Securing Administrative Access": "Administrative access must be secured with strong encryption and multi-factor authentication." - }, - "questions": { - "How are the admin clients managed/protected against compromise?": "", - "How are the build pipeline components managed/protected against compromise?": "Managed by XYZ\n", - "How are the development clients managed/protected against compromise?": "Managed by XYZ\n" - }, - "abuse_cases": { - "CPU-Cycle Theft": "As a hacker I want to steal CPU cycles in order to transform them into money via installed crypto currency miners.\n", - "Contract Filesystem Compromise": "As a hacker I want to access the filesystem storing the contract PDFs in order to steal/modify contract data.\n", - "Cross-Site Scripting Attacks": "As a hacker I want to execute Cross-Site Scripting (XSS) and similar attacks in order to takeover victim sessions and cause reputational damage.\n", - "Database Compromise": "As a hacker I want to access the database backend of the ERP-System in order to steal/modify sensitive business data.\n", - "Denial-of-Service": "As a hacker I want to disturb the functionality of the backend system in order to cause indirect financial 
damage via unusable features.\n", - "Denial-of-Service of ERP/DB Functionality": "As a hacker I want to disturb the functionality of the ERP system and/or it's database in order to cause indirect financial damage via unusable internal ERP features (not related to customer portal).\n", - "Denial-of-Service of End-User Functionality": "As a hacker I want to disturb the functionality of the end-user parts of the application in order to cause direct financial damage (lower sales).\n", - "ERP-System Compromise": "As a hacker I want to access the ERP-System in order to steal/modify sensitive business data.\n", - "Identity Theft": "As a hacker I want to steal identity data in order to reuse credentials and/or keys on other targets of the same company or outside.\n", - "PII Theft": "As a hacker I want to steal PII (Personally Identifiable Information) data in order to blackmail the company and/or damage their repudiation by publishing them.\n", - "Ransomware": "As a hacker I want to encrypt the storage and file systems in order to demand ransom.\n" - }, - "tags_available": [ - "linux", - "apache", - "mysql", - "jboss", - "keycloak", - "jenkins", - "git", - "oracle", - "some-erp", - "vmware", - "aws", - "aws:ec2", - "aws:s3" - ], - "data_assets": { - "build-job-config": { - "id": "build-job-config", - "title": "Build Job Config", - "description": "Data for customizing of the build job system.", - "usage": "devops", - "origin": "Company XYZ", - "owner": "Company XYZ", - "confidentiality": "restricted", - "integrity": "critical", - "availability": "operational", - "justification_cia_rating": "Data for customizing of the build job system.\n" - }, - "client-application-code": { - "id": "client-application-code", - "title": "Client Application Code", - "description": "Angular and other client-side code delivered by the application.", - "usage": "devops", - "origin": "Company ABC", - "owner": "Company ABC", - "integrity": "critical", - "availability": "important", - 
"justification_cia_rating": "The integrity of the public data is critical to avoid reputational damage and the availability is important on the long-term scale (but not critical) to keep the growth rate of the customer base steady.\n" - }, - "contract-summaries": { - "id": "contract-summaries", - "title": "Customer Contract Summaries", - "description": "Customer Contract Summaries", - "origin": "Customer", - "owner": "Company XYZ", - "confidentiality": "restricted", - "integrity": "operational", - "availability": "operational", - "justification_cia_rating": "Just some summaries.\n" - }, - "customer-accounts": { - "id": "customer-accounts", - "title": "Customer Accounts", - "description": "Customer Accounts (including transient credentials when entered for checking them)", - "origin": "Customer", - "owner": "Company XYZ", - "quantity": "many", - "confidentiality": "strictly-confidential", - "integrity": "critical", - "availability": "critical", - "justification_cia_rating": "Customer account data for using the portal are required to be available to offer the portal functionality.\n" - }, - "customer-contracts": { - "id": "customer-contracts", - "title": "Customer Contracts", - "description": "Customer Contracts (PDF)", - "origin": "Customer", - "owner": "Company XYZ", - "quantity": "many", - "confidentiality": "confidential", - "integrity": "critical", - "availability": "operational", - "justification_cia_rating": "Contract data might contain financial data as well as personally identifiable information (PII). 
The integrity and availability of contract data is required for clearing payment disputes.\n" - }, - "customer-operational-data": { - "id": "customer-operational-data", - "title": "Customer Operational Data", - "description": "Customer Operational Data", - "origin": "Customer", - "owner": "Company XYZ", - "quantity": "many", - "confidentiality": "confidential", - "integrity": "critical", - "availability": "critical", - "justification_cia_rating": "Customer operational data for using the portal are required to be available to offer the portal functionality and are used in the backend transactions.\n" - }, - "db-dumps": { - "id": "db-dumps", - "title": "Database Customizing and Dumps", - "description": "Data for customizing of the DB system, which might include full database dumps.", - "usage": "devops", - "tags": [ - "oracle" - ], - "origin": "Company XYZ", - "owner": "Company XYZ", - "confidentiality": "strictly-confidential", - "integrity": "critical", - "availability": "critical", - "justification_cia_rating": "Data for customizing of the DB system, which might include full database dumps.\n" - }, - "erp-customizing": { - "id": "erp-customizing", - "title": "ERP Customizing Data", - "description": "Data for customizing of the ERP system.", - "usage": "devops", - "origin": "Company XYZ", - "owner": "Company XYZ", - "confidentiality": "confidential", - "integrity": "critical", - "availability": "critical", - "justification_cia_rating": "Data for customizing of the ERP system.\n" - }, - "erp-logs": { - "id": "erp-logs", - "title": "ERP Logs", - "description": "Logs generated by the ERP system.", - "usage": "devops", - "origin": "Company XYZ", - "owner": "Company XYZ", - "quantity": "many", - "confidentiality": "restricted", - "justification_cia_rating": "Logs should not contain PII data and are only required for failure analysis, i.e. 
they are not considered as hard transactional logs.\n" - }, - "internal-business-data": { - "id": "internal-business-data", - "title": "Some Internal Business Data", - "description": "Internal business data of the ERP system used unrelated to the customer-facing processes.", - "origin": "Company XYZ", - "owner": "Company XYZ", - "quantity": "few", - "confidentiality": "strictly-confidential", - "integrity": "critical", - "availability": "critical", - "justification_cia_rating": "Data used and/or generated during unrelated other usecases of the ERP-system (when used also by Company XYZ for internal non-customer-portal-related stuff).\n" - }, - "marketing-material": { - "id": "marketing-material", - "title": "Marketing Material", - "description": "Website and marketing data to inform potential customers and generate new leads.", - "usage": "devops", - "origin": "Company ABC", - "owner": "Company ABC", - "integrity": "important", - "availability": "important", - "justification_cia_rating": "The integrity of the public data is critical to avoid reputational damage and the availability is important on the long-term scale (but not critical) to keep the growth rate of the customer base steady.\n" - }, - "server-application-code": { - "id": "server-application-code", - "title": "Server Application Code", - "description": "API and other server-side code of the application.", - "usage": "devops", - "origin": "Company ABC", - "owner": "Company ABC", - "confidentiality": "internal", - "integrity": "mission-critical", - "availability": "important", - "justification_cia_rating": "The integrity of the API code is critical to avoid reputational damage and the availability is important on the long-term scale (but not critical) to keep the growth rate of the customer base steady.\n" - } - }, - "technical_assets": { - "apache-webserver": { - "id": "apache-webserver", - "title": "Apache Webserver", - "description": "Apache Webserver hosting the API code and client-side code", - 
"type": "process", - "size": "application", - "technology": "web-server", - "machine": "container", - "custom_developed_parts": true, - "owner": "Company ABC", - "confidentiality": "strictly-confidential", - "integrity": "mission-critical", - "availability": "critical", - "justification_cia_rating": "The correct configuration and reachability of the web server is mandatory for all customer usages of the portal.\n", - "tags": [ - "linux", - "apache", - "aws:ec2" - ], - "data_assets_processed": [ - "client-application-code", - "server-application-code", - "customer-accounts", - "customer-operational-data", - "customer-contracts", - "internal-business-data" - ], - "data_assets_stored": [ - "client-application-code", - "server-application-code" - ], - "data_formats_accepted": [ - "json", - "file" - ], - "communication_links": [ - { - "id": "apache-webserver\u003eerp-system-traffic", - "source_id": "apache-webserver", - "target_id": "erp-system", - "title": "ERP System Traffic", - "description": "Link to the ERP system", - "protocol": "https", - "authentication": "token", - "authorization": "technical-user", - "data_assets_sent": [ - "customer-accounts", - "customer-operational-data", - "internal-business-data" - ], - "data_assets_received": [ - "customer-accounts", - "customer-operational-data", - "customer-contracts", - "internal-business-data" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - }, - { - "id": "apache-webserver\u003eauth-credential-check-traffic", - "source_id": "apache-webserver", - "target_id": "identity-provider", - "title": "Auth Credential Check Traffic", - "description": "Link to the identity provider server", - "protocol": "https", - "authentication": "credentials", - "authorization": "technical-user", - "data_assets_sent": [ - "customer-accounts" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - } - ], - "raa": 60.6120919375654 - }, - "backend-admin-client": { - "id": "backend-admin-client", - "title": 
"Backend Admin Client", - "description": "Backend admin client", - "usage": "devops", - "size": "component", - "technology": "browser", - "out_of_scope": true, - "used_as_client_by_human": true, - "justification_out_of_scope": "Owned and managed by ops provider", - "owner": "Company XYZ", - "confidentiality": "strictly-confidential", - "integrity": "critical", - "availability": "critical", - "justification_cia_rating": "The client used by Company XYZ to administer the system.\n", - "data_assets_processed": [ - "erp-logs", - "erp-customizing", - "db-dumps", - "customer-accounts", - "customer-operational-data" - ], - "communication_links": [ - { - "id": "backend-admin-client\u003eerp-web-access", - "source_id": "backend-admin-client", - "target_id": "erp-system", - "title": "ERP Web Access", - "description": "Link to the ERP system (Web)", - "protocol": "https", - "authentication": "token", - "authorization": "technical-user", - "usage": "devops", - "data_assets_sent": [ - "erp-customizing" - ], - "data_assets_received": [ - "erp-logs" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - }, - { - "id": "backend-admin-client\u003edb-update-access", - "source_id": "backend-admin-client", - "target_id": "sql-database", - "title": "DB Update Access", - "description": "Link to the database (JDBC tunneled via SSH)", - "protocol": "ssh", - "authentication": "client-certificate", - "authorization": "technical-user", - "usage": "devops", - "data_assets_sent": [ - "db-dumps" - ], - "data_assets_received": [ - "db-dumps", - "erp-logs", - "customer-accounts", - "customer-operational-data" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - }, - { - "id": "backend-admin-client\u003euser-management-access", - "source_id": "backend-admin-client", - "target_id": "ldap-auth-server", - "title": "User Management Access", - "description": "Link to the LDAP auth server for managing users", - "protocol": "ldaps", - "authentication": "credentials", - 
"authorization": "technical-user", - "usage": "devops", - "data_assets_sent": [ - "customer-accounts" - ], - "data_assets_received": [ - "customer-accounts" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - } - ], - "raa": 1 - }, - "backoffice-client": { - "id": "backoffice-client", - "title": "Backoffice Client", - "description": "Backoffice client", - "size": "component", - "technology": "desktop", - "out_of_scope": true, - "used_as_client_by_human": true, - "justification_out_of_scope": "Owned and managed by Company XYZ company", - "owner": "Company XYZ", - "confidentiality": "strictly-confidential", - "integrity": "critical", - "availability": "critical", - "justification_cia_rating": "The client used by Company XYZ to administer and use the system.\n", - "data_assets_processed": [ - "customer-contracts", - "internal-business-data", - "erp-logs", - "marketing-material" - ], - "communication_links": [ - { - "id": "backoffice-client\u003emarketing-cms-editing", - "source_id": "backoffice-client", - "target_id": "marketing-cms", - "title": "Marketing CMS Editing", - "description": "Link to the CMS for editing content", - "protocol": "https", - "vpn": true, - "authentication": "token", - "authorization": "end-user-identity-propagation", - "data_assets_sent": [ - "marketing-material" - ], - "data_assets_received": [ - "marketing-material" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - }, - { - "id": "backoffice-client\u003eerp-internal-access", - "source_id": "backoffice-client", - "target_id": "erp-system", - "title": "ERP Internal Access", - "description": "Link to the ERP system", - "protocol": "https", - "tags": [ - "some-erp" - ], - "vpn": true, - "authentication": "token", - "authorization": "end-user-identity-propagation", - "data_assets_sent": [ - "internal-business-data" - ], - "data_assets_received": [ - "customer-contracts", - "internal-business-data" - ], - "diagram_tweak_weight": 1, - 
"diagram_tweak_constraint": true - } - ], - "raa": 1 - }, - "contract-file-server": { - "id": "contract-file-server", - "title": "Contract Fileserver", - "description": "NFS Filesystem for storing the contract PDFs", - "type": "datastore", - "size": "component", - "technology": "file-server", - "machine": "virtual", - "owner": "Company ABC", - "confidentiality": "confidential", - "integrity": "critical", - "availability": "important", - "justification_cia_rating": "Contract data might contain financial data as well as personally identifiable information (PII). The integrity and availability of contract data is required for clearing payment disputes. The filesystem is also required to be available for storing new contracts of freshly generated customers.\n", - "tags": [ - "linux", - "aws:s3" - ], - "data_assets_processed": [ - "customer-contracts", - "contract-summaries" - ], - "data_assets_stored": [ - "customer-contracts", - "contract-summaries" - ], - "data_formats_accepted": [ - "file" - ], - "raa": 33.2657200811359 - }, - "customer-client": { - "id": "customer-client", - "title": "Customer Web Client", - "description": "Customer Web Client", - "size": "component", - "technology": "browser", - "internet": true, - "out_of_scope": true, - "used_as_client_by_human": true, - "justification_out_of_scope": "Owned and managed by end-user customer", - "owner": "Customer", - "confidentiality": "strictly-confidential", - "integrity": "critical", - "availability": "critical", - "justification_cia_rating": "The client used by the customer to access the system.\n", - "data_assets_processed": [ - "customer-accounts", - "customer-operational-data", - "customer-contracts", - "client-application-code", - "marketing-material" - ], - "communication_links": [ - { - "id": "customer-client\u003ecustomer-traffic", - "source_id": "customer-client", - "target_id": "load-balancer", - "title": "Customer Traffic", - "description": "Link to the load balancer", - "protocol": "https", - 
"authentication": "session-id", - "authorization": "end-user-identity-propagation", - "data_assets_sent": [ - "customer-accounts", - "customer-operational-data" - ], - "data_assets_received": [ - "customer-accounts", - "customer-operational-data", - "customer-contracts", - "client-application-code", - "marketing-material" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - } - ], - "raa": 1 - }, - "erp-system": { - "id": "erp-system", - "title": "Backoffice ERP System", - "description": "ERP system", - "type": "process", - "technology": "erp", - "machine": "virtual", - "redundant": true, - "owner": "Company ABC", - "confidentiality": "strictly-confidential", - "integrity": "mission-critical", - "availability": "mission-critical", - "justification_cia_rating": "The ERP system contains business-relevant sensitive data for the leasing processes and eventually also for other Company XYZ internal processes.\n", - "tags": [ - "linux" - ], - "data_assets_processed": [ - "erp-logs", - "customer-accounts", - "customer-operational-data", - "customer-contracts", - "internal-business-data", - "erp-customizing" - ], - "data_assets_stored": [ - "erp-logs" - ], - "data_formats_accepted": [ - "xml", - "file", - "serialization" - ], - "communication_links": [ - { - "id": "erp-system\u003edatabase-traffic", - "source_id": "erp-system", - "target_id": "sql-database", - "title": "Database Traffic", - "description": "Link to the DB system", - "protocol": "jdbc", - "authentication": "credentials", - "authorization": "technical-user", - "data_assets_sent": [ - "customer-accounts", - "customer-operational-data", - "internal-business-data" - ], - "data_assets_received": [ - "customer-accounts", - "customer-operational-data", - "internal-business-data" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - }, - { - "id": "erp-system\u003enfs-filesystem-access", - "source_id": "erp-system", - "target_id": "contract-file-server", - "title": "NFS Filesystem 
Access", - "description": "Link to the file system", - "protocol": "nfs", - "data_assets_sent": [ - "customer-contracts" - ], - "data_assets_received": [ - "customer-contracts" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - } - ], - "raa": 62.062039616154216 - }, - "external-dev-client": { - "id": "external-dev-client", - "title": "External Development Client", - "description": "External developer client", - "usage": "devops", - "technology": "devops-client", - "internet": true, - "multi_tenant": true, - "out_of_scope": true, - "used_as_client_by_human": true, - "justification_out_of_scope": "Owned and managed by external developers", - "owner": "External Developers", - "confidentiality": "confidential", - "integrity": "mission-critical", - "availability": "important", - "justification_cia_rating": "The clients used by external developers to create parts of the application code.\n", - "tags": [ - "linux" - ], - "data_assets_processed": [ - "client-application-code", - "server-application-code", - "build-job-config" - ], - "data_assets_stored": [ - "client-application-code", - "server-application-code" - ], - "data_formats_accepted": [ - "file" - ], - "communication_links": [ - { - "id": "external-dev-client\u003egit-repo-code-write-access", - "source_id": "external-dev-client", - "target_id": "git-repo", - "title": "Git-Repo Code Write Access", - "description": "Link to the Git repo", - "protocol": "ssh", - "authentication": "client-certificate", - "authorization": "technical-user", - "usage": "devops", - "data_assets_sent": [ - "client-application-code", - "server-application-code" - ], - "data_assets_received": [ - "client-application-code", - "server-application-code" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - }, - { - "id": "external-dev-client\u003egit-repo-web-ui-access", - "source_id": "external-dev-client", - "target_id": "git-repo", - "title": "Git-Repo Web-UI Access", - "description": "Link to the Git 
repo", - "protocol": "https", - "authentication": "token", - "authorization": "technical-user", - "usage": "devops", - "data_assets_sent": [ - "client-application-code", - "server-application-code" - ], - "data_assets_received": [ - "client-application-code", - "server-application-code" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - }, - { - "id": "external-dev-client\u003ejenkins-web-ui-access", - "source_id": "external-dev-client", - "target_id": "jenkins-build-server", - "title": "Jenkins Web-UI Access", - "description": "Link to the Jenkins build server", - "protocol": "https", - "authentication": "credentials", - "authorization": "technical-user", - "usage": "devops", - "data_assets_sent": [ - "build-job-config" - ], - "data_assets_received": [ - "build-job-config" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - } - ], - "raa": 1 - }, - "git-repo": { - "id": "git-repo", - "title": "Git Repository", - "description": "Git repository server", - "usage": "devops", - "type": "process", - "technology": "sourcecode-repository", - "machine": "virtual", - "multi_tenant": true, - "owner": "Company ABC", - "confidentiality": "confidential", - "integrity": "mission-critical", - "availability": "important", - "justification_cia_rating": "The code repo pipeline might contain sensitive configuration values like backend credentials, certificates etc. 
and is therefore rated as confidential.\n", - "tags": [ - "linux", - "git" - ], - "data_assets_processed": [ - "client-application-code", - "server-application-code" - ], - "data_assets_stored": [ - "client-application-code", - "server-application-code" - ], - "data_formats_accepted": [ - "file" - ], - "raa": 31.49087221095335 - }, - "identity-provider": { - "id": "identity-provider", - "title": "Identity Provider", - "description": "Identity provider server", - "type": "process", - "size": "component", - "technology": "identity-provider", - "machine": "virtual", - "owner": "Company ABC", - "confidentiality": "strictly-confidential", - "integrity": "critical", - "availability": "critical", - "justification_cia_rating": "The auth data of the application\n", - "tags": [ - "linux", - "jboss", - "keycloak" - ], - "data_assets_processed": [ - "customer-accounts" - ], - "communication_links": [ - { - "id": "identity-provider\u003eldap-credential-check-traffic", - "source_id": "identity-provider", - "target_id": "ldap-auth-server", - "title": "LDAP Credential Check Traffic", - "description": "Link to the LDAP server", - "protocol": "ldaps", - "authentication": "credentials", - "authorization": "technical-user", - "data_assets_sent": [ - "customer-accounts" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - } - ], - "raa": 40.999362954246536 - }, - "jenkins-build-server": { - "id": "jenkins-build-server", - "title": "Jenkins Buildserver", - "description": "Jenkins build-server", - "usage": "devops", - "type": "process", - "technology": "build-pipeline", - "machine": "virtual", - "multi_tenant": true, - "owner": "Company ABC", - "confidentiality": "confidential", - "integrity": "mission-critical", - "availability": "important", - "justification_cia_rating": "The build pipeline might contain sensitive configuration values like backend credentials, certificates etc. and is therefore rated as confidential. 
The integrity and availability is rated as critical and important due to the risk of reputation damage and application update unavailability when the build pipeline is compromised.\n", - "tags": [ - "linux", - "jenkins" - ], - "data_assets_processed": [ - "build-job-config", - "client-application-code", - "server-application-code", - "marketing-material" - ], - "data_assets_stored": [ - "build-job-config", - "client-application-code", - "server-application-code", - "marketing-material" - ], - "data_formats_accepted": [ - "file", - "serialization" - ], - "communication_links": [ - { - "id": "jenkins-build-server\u003egit-repo-code-read-access", - "source_id": "jenkins-build-server", - "target_id": "git-repo", - "title": "Git Repo Code Read Access", - "description": "Link to the Git repository server", - "protocol": "ssh", - "readonly": true, - "authentication": "client-certificate", - "authorization": "technical-user", - "usage": "devops", - "data_assets_received": [ - "client-application-code", - "server-application-code" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - }, - { - "id": "jenkins-build-server\u003eapplication-deployment", - "source_id": "jenkins-build-server", - "target_id": "apache-webserver", - "title": "Application Deployment", - "description": "Link to the Apache webserver", - "protocol": "ssh", - "authentication": "client-certificate", - "authorization": "technical-user", - "usage": "devops", - "data_assets_sent": [ - "client-application-code", - "server-application-code" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - }, - { - "id": "jenkins-build-server\u003ecms-updates", - "source_id": "jenkins-build-server", - "target_id": "marketing-cms", - "title": "CMS Updates", - "description": "Link to the CMS", - "protocol": "ssh", - "authentication": "client-certificate", - "authorization": "technical-user", - "usage": "devops", - "data_assets_sent": [ - "marketing-material" - ], - "diagram_tweak_weight": 1, 
- "diagram_tweak_constraint": true - } - ], - "raa": 60.099849550227866 - }, - "ldap-auth-server": { - "id": "ldap-auth-server", - "title": "LDAP Auth Server", - "description": "LDAP authentication server", - "type": "datastore", - "size": "component", - "technology": "identity-store-ldap", - "encryption": "transparent", - "owner": "Company ABC", - "confidentiality": "strictly-confidential", - "integrity": "critical", - "availability": "critical", - "justification_cia_rating": "The auth data of the application\n", - "tags": [ - "linux" - ], - "data_assets_processed": [ - "customer-accounts" - ], - "data_assets_stored": [ - "customer-accounts" - ], - "raa": 51.34381338742393 - }, - "load-balancer": { - "id": "load-balancer", - "title": "Load Balancer", - "description": "Load Balancer (HA-Proxy)", - "type": "process", - "size": "component", - "technology": "load-balancer", - "owner": "Company ABC", - "confidentiality": "strictly-confidential", - "integrity": "mission-critical", - "availability": "mission-critical", - "justification_cia_rating": "The correct configuration and reachability of the load balancer is mandatory for all customer and Company XYZ usages of the portal and ERP system.\n", - "data_assets_processed": [ - "customer-accounts", - "customer-operational-data", - "customer-contracts", - "internal-business-data", - "client-application-code", - "marketing-material" - ], - "communication_links": [ - { - "id": "load-balancer\u003eweb-application-traffic", - "source_id": "load-balancer", - "target_id": "apache-webserver", - "title": "Web Application Traffic", - "description": "Link to the web server", - "protocol": "http", - "authentication": "session-id", - "authorization": "end-user-identity-propagation", - "data_assets_sent": [ - "customer-accounts", - "customer-operational-data" - ], - "data_assets_received": [ - "customer-accounts", - "customer-operational-data", - "customer-contracts", - "client-application-code" - ], - "diagram_tweak_weight": 1, - 
"diagram_tweak_constraint": true - }, - { - "id": "load-balancer\u003ecms-content-traffic", - "source_id": "load-balancer", - "target_id": "marketing-cms", - "title": "CMS Content Traffic", - "description": "Link to the CMS server", - "protocol": "http", - "readonly": true, - "data_assets_received": [ - "marketing-material" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - } - ], - "raa": 9.952491809545325 - }, - "marketing-cms": { - "id": "marketing-cms", - "title": "Marketing CMS", - "description": "CMS for the marketing content", - "type": "process", - "size": "application", - "technology": "cms", - "machine": "container", - "custom_developed_parts": true, - "owner": "Company ABC", - "confidentiality": "strictly-confidential", - "integrity": "critical", - "availability": "critical", - "justification_cia_rating": "The correct configuration and reachability of the web server is mandatory for all customer usages of the portal.\n", - "tags": [ - "linux" - ], - "data_assets_processed": [ - "marketing-material", - "customer-accounts" - ], - "data_assets_stored": [ - "marketing-material" - ], - "communication_links": [ - { - "id": "marketing-cms\u003eauth-traffic", - "source_id": "marketing-cms", - "target_id": "ldap-auth-server", - "title": "Auth Traffic", - "description": "Link to the LDAP auth server", - "protocol": "ldap", - "readonly": true, - "authentication": "credentials", - "authorization": "technical-user", - "data_assets_sent": [ - "customer-accounts" - ], - "data_assets_received": [ - "customer-accounts" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - } - ], - "raa": 22.55383688062901 - }, - "sql-database": { - "id": "sql-database", - "title": "Customer Contract Database", - "description": "The database behind the ERP system", - "type": "datastore", - "size": "component", - "technology": "database", - "machine": "virtual", - "encryption": "data-with-symmetric-shared-key", - "owner": "Company ABC", - 
"confidentiality": "strictly-confidential", - "integrity": "mission-critical", - "availability": "mission-critical", - "justification_cia_rating": "The ERP system's database contains business-relevant sensitive data for the leasing processes and eventually also for other Company XYZ internal processes.\n", - "tags": [ - "linux", - "mysql" - ], - "data_assets_processed": [ - "customer-accounts", - "customer-operational-data", - "internal-business-data", - "db-dumps", - "erp-logs" - ], - "data_assets_stored": [ - "customer-accounts", - "customer-operational-data", - "internal-business-data" - ], - "raa": 100 - } - }, - "trust_boundaries": { - "application-network": { - "id": "application-network", - "title": "Application Network", - "description": "Application Network", - "type": "network-cloud-provider", - "tags": [ - "aws" - ], - "technical_assets_inside": [ - "load-balancer" - ], - "trust_boundaries_nested": [ - "web-dmz", - "erp-dmz", - "auth-env" - ] - }, - "auth-env": { - "id": "auth-env", - "title": "Auth Handling Environment", - "description": "Auth Handling Environment", - "type": "execution-environment", - "technical_assets_inside": [ - "identity-provider", - "ldap-auth-server" - ] - }, - "dev-network": { - "id": "dev-network", - "title": "Dev Network", - "description": "Development Network", - "technical_assets_inside": [ - "jenkins-build-server", - "git-repo", - "backend-admin-client", - "backoffice-client" - ] - }, - "erp-dmz": { - "id": "erp-dmz", - "title": "ERP DMZ", - "description": "ERP DMZ", - "type": "network-cloud-security-group", - "tags": [ - "some-erp" - ], - "technical_assets_inside": [ - "erp-system", - "contract-file-server", - "sql-database" - ] - }, - "web-dmz": { - "id": "web-dmz", - "title": "Web DMZ", - "description": "Web DMZ", - "type": "network-cloud-security-group", - "technical_assets_inside": [ - "apache-webserver", - "marketing-cms" - ] - } - }, - "shared_runtimes": { - "webapp-virtualization": { - "id": "webapp-virtualization", 
- "title": "WebApp and Backoffice Virtualization", - "description": "WebApp Virtualization", - "tags": [ - "vmware" - ], - "technical_assets_running": [ - "apache-webserver", - "marketing-cms", - "erp-system", - "contract-file-server", - "sql-database" - ] - } - }, - "individual_risk_categories": { - "something-strange": { - "id": "something-strange", - "title": "Some Individual Risk Example", - "description": "Some text describing the risk category...", - "impact": "Some text describing the impact...", - "asvs": "V0 - Something Strange", - "cheat_sheet": "https://example.com", - "action": "Some text describing the action...", - "mitigation": "Some text describing the mitigation...", - "check": "Check if XYZ...", - "detection_logic": "Some text describing the detection logic...", - "risk_assessment": "Some text describing the risk assessment...", - "false_positives": "Some text describing the most common types of false positives...", - "stride": "repudiation", - "cwe": 693 - } - }, - "built_in_risk_categories": { - "accidental-secret-leak": { - "id": "accidental-secret-leak", - "title": "Accidental Secret Leak", - "description": "Sourcecode repositories (including their histories) as well as artifact registries can accidentally contain secrets like checked-in or packaged-in passwords, API tokens, certificates, crypto keys, etc.", - "impact": "If this risk is unmitigated, attackers which have access to affected sourcecode repositories or artifact registries might find secrets accidentally checked-in.", - "asvs": "V14 - Configuration Verification Requirements", - "cheat_sheet": "https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html", - "action": "Build Pipeline Hardening", - "mitigation": "Establish measures preventing accidental check-in or package-in of secrets into sourcecode repositories and artifact registries. This starts by using good .gitignore and .dockerignore files, but does not stop there. 
See for example tools like \u003ci\u003e\"git-secrets\" or \"Talisman\"\u003c/i\u003e to have check-in preventive measures for secrets. Consider also to regularly scan your repositories for secrets accidentally checked-in using scanning tools like \u003ci\u003e\"gitleaks\" or \"gitrob\"\u003c/i\u003e.", - "check": "Are recommendations from the linked cheat sheet and referenced ASVS chapter applied?", - "detection_logic": "In-scope sourcecode repositories and artifact registries.", - "risk_assessment": "The risk rating depends on the sensitivity of the technical asset itself and of the data assets processed.", - "false_positives": "Usually no false positives.", - "function": "operations", - "stride": "information-disclosure", - "cwe": 200 - }, - "code-backdooring": { - "id": "code-backdooring", - "title": "Code Backdooring", - "description": "For each build-pipeline component Code Backdooring risks might arise where attackers compromise the build-pipeline in order to let backdoored artifacts be shipped into production. 
Aside from direct code backdooring this includes backdooring of dependencies and even of more lower-level build infrastructure, like backdooring compilers (similar to what the XcodeGhost malware did) or dependencies.", - "impact": "If this risk remains unmitigated, attackers might be able to execute code on and completely takeover production environments.", - "asvs": "V10 - Malicious Code Verification Requirements", - "cheat_sheet": "https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html", - "action": "Build Pipeline Hardening", - "mitigation": "Reduce the attack surface of backdooring the build pipeline by not directly exposing the build pipeline components on the public internet and also not exposing it in front of unmanaged (out-of-scope) developer clients.Also consider the use of code signing to prevent code modifications.", - "check": "Are recommendations from the linked cheat sheet and referenced ASVS chapter applied?", - "detection_logic": "In-scope development relevant technical assets which are either accessed by out-of-scope unmanaged developer clients and/or are directly accessed by any kind of internet-located (non-VPN) component or are themselves directly located on the internet.", - "risk_assessment": "The risk rating depends on the confidentiality and integrity rating of the code being handled and deployed as well as the placement/calling of this technical asset on/from the internet.", - "false_positives": "When the build-pipeline and sourcecode-repo is not exposed to the internet and considered fully trusted (which implies that all accessing clients are also considered fully trusted in terms of their patch management and applied hardening, which must be equivalent to a managed developer client environment) this can be considered a false positive after individual review.", - "function": "operations", - "stride": "tampering", - "cwe": 912 - }, - "container-baseimage-backdooring": { - "id": 
"container-baseimage-backdooring", - "title": "Container Base Image Backdooring", - "description": "When a technical asset is built using container technologies, Base Image Backdooring risks might arise where base images and other layers used contain vulnerable components or backdoors.\u003cbr\u003e\u003cbr\u003eSee for example: \u003ca href=\"https://techcrunch.com/2018/06/15/tainted-crypto-mining-containers-pulled-from-docker-hub/\"\u003ehttps://techcrunch.com/2018/06/15/tainted-crypto-mining-containers-pulled-from-docker-hub/\u003c/a\u003e", - "impact": "If this risk is unmitigated, attackers might be able to deeply persist in the target system by executing code in deployed containers.", - "asvs": "V10 - Malicious Code Verification Requirements", - "cheat_sheet": "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", - "action": "Container Infrastructure Hardening", - "mitigation": "Apply hardening of all container infrastructures (see for example the \u003ci\u003eCIS-Benchmarks for Docker and Kubernetes\u003c/i\u003e and the \u003ci\u003eDocker Bench for Security\u003c/i\u003e). Use only trusted base images of the original vendors, verify digital signatures and apply image creation best practices. Also consider using Google's \u003ci\u003eDistroless\u003c/i\u003e base images or otherwise very small base images. Regularly execute container image scans with tools checking the layers for vulnerable components.", - "check": "Are recommendations from the linked cheat sheet and referenced ASVS/CSVS applied?", - "detection_logic": "In-scope technical assets running as containers.", - "risk_assessment": "The risk rating depends on the sensitivity of the technical asset itself and of the data assets.", - "false_positives": "Fully trusted (i.e. 
reviewed and cryptographically signed or similar) base images of containers can be considered as false positives after individual review.", - "function": "operations", - "stride": "tampering", - "cwe": 912 - }, - "container-platform-escape": { - "id": "container-platform-escape", - "title": "Container Platform Escape", - "description": "Container platforms are especially interesting targets for attackers as they host big parts of a containerized runtime infrastructure. When not configured and operated with security best practices in mind, attackers might exploit a vulnerability inside an container and escape towards the platform as highly privileged users. These scenarios might give attackers capabilities to attack every other container as owning the container platform (via container escape attacks) equals to owning every container.", - "impact": "If this risk is unmitigated, attackers which have successfully compromised a container (via other vulnerabilities) might be able to deeply persist in the target system by executing code in many deployed containers and the container platform itself.", - "asvs": "V14 - Configuration Verification Requirements", - "cheat_sheet": "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", - "action": "Container Infrastructure Hardening", - "mitigation": "Apply hardening of all container infrastructures. 
\u003cp\u003eSee for example the \u003ci\u003eCIS-Benchmarks for Docker and Kubernetes\u003c/i\u003e as well as the \u003ci\u003eDocker Bench for Security\u003c/i\u003e ( \u003ca href=\"https://github.com/docker/docker-bench-security\"\u003ehttps://github.com/docker/docker-bench-security\u003c/a\u003e ) or \u003ci\u003eInSpec Checks for Docker and Kubernetes\u003c/i\u003e ( \u003ca href=\"https://github.com/dev-sec/cis-kubernetes-benchmark\"\u003ehttps://github.com/dev-sec/cis-docker-benchmark\u003c/a\u003e and \u003ca href=\"https://github.com/dev-sec/cis-kubernetes-benchmark\"\u003ehttps://github.com/dev-sec/cis-kubernetes-benchmark\u003c/a\u003e ). Use only trusted base images, verify digital signatures and apply image creation best practices. Also consider using Google's \u003cb\u003eDistroless\u003c/i\u003e base images or otherwise very small base images. Apply namespace isolation and nod affinity to separate pods from each other in terms of access and nodes the same style as you separate data.", - "check": "Are recommendations from the linked cheat sheet and referenced ASVS or CSVS chapter applied?", - "detection_logic": "In-scope container platforms.", - "risk_assessment": "The risk rating depends on the sensitivity of the technical asset itself and of the data assets processed.", - "false_positives": "Container platforms not running parts of the target architecture can be considered as false positives after individual review.", - "function": "operations", - "stride": "elevation-of-privilege", - "cwe": 1008 - }, - "cross-site-request-forgery": { - "id": "cross-site-request-forgery", - "title": "Cross-Site Request Forgery (CSRF)", - "description": "When a web application is accessed via web protocols Cross-Site Request Forgery (CSRF) risks might arise.", - "impact": "If this risk remains unmitigated, attackers might be able to trick logged-in victim users into unwanted actions within the web application by visiting an attacker controlled web site.", - "asvs": 
"V4 - Access Control Verification Requirements", - "cheat_sheet": "https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html", - "action": "CSRF Prevention", - "mitigation": "Try to use anti-CSRF tokens ot the double-submit patterns (at least for logged-in requests). When your authentication scheme depends on cookies (like session or token cookies), consider marking them with the same-site flag. When a third-party product is used instead of custom developed software, check if the product applies the proper mitigation and ensure a reasonable patch-level.", - "check": "Are recommendations from the linked cheat sheet and referenced ASVS chapter applied?", - "detection_logic": "In-scope web applications accessed via typical web access protocols.", - "risk_assessment": "The risk rating depends on the integrity rating of the data sent across the communication link.", - "false_positives": "Web applications passing the authentication sate via custom headers instead of cookies can eventually be false positives. Also when the web application is not accessed via a browser-like component (i.e not by a human user initiating the request that gets passed through all components until it reaches the web application) this can be considered a false positive.", - "function": "development", - "cwe": 352 - }, - "cross-site-scripting": { - "id": "cross-site-scripting", - "title": "Cross-Site Scripting (XSS)", - "description": "For each web application Cross-Site Scripting (XSS) risks might arise. 
In terms of the overall risk level take other applications running on the same domain into account as well.", - "impact": "If this risk remains unmitigated, attackers might be able to access individual victim sessions and steal or modify user data.", - "asvs": "V5 - Validation, Sanitization and Encoding Verification Requirements", - "cheat_sheet": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html", - "action": "XSS Prevention", - "mitigation": "Try to encode all values sent back to the browser and also handle DOM-manipulations in a safe way to avoid DOM-based XSS. When a third-party product is used instead of custom developed software, check if the product applies the proper mitigation and ensure a reasonable patch-level.", - "check": "Are recommendations from the linked cheat sheet and referenced ASVS chapter applied?", - "detection_logic": "In-scope web applications.", - "risk_assessment": "The risk rating depends on the sensitivity of the data processed in the web application.", - "false_positives": "When the technical asset is not accessed via a browser-like component (i.e not by a human user initiating the request that gets passed through all components until it reaches the web application) this can be considered a false positive.", - "function": "development", - "stride": "tampering", - "cwe": 79 - }, - "dos-risky-access-across-trust-boundary": { - "id": "dos-risky-access-across-trust-boundary", - "title": "DoS-risky Access Across Trust-Boundary", - "description": "Assets accessed across trust boundaries with critical or mission-critical availability rating are more prone to Denial-of-Service (DoS) risks.", - "impact": "If this risk remains unmitigated, attackers might be able to disturb the availability of important parts of the system.", - "asvs": "V1 - Architecture, Design and Threat Modeling Requirements", - "cheat_sheet": "https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html", - 
"action": "Anti-DoS Measures", - "mitigation": "Apply anti-DoS techniques like throttling and/or per-client load blocking with quotas. Also for maintenance access routes consider applying a VPN instead of public reachable interfaces. Generally applying redundancy on the targeted technical asset reduces the risk of DoS.", - "check": "Are recommendations from the linked cheat sheet and referenced ASVS chapter applied?", - "detection_logic": "In-scope technical assets (excluding load-balancer) with availability rating of critical or higher which have incoming data-flows across a network trust-boundary (excluding devops usage).", - "risk_assessment": "Matching technical assets with availability rating of critical or higher are at low risk. When the availability rating is mission-critical and neither a VPN nor IP filter for the incoming data-flow nor redundancy for the asset is applied, the risk-rating is considered medium.", - "false_positives": "When the accessed target operations are not time- or resource-consuming.", - "function": "operations", - "stride": "denial-of-service", - "cwe": 400 - }, - "incomplete-model": { - "id": "incomplete-model", - "title": "Incomplete Model", - "description": "When the threat model contains unknown technologies or transfers data over unknown protocols, this is an indicator for an incomplete model.", - "impact": "If this risk is unmitigated, other risks might not be noticed as the model is incomplete.", - "asvs": "V1 - Architecture, Design and Threat Modeling Requirements", - "cheat_sheet": "https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html", - "action": "Threat Modeling Completeness", - "mitigation": "Try to find out what technology or protocol is used instead of specifying that it is unknown.", - "check": "Are recommendations from the linked cheat sheet and referenced ASVS chapter applied?", - "detection_logic": "All technical assets and communication links with technology type or protocol type 
specified as unknown.", - "risk_assessment": "low", - "false_positives": "Usually no false positives as this looks like an incomplete model.", - "function": "architecture", - "stride": "information-disclosure", - "model_failure_possible_reason": true, - "cwe": 1008 - }, - "ldap-injection": { - "id": "ldap-injection", - "title": "LDAP-Injection", - "description": "When an LDAP server is accessed LDAP-Injection risks might arise. The risk rating depends on the sensitivity of the LDAP server itself and of the data assets processed.", - "impact": "If this risk remains unmitigated, attackers might be able to modify LDAP queries and access more data from the LDAP server than allowed.", - "asvs": "V5 - Validation, Sanitization and Encoding Verification Requirements", - "cheat_sheet": "https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html", - "action": "LDAP-Injection Prevention", - "mitigation": "Try to use libraries that properly encode LDAP meta characters in searches and queries to access the LDAP sever in order to stay safe from LDAP-Injection vulnerabilities. 
When a third-party product is used instead of custom developed software, check if the product applies the proper mitigation and ensure a reasonable patch-level.", - "check": "Are recommendations from the linked cheat sheet and referenced ASVS chapter applied?", - "detection_logic": "In-scope clients accessing LDAP servers via typical LDAP access protocols.", - "risk_assessment": "The risk rating depends on the sensitivity of the LDAP server itself and of the data assets processed.", - "false_positives": "LDAP server queries by search values not consisting of parts controllable by the caller can be considered as false positives after individual review.", - "function": "development", - "stride": "tampering", - "cwe": 90 - }, - "missing-authentication": { - "id": "missing-authentication", - "title": "Missing Authentication", - "description": "Technical assets (especially multi-tenant systems) should authenticate incoming requests when the asset processes sensitive data. ", - "impact": "If this risk is unmitigated, attackers might be able to access or modify sensitive data in an unauthenticated way.", - "asvs": "V2 - Authentication Verification Requirements", - "cheat_sheet": "https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html", - "action": "Authentication of Incoming Requests", - "mitigation": "Apply an authentication method to the technical asset. To protect highly sensitive data consider the use of two-factor authentication for human users.", - "check": "Are recommendations from the linked cheat sheet and referenced ASVS chapter applied?", - "detection_logic": "In-scope technical assets (except load-balancer, reverse-proxy, service-registry, waf, ids, and ips and in-process calls) should authenticate incoming requests when the asset processes sensitive data. 
This is especially the case for all multi-tenant assets (there even non-sensitive ones).", - "risk_assessment": "The risk rating (medium or high) depends on the sensitivity of the data sent across the communication link. Monitoring callers are exempted from this risk.", - "false_positives": "Technical assets which do not process requests regarding functionality or data linked to end-users (customers) can be considered as false positives after individual review.", - "function": "architecture", - "stride": "elevation-of-privilege", - "cwe": 306 - }, - "missing-authentication-second-factor": { - "id": "missing-authentication-second-factor", - "title": "Missing Two-Factor Authentication (2FA)", - "description": "Technical assets (especially multi-tenant systems) should authenticate incoming requests with two-factor (2FA) authentication when the asset processes or stores highly sensitive data (in terms of confidentiality, integrity, and availability) and is accessed by humans.", - "impact": "If this risk is unmitigated, attackers might be able to access or modify highly sensitive data without strong authentication.", - "asvs": "V2 - Authentication Verification Requirements", - "cheat_sheet": "https://cheatsheetseries.owasp.org/cheatsheets/Multifactor_Authentication_Cheat_Sheet.html", - "action": "Authentication with Second Factor (2FA)", - "mitigation": "Apply an authentication method to the technical asset protecting highly sensitive data via two-factor authentication for human users.", - "check": "Are recommendations from the linked cheat sheet and referenced ASVS chapter applied?", - "detection_logic": "In-scope technical assets (except load-balancer, reverse-proxy, waf, ids, and ips) should authenticate incoming requests via two-factor authentication (2FA) when the asset processes or stores highly sensitive data (in terms of confidentiality, integrity, and availability) and is accessed by a client used by a human user.", - "risk_assessment": "medium", - 
"false_positives": "Technical assets which do not process requests regarding functionality or data linked to end-users (customers) can be considered as false positives after individual review.", - "stride": "elevation-of-privilege", - "cwe": 308 - }, - "missing-build-infrastructure": { - "id": "missing-build-infrastructure", - "title": "Missing Build Infrastructure", - "description": "The modeled architecture does not contain a build infrastructure (devops-client, sourcecode-repo, build-pipeline, etc.), which might be the risk of a model missing critical assets (and thus not seeing their risks). If the architecture contains custom-developed parts, the pipeline where code gets developed and built needs to be part of the model.", - "impact": "If this risk is unmitigated, attackers might be able to exploit risks unseen in this threat model due to critical build infrastructure components missing in the model.", - "asvs": "V1 - Architecture, Design and Threat Modeling Requirements", - "cheat_sheet": "https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html", - "action": "Build Pipeline Hardening", - "mitigation": "Include the build infrastructure in the model.", - "check": "Are recommendations from the linked cheat sheet and referenced ASVS chapter applied?", - "detection_logic": "Models with in-scope custom-developed parts missing in-scope development (code creation) and build infrastructure components (devops-client, sourcecode-repo, build-pipeline, etc.).", - "risk_assessment": "The risk rating depends on the highest sensitivity of the in-scope assets running custom-developed parts.", - "false_positives": "Models not having any custom-developed parts can be considered as false positives after individual review.", - "function": "architecture", - "stride": "tampering", - "model_failure_possible_reason": true, - "cwe": 1127 - }, - "missing-cloud-hardening": { - "id": "missing-cloud-hardening", - "title": "Missing Cloud Hardening", - 
"description": "Cloud components should be hardened according to the cloud vendor best practices. This affects their configuration, auditing, and further areas.", - "impact": "If this risk is unmitigated, attackers might access cloud components in an unintended way.", - "asvs": "V1 - Architecture, Design and Threat Modeling Requirements", - "cheat_sheet": "https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html", - "action": "Cloud Hardening", - "mitigation": "Apply hardening of all cloud components and services, taking special care to follow the individual risk descriptions (which depend on the cloud provider tags in the model). \u003cbr\u003e\u003cbr\u003eFor \u003cb\u003eAmazon Web Services (AWS)\u003c/b\u003e: Follow the \u003ci\u003eCIS Benchmark for Amazon Web Services\u003c/i\u003e (see also the automated checks of cloud audit tools like \u003ci\u003e\"PacBot\", \"CloudSploit\", \"CloudMapper\", \"ScoutSuite\", or \"Prowler AWS CIS Benchmark Tool\"\u003c/i\u003e). \u003cbr\u003eFor EC2 and other servers running Amazon Linux, follow the \u003ci\u003eCIS Benchmark for Amazon Linux\u003c/i\u003e and switch to IMDSv2. \u003cbr\u003eFor S3 buckets follow the \u003ci\u003eSecurity Best Practices for Amazon S3\u003c/i\u003e at \u003ca href=\"https://docs.aws.amazon.com/AmazonS3/latest/dev/security-best-practices.html\"\u003ehttps://docs.aws.amazon.com/AmazonS3/latest/dev/security-best-practices.html\u003c/a\u003e to avoid accidental leakage. 
\u003cbr\u003eAlso take a look at some of these tools: \u003ca href=\"https://github.com/toniblyx/my-arsenal-of-aws-security-tools\"\u003ehttps://github.com/toniblyx/my-arsenal-of-aws-security-tools\u003c/a\u003e \u003cbr\u003e\u003cbr\u003eFor \u003cb\u003eMicrosoft Azure\u003c/b\u003e: Follow the \u003ci\u003eCIS Benchmark for Microsoft Azure\u003c/i\u003e (see also the automated checks of cloud audit tools like \u003ci\u003e\"CloudSploit\" or \"ScoutSuite\"\u003c/i\u003e).\u003cbr\u003e\u003cbr\u003eFor \u003cb\u003eGoogle Cloud Platform\u003c/b\u003e: Follow the \u003ci\u003eCIS Benchmark for Google Cloud Computing Platform\u003c/i\u003e (see also the automated checks of cloud audit tools like \u003ci\u003e\"CloudSploit\" or \"ScoutSuite\"\u003c/i\u003e). \u003cbr\u003e\u003cbr\u003eFor \u003cb\u003eOracle Cloud Platform\u003c/b\u003e: Follow the hardening best practices (see also the automated checks of cloud audit tools like \u003ci\u003e\"CloudSploit\"\u003c/i\u003e).", - "check": "Are recommendations from the linked cheat sheet and referenced ASVS chapter applied?", - "detection_logic": "In-scope cloud components (either residing in cloud trust boundaries or more specifically tagged with cloud provider types).", - "risk_assessment": "The risk rating depends on the sensitivity of the technical asset itself and of the data assets processed.", - "false_positives": "Cloud components not running parts of the target architecture can be considered as false positives after individual review.", - "function": "operations", - "stride": "tampering", - "cwe": 1008 - }, - "missing-file-validation": { - "id": "missing-file-validation", - "title": "Missing File Validation", - "description": "When a technical asset accepts files, these input files should be strictly validated about filename and type.", - "impact": "If this risk is unmitigated, attackers might be able to provide malicious files to the application.", - "asvs": "V12 - File and Resources Verification 
Requirements", - "cheat_sheet": "https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html", - "action": "File Validation", - "mitigation": "Filter by file extension and discard (if feasible) the name provided. Whitelist the accepted file types and determine the mime-type on the server-side (for example via \"Apache Tika\" or similar checks). If the file is retrievable by end users and/or backoffice employees, consider performing scans for popular malware (if the files can be retrieved much later than they were uploaded, also apply a fresh malware scan during retrieval to scan with newer signatures of popular malware). Also enforce limits on maximum file size to avoid denial-of-service like scenarios.", - "check": "Are recommendations from the linked cheat sheet and referenced ASVS chapter applied?", - "detection_logic": "In-scope technical assets with custom-developed code accepting file data formats.", - "risk_assessment": "The risk rating depends on the sensitivity of the technical asset itself and of the data assets processed.", - "false_positives": "Fully trusted (i.e. 
cryptographically signed or similar) files can be considered as false positives after individual review.", - "function": "development", - "cwe": 434 - }, - "missing-hardening": { - "id": "missing-hardening", - "title": "Missing Hardening", - "description": "Technical assets with a Relative Attacker Attractiveness (RAA) value of 55 % or higher should be explicitly hardened taking best practices and vendor hardening guides into account.", - "impact": "If this risk remains unmitigated, attackers might be able to easier attack high-value targets.", - "asvs": "V14 - Configuration Verification Requirements", - "cheat_sheet": "https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html", - "action": "System Hardening", - "mitigation": "Try to apply all hardening best practices (like CIS benchmarks, OWASP recommendations, vendor recommendations, DevSec Hardening Framework, DBSAT for Oracle databases, and others).", - "check": "Are recommendations from the linked cheat sheet and referenced ASVS chapter applied?", - "detection_logic": "In-scope technical assets with RAA values of 55 % or higher. Generally for high-value targets like data stores, application servers, identity providers and ERP systems this limit is reduced to 40 %", - "risk_assessment": "The risk rating depends on the sensitivity of the data processed in the technical asset.", - "false_positives": "Usually no false positives.", - "function": "operations", - "stride": "tampering", - "cwe": 16 - }, - "missing-identity-propagation": { - "id": "missing-identity-propagation", - "title": "Missing Identity Propagation", - "description": "Technical assets (especially multi-tenant systems), which usually process data for end users should authorize every request based on the identity of the end user when the data flow is authenticated (i.e. non-public). 
For DevOps usages at least a technical-user authorization is required.", - "impact": "If this risk is unmitigated, attackers might be able to access or modify foreign data after a successful compromise of a component within the system due to missing resource-based authorization checks.", - "asvs": "V4 - Access Control Verification Requirements", - "cheat_sheet": "https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html", - "action": "Identity Propagation and Resource-based Authorization", - "mitigation": "When processing requests for end users if possible authorize in the backend against the propagated identity of the end user. This can be achieved in passing JWTs or similar tokens and checking them in the backend services. For DevOps usages apply at least a technical-user authorization.", - "check": "Are recommendations from the linked cheat sheet and referenced ASVS chapter applied?", - "detection_logic": "In-scope service-like technical assets which usually process data based on end user requests, if authenticated (i.e. non-public), should authorize incoming requests based on the propagated end user identity when their rating is sensitive. This is especially the case for all multi-tenant assets (there even less-sensitive rated ones). 
DevOps usages are exempted from this risk.", - "risk_assessment": "The risk rating (medium or high) depends on the confidentiality, integrity, and availability rating of the technical asset.", - "false_positives": "Technical assets which do not process requests regarding functionality or data linked to end-users (customers) can be considered as false positives after individual review.", - "function": "architecture", - "stride": "elevation-of-privilege", - "cwe": 284 - }, - "missing-identity-provider-isolation": { - "id": "missing-identity-provider-isolation", - "title": "Missing Identity Provider Isolation", - "description": "Highly sensitive identity provider assets and their identity data stores should be isolated from other assets by their own network segmentation trust-boundary (execution-environment boundaries do not count as network isolation).", - "impact": "If this risk is unmitigated, attackers successfully attacking other components of the system might have an easy path towards highly sensitive identity provider assets and their identity data stores, as they are not separated by network segmentation.", - "asvs": "V1 - Architecture, Design and Threat Modeling Requirements", - "cheat_sheet": "https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html", - "action": "Network Segmentation", - "mitigation": "Apply a network segmentation trust-boundary around the highly sensitive identity provider assets and their identity data stores.", - "check": "Are recommendations from the linked cheat sheet and referenced ASVS chapter applied?", - "detection_logic": "In-scope identity provider assets and their identity data stores when surrounded by other (not identity-related) assets (without a network trust-boundary in-between). This risk is especially prevalent when other non-identity related assets are within the same execution environment (i.e. same database or same application server).", - "risk_assessment": "Default is high impact. 
The impact is increased to very-high when the asset missing the trust-boundary protection is rated as strictly-confidential or mission-critical.", - "false_positives": "When all assets within the network segmentation trust-boundary are hardened and protected to the same extend as if all were identity providers with data of highest sensitivity.", - "function": "operations", - "stride": "elevation-of-privilege", - "cwe": 1008 - }, - "missing-identity-store": { - "id": "missing-identity-store", - "title": "Missing Identity Store", - "description": "The modeled architecture does not contain an identity store, which might be the risk of a model missing critical assets (and thus not seeing their risks).", - "impact": "If this risk is unmitigated, attackers might be able to exploit risks unseen in this threat model in the identity provider/store that is currently missing in the model.", - "asvs": "V2 - Authentication Verification Requirements", - "cheat_sheet": "https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html", - "action": "Identity Store", - "mitigation": "Include an identity store in the model if the application has a login.", - "check": "Are recommendations from the linked cheat sheet and referenced ASVS chapter applied?", - "detection_logic": "Models with authenticated data-flows authorized via end user identity missing an in-scope identity store.", - "risk_assessment": "The risk rating depends on the sensitivity of the end user-identity authorized technical assets and their data assets processed.", - "false_positives": "Models only offering data/services without any real authentication need can be considered as false positives after individual review.", - "function": "architecture", - "model_failure_possible_reason": true, - "cwe": 287 - }, - "missing-network-segmentation": { - "id": "missing-network-segmentation", - "title": "Missing Network Segmentation", - "description": "Highly sensitive assets and/or data stores residing in the 
same network segment than other lower sensitive assets (like webservers or content management systems etc.) should be better protected by a network segmentation trust-boundary.", - "impact": "If this risk is unmitigated, attackers successfully attacking other components of the system might have an easy path towards more valuable targets, as they are not separated by network segmentation.", - "asvs": "V1 - Architecture, Design and Threat Modeling Requirements", - "cheat_sheet": "https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html", - "action": "Network Segmentation", - "mitigation": "Apply a network segmentation trust-boundary around the highly sensitive assets and/or data stores.", - "check": "Are recommendations from the linked cheat sheet and referenced ASVS chapter applied?", - "detection_logic": "In-scope technical assets with high sensitivity and RAA values as well as data stores when surrounded by assets (without a network trust-boundary in-between) which are of type client-system, web-server, web-application, cms, web-service-rest, web-service-soap, build-pipeline, sourcecode-repository, monitoring, or similar and there is no direct connection between these (hence no requirement to be so close to each other).", - "risk_assessment": "Default is low risk. 
The risk is increased to medium when the asset missing the trust-boundary protection is rated as strictly-confidential or mission-critical.", - "false_positives": "When all assets within the network segmentation trust-boundary are hardened and protected to the same extend as if all were containing/processing highly sensitive data.", - "function": "operations", - "stride": "elevation-of-privilege", - "cwe": 1008 - }, - "missing-vault": { - "id": "missing-vault", - "title": "Missing Vault (Secret Storage)", - "description": "In order to avoid the risk of secret leakage via config files (when attacked through vulnerabilities being able to read files like Path-Traversal and others), it is best practice to use a separate hardened process with proper authentication, authorization, and audit logging to access config secrets (like credentials, private keys, client certificates, etc.). This component is usually some kind of Vault.", - "impact": "If this risk is unmitigated, attackers might be able to easier steal config secrets (like credentials, private keys, client certificates, etc.) 
once a vulnerability to access files is present and exploited.", - "asvs": "V6 - Stored Cryptography Verification Requirements", - "cheat_sheet": "https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html", - "action": "Vault (Secret Storage)", - "mitigation": "Consider using a Vault (Secret Storage) to securely store and access config secrets (like credentials, private keys, client certificates, etc.).", - "check": "Is a Vault (Secret Storage) in place?", - "detection_logic": "Models without a Vault (Secret Storage).", - "risk_assessment": "The risk rating depends on the sensitivity of the technical asset itself and of the data assets processed.", - "false_positives": "Models where no technical assets have any kind of sensitive config data to protect can be considered as false positives after individual review.", - "function": "architecture", - "stride": "information-disclosure", - "model_failure_possible_reason": true, - "cwe": 522 - }, - "missing-vault-isolation": { - "id": "missing-vault-isolation", - "title": "Missing Vault Isolation", - "description": "Highly sensitive vault assets and their data stores should be isolated from other assets by their own network segmentation trust-boundary (execution-environment boundaries do not count as network isolation).", - "impact": "If this risk is unmitigated, attackers successfully attacking other components of the system might have an easy path towards highly sensitive vault assets and their data stores, as they are not separated by network segmentation.", - "asvs": "V1 - Architecture, Design and Threat Modeling Requirements", - "cheat_sheet": "https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html", - "action": "Network Segmentation", - "mitigation": "Apply a network segmentation trust-boundary around the highly sensitive vault assets and their data stores.", - "check": "Are recommendations from the linked cheat sheet and referenced ASVS chapter applied?", 
- "detection_logic": "In-scope vault assets when surrounded by other (not vault-related) assets (without a network trust-boundary in-between). This risk is especially prevalent when other non-vault related assets are within the same execution environment (i.e. same database or same application server).", - "risk_assessment": "Default is medium impact. The impact is increased to high when the asset missing the trust-boundary protection is rated as strictly-confidential or mission-critical.", - "false_positives": "When all assets within the network segmentation trust-boundary are hardened and protected to the same extend as if all were vaults with data of highest sensitivity.", - "function": "operations", - "stride": "elevation-of-privilege", - "cwe": 1008 - }, - "missing-waf": { - "id": "missing-waf", - "title": "Missing Web Application Firewall (WAF)", - "description": "To have a first line of filtering defense, security architectures with web-services or web-applications should include a WAF in front of them. Even though a WAF is not a replacement for security (all components must be secure even without a WAF) it adds another layer of defense to the overall system by delaying some attacks and having easier attack alerting through it.", - "impact": "If this risk is unmitigated, attackers might be able to apply standard attack pattern tests at great speed without any filtering.", - "asvs": "V1 - Architecture, Design and Threat Modeling Requirements", - "cheat_sheet": "https://cheatsheetseries.owasp.org/cheatsheets/Virtual_Patching_Cheat_Sheet.html", - "action": "Web Application Firewall (WAF)", - "mitigation": "Consider placing a Web Application Firewall (WAF) in front of the web-services and/or web-applications. For cloud environments many cloud providers offer pre-configured WAFs. 
Even reverse proxies can be enhances by a WAF component via ModSecurity plugins.", - "check": "Is a Web Application Firewall (WAF) in place?", - "detection_logic": "In-scope web-services and/or web-applications accessed across a network trust boundary not having a Web Application Firewall (WAF) in front of them.", - "risk_assessment": "The risk rating depends on the sensitivity of the technical asset itself and of the data assets processed.", - "false_positives": "Targets only accessible via WAFs or reverse proxies containing a WAF component (like ModSecurity) can be considered as false positives after individual review.", - "function": "operations", - "stride": "tampering", - "cwe": 1008 - }, - "mixed-targets-on-shared-runtime": { - "id": "mixed-targets-on-shared-runtime", - "title": "Mixed Targets on Shared Runtime", - "description": "Different attacker targets (like frontend and backend/datastore components) should not be running on the same shared (underlying) runtime.", - "impact": "If this risk is unmitigated, attackers successfully attacking other components of the system might have an easy path towards more valuable targets, as they are running on the same shared runtime.", - "asvs": "V1 - Architecture, Design and Threat Modeling Requirements", - "cheat_sheet": "https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html", - "action": "Runtime Separation", - "mitigation": "Use separate runtime environments for running different target components or apply similar separation styles to prevent load- or breach-related problems originating from one more attacker-facing asset impacts also the other more critical rated backend/datastore assets.", - "check": "Are recommendations from the linked cheat sheet and referenced ASVS chapter applied?", - "detection_logic": "Shared runtime running technical assets of different trust-boundaries is at risk. 
Also mixing backend/datastore with frontend components on the same shared runtime is considered a risk.", - "risk_assessment": "The risk rating (low or medium) depends on the confidentiality, integrity, and availability rating of the technical asset running on the shared runtime.", - "false_positives": "When all assets running on the shared runtime are hardened and protected to the same extend as if all were containing/processing highly sensitive data.", - "function": "operations", - "stride": "elevation-of-privilege", - "cwe": 1008 - }, - "path-traversal": { - "id": "path-traversal", - "title": "Path-Traversal", - "description": "When a filesystem is accessed Path-Traversal or Local-File-Inclusion (LFI) risks might arise. The risk rating depends on the sensitivity of the technical asset itself and of the data assets processed.", - "impact": "If this risk is unmitigated, attackers might be able to read sensitive files (configuration data, key/credential files, deployment files, business data files, etc.) from the filesystem of affected components.", - "asvs": "V12 - File and Resources Verification Requirements", - "cheat_sheet": "https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html", - "action": "Path-Traversal Prevention", - "mitigation": "Before accessing the file cross-check that it resides in the expected folder and is of the expected type and filename/suffix. Try to use a mapping if possible instead of directly accessing by a filename which is (partly or fully) provided by the caller. 
When a third-party product is used instead of custom developed software, check if the product applies the proper mitigation and ensure a reasonable patch-level.", - "check": "Are recommendations from the linked cheat sheet and referenced ASVS chapter applied?", - "detection_logic": "Filesystems accessed by in-scope callers.", - "risk_assessment": "The risk rating depends on the sensitivity of the data stored inside the technical asset.", - "false_positives": "File accesses by filenames not consisting of parts controllable by the caller can be considered as false positives after individual review.", - "function": "development", - "stride": "information-disclosure", - "cwe": 22 - }, - "push-instead-of-pull-deployment": { - "id": "push-instead-of-pull-deployment", - "title": "Push instead of Pull Deployment", - "description": "When comparing push-based vs. pull-based deployments from a security perspective, pull-based deployments improve the overall security of the deployment targets. Every exposed interface of a production system to accept a deployment increases the attack surface of the production system, thus a pull-based approach exposes less attack surface relevant interfaces.", - "impact": "If this risk is unmitigated, attackers might have more potential target vectors for attacks, as the overall attack surface is unnecessarily increased.", - "asvs": "V1 - Architecture, Design and Threat Modeling Requirements", - "cheat_sheet": "https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html", - "action": "Build Pipeline Hardening", - "mitigation": "Try to prefer pull-based deployments (like GitOps scenarios offer) over push-based deployments to reduce the attack surface of the production system.", - "check": "Are recommendations from the linked cheat sheet and referenced ASVS chapter applied?", - "detection_logic": "Models with build pipeline components accessing in-scope targets of deployment (in a non-readonly way) which are not 
build-related components themselves.", - "risk_assessment": "The risk rating depends on the highest sensitivity of the deployment targets running custom-developed parts.", - "false_positives": "Communication links that are not deployment paths can be considered as false positives after individual review.", - "function": "architecture", - "stride": "tampering", - "model_failure_possible_reason": true, - "cwe": 1127 - }, - "search-query-injection": { - "id": "search-query-injection", - "title": "Search-Query Injection", - "description": "When a search engine server is accessed Search-Query Injection risks might arise.\u003cbr\u003e\u003cbr\u003eSee for example \u003ca href=\"https://github.com/veracode-research/solr-injection\"\u003ehttps://github.com/veracode-research/solr-injection\u003c/a\u003e and \u003ca href=\"https://github.com/veracode-research/solr-injection/blob/master/slides/DEFCON-27-Michael-Stepankin-Apache-Solr-Injection.pdf\"\u003ehttps://github.com/veracode-research/solr-injection/blob/master/slides/DEFCON-27-Michael-Stepankin-Apache-Solr-Injection.pdf\u003c/a\u003e for more details (here related to Solr, but in general showcasing the topic of search query injections).", - "impact": "If this risk remains unmitigated, attackers might be able to read more data from the search index and eventually further escalate towards a deeper system penetration via code executions.", - "asvs": "V5 - Validation, Sanitization and Encoding Verification Requirements", - "cheat_sheet": "https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html", - "action": "Search-Query Injection Prevention", - "mitigation": "Try to use libraries that properly encode search query meta characters in searches and don't expose the query unfiltered to the caller. 
When a third-party product is used instead of custom developed software, check if the product applies the proper mitigation and ensure a reasonable patch-level.", - "check": "Are recommendations from the linked cheat sheet and referenced ASVS chapter applied?", - "detection_logic": "In-scope clients accessing search engine servers via typical search access protocols.", - "risk_assessment": "The risk rating depends on the sensitivity of the search engine server itself and of the data assets processed.", - "false_positives": "Server engine queries by search values not consisting of parts controllable by the caller can be considered as false positives after individual review.", - "function": "development", - "stride": "tampering", - "cwe": 74 - }, - "server-side-request-forgery": { - "id": "server-side-request-forgery", - "title": "Server-Side Request Forgery (SSRF)", - "description": "When a server system (i.e. not a client) is accessing other server systems via typical web protocols Server-Side Request Forgery (SSRF) or Local-File-Inclusion (LFI) or Remote-File-Inclusion (RFI) risks might arise. ", - "impact": "If this risk is unmitigated, attackers might be able to access sensitive services or files of network-reachable components by modifying outgoing calls of affected components.", - "asvs": "V12 - File and Resources Verification Requirements", - "cheat_sheet": "https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html", - "action": "SSRF Prevention", - "mitigation": "Try to avoid constructing the outgoing target URL with caller controllable values. Alternatively use a mapping (whitelist) when accessing outgoing URLs instead of creating them including caller controllable values. 
When a third-party product is used instead of custom developed software, check if the product applies the proper mitigation and ensure a reasonable patch-level.", - "check": "Are recommendations from the linked cheat sheet and referenced ASVS chapter applied?", - "detection_logic": "In-scope non-client systems accessing (using outgoing communication links) targets with either HTTP or HTTPS protocol.", - "risk_assessment": "The risk rating (low or medium) depends on the sensitivity of the data assets receivable via web protocols from targets within the same network trust-boundary as well on the sensitivity of the data assets receivable via web protocols from the target asset itself. Also for cloud-based environments the exploitation impact is at least medium, as cloud backend services can be attacked via SSRF.", - "false_positives": "Servers not sending outgoing web requests can be considered as false positives after review.", - "function": "development", - "stride": "information-disclosure", - "cwe": 918 - }, - "service-registry-poisoning": { - "id": "service-registry-poisoning", - "title": "Service Registry Poisoning", - "description": "When a service registry used for discovery of trusted service endpoints Service Registry Poisoning risks might arise.", - "impact": "If this risk remains unmitigated, attackers might be able to poison the service registry with malicious service endpoints or malicious lookup and config data leading to breach of sensitive data.", - "asvs": "V10 - Malicious Code Verification Requirements", - "cheat_sheet": "https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html", - "action": "Service Registry Integrity Check", - "mitigation": "Try to strengthen the access control of the service registry and apply cross-checks to detect maliciously poisoned lookup data.", - "check": "Are recommendations from the linked cheat sheet and referenced ASVS chapter applied?", - "detection_logic": "In-scope service registries.", - 
"risk_assessment": "The risk rating depends on the sensitivity of the technical assets accessing the service registry as well as the data assets processed.", - "false_positives": "Service registries not used for service discovery can be considered as false positives after individual review.", - "function": "architecture", - "cwe": 693 - }, - "sql-nosql-injection": { - "id": "sql-nosql-injection", - "title": "SQL/NoSQL-Injection", - "description": "When a database is accessed via database access protocols SQL/NoSQL-Injection risks might arise. The risk rating depends on the sensitivity technical asset itself and of the data assets processed.", - "impact": "If this risk is unmitigated, attackers might be able to modify SQL/NoSQL queries to steal and modify data and eventually further escalate towards a deeper system penetration via code executions.", - "asvs": "V5 - Validation, Sanitization and Encoding Verification Requirements", - "cheat_sheet": "https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html", - "action": "SQL/NoSQL-Injection Prevention", - "mitigation": "Try to use parameter binding to be safe from injection vulnerabilities. 
When a third-party product is used instead of custom developed software, check if the product applies the proper mitigation and ensure a reasonable patch-level.", - "check": "Are recommendations from the linked cheat sheet and referenced ASVS chapter applied?", - "detection_logic": "Database accessed via typical database access protocols by in-scope clients.", - "risk_assessment": "The risk rating depends on the sensitivity of the data stored inside the database.", - "false_positives": "Database accesses by queries not consisting of parts controllable by the caller can be considered as false positives after individual review.", - "function": "development", - "stride": "tampering", - "cwe": 89 - }, - "unchecked-deployment": { - "id": "unchecked-deployment", - "title": "Unchecked Deployment", - "description": "For each build-pipeline component Unchecked Deployment risks might arise when the build-pipeline does not include established DevSecOps best-practices. DevSecOps best-practices scan as part of CI/CD pipelines for vulnerabilities in source- or byte-code, dependencies, container layers, and dynamically against running test systems. 
There are several open-source and commercial tools existing in the categories DAST, SAST, and IAST.", - "impact": "If this risk remains unmitigated, vulnerabilities in custom-developed software or their dependencies might not be identified during continuous deployment cycles.", - "asvs": "V14 - Configuration Verification Requirements", - "cheat_sheet": "https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html", - "action": "Build Pipeline Hardening", - "mitigation": "Apply DevSecOps best-practices and use scanning tools to identify vulnerabilities in source- or byte-code,dependencies, container layers, and optionally also via dynamic scans against running test systems.", - "check": "Are recommendations from the linked cheat sheet and referenced ASVS chapter applied?", - "detection_logic": "All development-relevant technical assets.", - "risk_assessment": "The risk rating depends on the highest rating of the technical assets and data assets processed by deployment-receiving targets.", - "false_positives": "When the build-pipeline does not build any software components it can be considered a false positive after individual review.", - "function": "architecture", - "stride": "tampering", - "cwe": 1127 - }, - "unencrypted-asset": { - "id": "unencrypted-asset", - "title": "Unencrypted Technical Assets", - "description": "Due to the confidentiality rating of the technical asset itself and/or the processed data assets this technical asset must be encrypted. 
The risk rating depends on the sensitivity technical asset itself and of the data assets stored.", - "impact": "If this risk is unmitigated, attackers might be able to access unencrypted data when successfully compromising sensitive components.", - "asvs": "V6 - Stored Cryptography Verification Requirements", - "cheat_sheet": "https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html", - "action": "Encryption of Technical Asset", - "mitigation": "Apply encryption to the technical asset.", - "check": "Are recommendations from the linked cheat sheet and referenced ASVS chapter applied?", - "detection_logic": "In-scope unencrypted technical assets (excluding reverse-proxy, load-balancer, waf, ids, ips and embedded components like library) storing data assets rated at least as confidential or critical. For technical assets storing data assets rated as strictly-confidential or mission-critical the encryption must be of type data-with-end-user-individual-key.", - "risk_assessment": "Depending on the confidentiality rating of the stored data-assets either medium or high risk.", - "false_positives": "When all sensitive data stored within the asset is already fully encrypted on document or data level.", - "function": "operations", - "stride": "information-disclosure", - "cwe": 311 - }, - "unencrypted-communication": { - "id": "unencrypted-communication", - "title": "Unencrypted Communication", - "description": "Due to the confidentiality and/or integrity rating of the data assets transferred over the communication link this connection must be encrypted.", - "impact": "If this risk is unmitigated, network attackers might be able to to eavesdrop on unencrypted sensitive data sent between components.", - "asvs": "V9 - Communication Verification Requirements", - "cheat_sheet": "https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html", - "action": "Encryption of Communication Links", - "mitigation": "Apply transport 
layer encryption to the communication link.", - "check": "Are recommendations from the linked cheat sheet and referenced ASVS chapter applied?", - "detection_logic": "Unencrypted technical communication links of in-scope technical assets (excluding monitoring traffic as well as local-file-access and in-process-library-call) transferring sensitive data.", - "risk_assessment": "Depending on the confidentiality rating of the transferred data-assets either medium or high risk.", - "false_positives": "When all sensitive data sent over the communication link is already fully encrypted on document or data level. Also intra-container/pod communication can be considered false positive when container orchestration platform handles encryption.", - "function": "operations", - "stride": "information-disclosure", - "cwe": 319 - }, - "unguarded-access-from-internet": { - "id": "unguarded-access-from-internet", - "title": "Unguarded Access From Internet", - "description": "Internet-exposed assets must be guarded by a protecting service, application, or reverse-proxy.", - "impact": "If this risk is unmitigated, attackers might be able to directly attack sensitive systems without any hardening components in-between due to them being directly exposed on the internet.", - "asvs": "V1 - Architecture, Design and Threat Modeling Requirements", - "cheat_sheet": "https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html", - "action": "Encapsulation of Technical Asset", - "mitigation": "Encapsulate the asset behind a guarding service, application, or reverse-proxy. For admin maintenance a bastion-host should be used as a jump-server. 
For file transfer a store-and-forward-host should be used as an indirect file exchange platform.", - "check": "Are recommendations from the linked cheat sheet and referenced ASVS chapter applied?", - "detection_logic": "In-scope technical assets (excluding load-balancer) with confidentiality rating of confidential (or higher) or with integrity rating of critical (or higher) when accessed directly from the internet. All web-server, web-application, reverse-proxy, waf, and gateway assets are exempted from this risk when they do not consist of custom developed code and the data-flow only consists of HTTP or FTP protocols. Access from monitoring systems as well as VPN-protected connections are exempted.", - "risk_assessment": "The matching technical assets are at low risk. When either the confidentiality rating is strictly-confidential or the integrity rating is mission-critical, the risk-rating is considered medium. For assets with RAA values higher than 40 % the risk-rating increases.", - "false_positives": "When other means of filtering client requests are applied equivalent of reverse-proxy, waf, or gateway components.", - "function": "architecture", - "stride": "elevation-of-privilege", - "cwe": 501 - }, - "unguarded-direct-datastore-access": { - "id": "unguarded-direct-datastore-access", - "title": "Unguarded Direct Datastore Access", - "description": "Data stores accessed across trust boundaries must be guarded by some protecting service or application.", - "impact": "If this risk is unmitigated, attackers might be able to directly attack sensitive data stores without any protecting components in-between.", - "asvs": "V1 - Architecture, Design and Threat Modeling Requirements", - "cheat_sheet": "https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html", - "action": "Encapsulation of Datastore", - "mitigation": "Encapsulate the datastore access behind a guarding service or application.", - "check": "Are recommendations from the 
linked cheat sheet and referenced ASVS chapter applied?", - "detection_logic": "In-scope technical assets of type datastore (except identity-store-ldap when accessed from identity-provider and file-server when accessed via file transfer protocols) with confidentiality rating of confidential (or higher) or with integrity rating of critical (or higher) which have incoming data-flows from assets outside across a network trust-boundary. DevOps config and deployment access is excluded from this risk.", - "risk_assessment": "The matching technical assets are at low risk. When either the confidentiality rating is strictly-confidential or the integrity rating is mission-critical, the risk-rating is considered medium. For assets with RAA values higher than 40 % the risk-rating increases.", - "false_positives": "When the caller is considered fully trusted as if it was part of the datastore itself.", - "function": "architecture", - "stride": "elevation-of-privilege", - "cwe": 501 - }, - "unnecessary-communication-link": { - "id": "unnecessary-communication-link", - "title": "Unnecessary Communication Link", - "description": "When a technical communication link does not send or receive any data assets, this is an indicator for an unnecessary communication link (or for an incomplete model).", - "impact": "If this risk is unmitigated, attackers might be able to target unnecessary communication links.", - "asvs": "V1 - Architecture, Design and Threat Modeling Requirements", - "cheat_sheet": "https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html", - "action": "Attack Surface Reduction", - "mitigation": "Try to avoid using technical communication links that do not send or receive anything.", - "check": "Are recommendations from the linked cheat sheet and referenced ASVS chapter applied?", - "detection_logic": "In-scope technical assets' technical communication links not sending or receiving any data assets.", - "risk_assessment": "low", - 
"false_positives": "Usually no false positives as this looks like an incomplete model.", - "function": "architecture", - "stride": "elevation-of-privilege", - "model_failure_possible_reason": true, - "cwe": 1008 - }, - "unnecessary-data-asset": { - "id": "unnecessary-data-asset", - "title": "Unnecessary Data Asset", - "description": "When a data asset is not processed by any data assets and also not transferred by any communication links, this is an indicator for an unnecessary data asset (or for an incomplete model).", - "impact": "If this risk is unmitigated, attackers might be able to access unnecessary data assets using other vulnerabilities.", - "asvs": "V1 - Architecture, Design and Threat Modeling Requirements", - "cheat_sheet": "https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html", - "action": "Attack Surface Reduction", - "mitigation": "Try to avoid having data assets that are not required/used.", - "check": "Are recommendations from the linked cheat sheet and referenced ASVS chapter applied?", - "detection_logic": "Modelled data assets not processed by any data assets and also not transferred by any communication links.", - "risk_assessment": "low", - "false_positives": "Usually no false positives as this looks like an incomplete model.", - "function": "architecture", - "stride": "elevation-of-privilege", - "model_failure_possible_reason": true, - "cwe": 1008 - }, - "unnecessary-data-transfer": { - "id": "unnecessary-data-transfer", - "title": "Unnecessary Data Transfer", - "description": "When a technical asset sends or receives data assets, which it neither processes or stores this is an indicator for unnecessarily transferred data (or for an incomplete model). 
When the unnecessarily transferred data assets are sensitive, this poses an unnecessary risk of an increased attack surface.", - "impact": "If this risk is unmitigated, attackers might be able to target unnecessarily transferred data.", - "asvs": "V1 - Architecture, Design and Threat Modeling Requirements", - "cheat_sheet": "https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html", - "action": "Attack Surface Reduction", - "mitigation": "Try to avoid sending or receiving sensitive data assets which are not required (i.e. neither processed) by the involved technical asset.", - "check": "Are recommendations from the linked cheat sheet and referenced ASVS chapter applied?", - "detection_logic": "In-scope technical assets sending or receiving sensitive data assets which are neither processed nor stored by the technical asset are flagged with this risk. The risk rating (low or medium) depends on the confidentiality, integrity, and availability rating of the technical asset. Monitoring data is exempted from this risk.", - "risk_assessment": "The risk assessment is depending on the confidentiality and integrity rating of the transferred data asset either low or medium.", - "false_positives": "Technical assets missing the model entries of either processing or storing the mentioned data assets can be considered as false positives (incomplete models) after individual review. These should then be addressed by completing the model so that all necessary data assets are processed by the technical asset involved.", - "function": "architecture", - "stride": "elevation-of-privilege", - "model_failure_possible_reason": true, - "cwe": 1008 - }, - "unnecessary-technical-asset": { - "id": "unnecessary-technical-asset", - "title": "Unnecessary Technical Asset", - "description": "When a technical asset does not process any data assets, this is an indicator for an unnecessary technical asset (or for an incomplete model). 
This is also the case if the asset has no communication links (either outgoing or incoming).", - "impact": "If this risk is unmitigated, attackers might be able to target unnecessary technical assets.", - "asvs": "V1 - Architecture, Design and Threat Modeling Requirements", - "cheat_sheet": "https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html", - "action": "Attack Surface Reduction", - "mitigation": "Try to avoid using technical assets that do not process or store anything.", - "check": "Are recommendations from the linked cheat sheet and referenced ASVS chapter applied?", - "detection_logic": "Technical assets not processing or storing any data assets.", - "risk_assessment": "low", - "false_positives": "Usually no false positives as this looks like an incomplete model.", - "function": "architecture", - "stride": "elevation-of-privilege", - "model_failure_possible_reason": true, - "cwe": 1008 - }, - "untrusted-deserialization": { - "id": "untrusted-deserialization", - "title": "Untrusted Deserialization", - "description": "When a technical asset accepts data in a specific serialized form (like Java or .NET serialization), Untrusted Deserialization risks might arise.\u003cbr\u003e\u003cbr\u003eSee \u003ca href=\"https://christian-schneider.net/JavaDeserializationSecurityFAQ.html\"\u003ehttps://christian-schneider.net/JavaDeserializationSecurityFAQ.html\u003c/a\u003e for more details.", - "impact": "If this risk is unmitigated, attackers might be able to execute code on target systems by exploiting untrusted deserialization endpoints.", - "asvs": "V5 - Validation, Sanitization and Encoding Verification Requirements", - "cheat_sheet": "https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html", - "action": "Prevention of Deserialization of Untrusted Data", - "mitigation": "Try to avoid the deserialization of untrusted data (even of data within the same trust-boundary as long as it is sent across a remote 
connection) in order to stay safe from Untrusted Deserialization vulnerabilities. Alternatively a strict whitelisting approach of the classes/types/values to deserialize might help as well. When a third-party product is used instead of custom developed software, check if the product applies the proper mitigation and ensure a reasonable patch-level.", - "check": "Are recommendations from the linked cheat sheet and referenced ASVS chapter applied?", - "detection_logic": "In-scope technical assets accepting serialization data formats (including EJB and RMI protocols).", - "risk_assessment": "The risk rating depends on the sensitivity of the technical asset itself and of the data assets processed.", - "false_positives": "Fully trusted (i.e. cryptographically signed or similar) data deserialized can be considered as false positives after individual review.", - "function": "architecture", - "stride": "tampering", - "cwe": 502 - }, - "wrong-communication-link-content": { - "id": "wrong-communication-link-content", - "title": "Wrong Communication Link Content", - "description": "When a communication link is defined as readonly, but does not receive any data asset, or when it is defined as not readonly, but does not send any data asset, it is likely to be a model failure.", - "impact": "If this potential model error is not fixed, some risks might not be visible.", - "asvs": "V1 - Architecture, Design and Threat Modeling Requirements", - "cheat_sheet": "https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html", - "action": "Model Consistency", - "mitigation": "Try to model the correct readonly flag and/or data sent/received of communication links. 
Also try to use communication link types matching the target technology/machine types.", - "check": "Are recommendations from the linked cheat sheet and referenced ASVS chapter applied?", - "detection_logic": "Communication links with inconsistent data assets being sent/received not matching their readonly flag or otherwise inconsistent protocols not matching the target technology type.", - "risk_assessment": "low", - "false_positives": "Usually no false positives as this looks like an incomplete model.", - "function": "architecture", - "stride": "information-disclosure", - "model_failure_possible_reason": true, - "cwe": 1008 - }, - "wrong-trust-boundary-content": { - "id": "wrong-trust-boundary-content", - "title": "Wrong Trust Boundary Content", - "description": "When a trust boundary of type network-policy-namespace-isolation contains non-container assets it is likely to be a model failure.", - "impact": "If this potential model error is not fixed, some risks might not be visible.", - "asvs": "V1 - Architecture, Design and Threat Modeling Requirements", - "cheat_sheet": "https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html", - "action": "Model Consistency", - "mitigation": "Try to model the correct types of trust boundaries and data assets.", - "check": "Are recommendations from the linked cheat sheet and referenced ASVS chapter applied?", - "detection_logic": "Trust boundaries which should only contain containers, but have different assets inside.", - "risk_assessment": "low", - "false_positives": "Usually no false positives as this looks like an incomplete model.", - "function": "architecture", - "stride": "elevation-of-privilege", - "model_failure_possible_reason": true, - "cwe": 1008 - }, - "xml-external-entity": { - "id": "xml-external-entity", - "title": "XML External Entity (XXE)", - "description": "When a technical asset accepts data in XML format, XML External Entity (XXE) risks might arise.", - "impact": "If this risk is 
unmitigated, attackers might be able to read sensitive files (configuration data, key/credential files, deployment files, business data files, etc.) form the filesystem of affected components and/or access sensitive services or files of other components.", - "asvs": "V14 - Configuration Verification Requirements", - "cheat_sheet": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html", - "action": "XML Parser Hardening", - "mitigation": "Apply hardening of all XML parser instances in order to stay safe from XML External Entity (XXE) vulnerabilities. When a third-party product is used instead of custom developed software, check if the product applies the proper mitigation and ensure a reasonable patch-level.", - "check": "Are recommendations from the linked cheat sheet and referenced ASVS chapter applied?", - "detection_logic": "In-scope technical assets accepting XML data formats.", - "risk_assessment": "The risk rating depends on the sensitivity of the technical asset itself and of the data assets processed. Also for cloud-based environments the exploitation impact is at least medium, as cloud backend services can be attacked via SSRF (and XXE vulnerabilities are often also SSRF vulnerabilities).", - "false_positives": "Fully trusted (i.e. 
cryptographically signed or similar) XML data can be considered as false positives after individual review.", - "function": "development", - "stride": "information-disclosure", - "cwe": 611 - } - }, - "risk_tracking": { - "dos-risky-access-across-trust-boundary@*@*@*": { - "synthetic_risk_id": "dos-risky-access-across-trust-boundary@*@*@*", - "justification": "The hardening measures are being implemented and checked", - "ticket": "XYZ-1234", - "checked_by": "John Doe", - "status": "in-progress", - "date": "2020-01-04" - }, - "dos-risky-access-across-trust-boundary@apache-webserver@customer-client@customer-client\u003ecustomer-traffic": { - "synthetic_risk_id": "dos-risky-access-across-trust-boundary@apache-webserver@customer-client@customer-client\u003ecustomer-traffic", - "justification": "The hardening measures are being implemented and checked", - "ticket": "XYZ-1234", - "checked_by": "John Doe", - "status": "in-progress", - "date": "2020-01-04" - }, - "dos-risky-access-across-trust-boundary@erp-system@apache-webserver@apache-webserver\u003eerp-system-traffic": { - "synthetic_risk_id": "dos-risky-access-across-trust-boundary@erp-system@apache-webserver@apache-webserver\u003eerp-system-traffic", - "justification": "The hardening measures are being implemented and checked", - "ticket": "XYZ-1234", - "checked_by": "John Doe", - "status": "in-progress", - "date": "2020-01-04" - }, - "dos-risky-access-across-trust-boundary@erp-system@backoffice-client@backoffice-client\u003eerp-internal-access": { - "synthetic_risk_id": "dos-risky-access-across-trust-boundary@erp-system@backoffice-client@backoffice-client\u003eerp-internal-access", - "justification": "The hardening measures are being implemented and checked", - "ticket": "XYZ-1234", - "checked_by": "John Doe", - "status": "in-progress", - "date": "2020-01-04" - }, - "dos-risky-access-across-trust-boundary@identity-provider@apache-webserver@apache-webserver\u003eauth-credential-check-traffic": { - "synthetic_risk_id": 
"dos-risky-access-across-trust-boundary@identity-provider@apache-webserver@apache-webserver\u003eauth-credential-check-traffic", - "justification": "The hardening measures are being implemented and checked", - "ticket": "XYZ-1234", - "checked_by": "John Doe", - "status": "in-progress", - "date": "2020-01-04" - }, - "dos-risky-access-across-trust-boundary@ldap-auth-server@marketing-cms@marketing-cms\u003eauth-traffic": { - "synthetic_risk_id": "dos-risky-access-across-trust-boundary@ldap-auth-server@marketing-cms@marketing-cms\u003eauth-traffic", - "justification": "The hardening measures are being implemented and checked", - "ticket": "XYZ-1234", - "checked_by": "John Doe", - "status": "in-progress", - "date": "2020-01-04" - }, - "dos-risky-access-across-trust-boundary@marketing-cms@backoffice-client@backoffice-client\u003emarketing-cms-editing": { - "synthetic_risk_id": "dos-risky-access-across-trust-boundary@marketing-cms@backoffice-client@backoffice-client\u003emarketing-cms-editing", - "justification": "The hardening measures are being implemented and checked", - "ticket": "XYZ-1234", - "checked_by": "John Doe", - "status": "in-progress", - "date": "2020-01-04" - }, - "dos-risky-access-across-trust-boundary@marketing-cms@customer-client@customer-client\u003ecustomer-traffic": { - "synthetic_risk_id": "dos-risky-access-across-trust-boundary@marketing-cms@customer-client@customer-client\u003ecustomer-traffic", - "justification": "The hardening measures are being implemented and checked", - "ticket": "XYZ-1234", - "checked_by": "John Doe", - "status": "in-progress", - "date": "2020-01-04" - }, - "ldap-injection@*@ldap-auth-server@*": { - "synthetic_risk_id": "ldap-injection@*@ldap-auth-server@*", - "justification": "The hardening measures were implemented and checked", - "ticket": "XYZ-5678", - "checked_by": "John Doe", - "status": "mitigated", - "date": "2020-01-05" - }, - 
"ldap-injection@identity-provider@ldap-auth-server@identity-provider\u003eldap-credential-check-traffic": { - "synthetic_risk_id": "ldap-injection@identity-provider@ldap-auth-server@identity-provider\u003eldap-credential-check-traffic", - "justification": "The hardening measures were implemented and checked", - "ticket": "XYZ-5678", - "checked_by": "John Doe", - "status": "mitigated", - "date": "2020-01-05" - }, - "ldap-injection@marketing-cms@ldap-auth-server@marketing-cms\u003eauth-traffic": { - "synthetic_risk_id": "ldap-injection@marketing-cms@ldap-auth-server@marketing-cms\u003eauth-traffic", - "justification": "The hardening measures were implemented and checked", - "ticket": "XYZ-5678", - "checked_by": "John Doe", - "status": "mitigated", - "date": "2020-01-05" - }, - "missing-authentication-second-factor@*@*@*": { - "synthetic_risk_id": "missing-authentication-second-factor@*@*@*", - "justification": "The hardening measures were implemented and checked", - "ticket": "XYZ-1234", - "checked_by": "John Doe", - "status": "mitigated", - "date": "2020-01-04" - }, - "missing-hardening@*": { - "synthetic_risk_id": "missing-hardening@*", - "justification": "The hardening measures were implemented and checked", - "ticket": "XYZ-1234", - "checked_by": "John Doe", - "status": "mitigated", - "date": "2020-01-04" - }, - "missing-hardening@apache-webserver": { - "synthetic_risk_id": "missing-hardening@apache-webserver", - "justification": "The hardening measures were implemented and checked", - "ticket": "XYZ-1234", - "checked_by": "John Doe", - "status": "mitigated", - "date": "2020-01-04" - }, - "missing-hardening@erp-system": { - "synthetic_risk_id": "missing-hardening@erp-system", - "justification": "The hardening measures were implemented and checked", - "ticket": "XYZ-1234", - "checked_by": "John Doe", - "status": "mitigated", - "date": "2020-01-04" - }, - "missing-hardening@identity-provider": { - "synthetic_risk_id": "missing-hardening@identity-provider", - 
"justification": "The hardening measures were implemented and checked", - "ticket": "XYZ-1234", - "checked_by": "John Doe", - "status": "mitigated", - "date": "2020-01-04" - }, - "missing-hardening@jenkins-build-server": { - "synthetic_risk_id": "missing-hardening@jenkins-build-server", - "justification": "The hardening measures were implemented and checked", - "ticket": "XYZ-1234", - "checked_by": "John Doe", - "status": "mitigated", - "date": "2020-01-04" - }, - "missing-hardening@ldap-auth-server": { - "synthetic_risk_id": "missing-hardening@ldap-auth-server", - "justification": "The hardening measures were implemented and checked", - "ticket": "XYZ-1234", - "checked_by": "John Doe", - "status": "mitigated", - "date": "2020-01-04" - }, - "missing-hardening@sql-database": { - "synthetic_risk_id": "missing-hardening@sql-database", - "justification": "The hardening measures were implemented and checked", - "ticket": "XYZ-1234", - "checked_by": "John Doe", - "status": "mitigated", - "date": "2020-01-04" - }, - "unencrypted-asset@*": { - "synthetic_risk_id": "unencrypted-asset@*", - "justification": "The hardening measures were implemented and checked", - "ticket": "XYZ-1234", - "checked_by": "John Doe", - "status": "mitigated", - "date": "2020-01-04" - }, - "unencrypted-asset@apache-webserver": { - "synthetic_risk_id": "unencrypted-asset@apache-webserver", - "justification": "The hardening measures were implemented and checked", - "ticket": "XYZ-1234", - "checked_by": "John Doe", - "status": "mitigated", - "date": "2020-01-04" - }, - "unencrypted-asset@contract-file-server": { - "synthetic_risk_id": "unencrypted-asset@contract-file-server", - "justification": "The hardening measures were implemented and checked", - "ticket": "XYZ-1234", - "checked_by": "John Doe", - "status": "mitigated", - "date": "2020-01-04" - }, - "unencrypted-asset@erp-system": { - "synthetic_risk_id": "unencrypted-asset@erp-system", - "justification": "The hardening measures were implemented 
and checked", - "ticket": "XYZ-1234", - "checked_by": "John Doe", - "status": "mitigated", - "date": "2020-01-04" - }, - "unencrypted-asset@git-repo": { - "synthetic_risk_id": "unencrypted-asset@git-repo", - "justification": "The hardening measures were implemented and checked", - "ticket": "XYZ-1234", - "checked_by": "John Doe", - "status": "mitigated", - "date": "2020-01-04" - }, - "unencrypted-asset@identity-provider": { - "synthetic_risk_id": "unencrypted-asset@identity-provider", - "justification": "The hardening measures were implemented and checked", - "ticket": "XYZ-1234", - "checked_by": "John Doe", - "status": "mitigated", - "date": "2020-01-04" - }, - "unencrypted-asset@jenkins-build-server": { - "synthetic_risk_id": "unencrypted-asset@jenkins-build-server", - "justification": "The hardening measures were implemented and checked", - "ticket": "XYZ-1234", - "checked_by": "John Doe", - "status": "mitigated", - "date": "2020-01-04" - }, - "unencrypted-asset@marketing-cms": { - "synthetic_risk_id": "unencrypted-asset@marketing-cms", - "justification": "The hardening measures were implemented and checked", - "ticket": "XYZ-1234", - "checked_by": "John Doe", - "status": "mitigated", - "date": "2020-01-04" - }, - "unencrypted-asset@sql-database": { - "synthetic_risk_id": "unencrypted-asset@sql-database", - "justification": "The hardening measures were implemented and checked", - "ticket": "XYZ-1234", - "checked_by": "John Doe", - "status": "mitigated", - "date": "2020-01-04" - }, - "untrusted-deserialization@erp-system": { - "synthetic_risk_id": "untrusted-deserialization@erp-system", - "justification": "Risk accepted as tolerable", - "ticket": "XYZ-1234", - "checked_by": "John Doe", - "status": "accepted", - "date": "2020-01-04" - } - }, - "communication_links": { - "apache-webserver\u003eauth-credential-check-traffic": { - "id": "apache-webserver\u003eauth-credential-check-traffic", - "source_id": "apache-webserver", - "target_id": "identity-provider", - 
"title": "Auth Credential Check Traffic", - "description": "Link to the identity provider server", - "protocol": "https", - "authentication": "credentials", - "authorization": "technical-user", - "data_assets_sent": [ - "customer-accounts" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - }, - "apache-webserver\u003eerp-system-traffic": { - "id": "apache-webserver\u003eerp-system-traffic", - "source_id": "apache-webserver", - "target_id": "erp-system", - "title": "ERP System Traffic", - "description": "Link to the ERP system", - "protocol": "https", - "authentication": "token", - "authorization": "technical-user", - "data_assets_sent": [ - "customer-accounts", - "customer-operational-data", - "internal-business-data" - ], - "data_assets_received": [ - "customer-accounts", - "customer-operational-data", - "customer-contracts", - "internal-business-data" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - }, - "backend-admin-client\u003edb-update-access": { - "id": "backend-admin-client\u003edb-update-access", - "source_id": "backend-admin-client", - "target_id": "sql-database", - "title": "DB Update Access", - "description": "Link to the database (JDBC tunneled via SSH)", - "protocol": "ssh", - "authentication": "client-certificate", - "authorization": "technical-user", - "usage": "devops", - "data_assets_sent": [ - "db-dumps" - ], - "data_assets_received": [ - "db-dumps", - "erp-logs", - "customer-accounts", - "customer-operational-data" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - }, - "backend-admin-client\u003eerp-web-access": { - "id": "backend-admin-client\u003eerp-web-access", - "source_id": "backend-admin-client", - "target_id": "erp-system", - "title": "ERP Web Access", - "description": "Link to the ERP system (Web)", - "protocol": "https", - "authentication": "token", - "authorization": "technical-user", - "usage": "devops", - "data_assets_sent": [ - "erp-customizing" - ], - 
"data_assets_received": [ - "erp-logs" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - }, - "backend-admin-client\u003euser-management-access": { - "id": "backend-admin-client\u003euser-management-access", - "source_id": "backend-admin-client", - "target_id": "ldap-auth-server", - "title": "User Management Access", - "description": "Link to the LDAP auth server for managing users", - "protocol": "ldaps", - "authentication": "credentials", - "authorization": "technical-user", - "usage": "devops", - "data_assets_sent": [ - "customer-accounts" - ], - "data_assets_received": [ - "customer-accounts" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - }, - "backoffice-client\u003eerp-internal-access": { - "id": "backoffice-client\u003eerp-internal-access", - "source_id": "backoffice-client", - "target_id": "erp-system", - "title": "ERP Internal Access", - "description": "Link to the ERP system", - "protocol": "https", - "tags": [ - "some-erp" - ], - "vpn": true, - "authentication": "token", - "authorization": "end-user-identity-propagation", - "data_assets_sent": [ - "internal-business-data" - ], - "data_assets_received": [ - "customer-contracts", - "internal-business-data" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - }, - "backoffice-client\u003emarketing-cms-editing": { - "id": "backoffice-client\u003emarketing-cms-editing", - "source_id": "backoffice-client", - "target_id": "marketing-cms", - "title": "Marketing CMS Editing", - "description": "Link to the CMS for editing content", - "protocol": "https", - "vpn": true, - "authentication": "token", - "authorization": "end-user-identity-propagation", - "data_assets_sent": [ - "marketing-material" - ], - "data_assets_received": [ - "marketing-material" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - }, - "customer-client\u003ecustomer-traffic": { - "id": "customer-client\u003ecustomer-traffic", - "source_id": "customer-client", - 
"target_id": "load-balancer", - "title": "Customer Traffic", - "description": "Link to the load balancer", - "protocol": "https", - "authentication": "session-id", - "authorization": "end-user-identity-propagation", - "data_assets_sent": [ - "customer-accounts", - "customer-operational-data" - ], - "data_assets_received": [ - "customer-accounts", - "customer-operational-data", - "customer-contracts", - "client-application-code", - "marketing-material" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - }, - "erp-system\u003edatabase-traffic": { - "id": "erp-system\u003edatabase-traffic", - "source_id": "erp-system", - "target_id": "sql-database", - "title": "Database Traffic", - "description": "Link to the DB system", - "protocol": "jdbc", - "authentication": "credentials", - "authorization": "technical-user", - "data_assets_sent": [ - "customer-accounts", - "customer-operational-data", - "internal-business-data" - ], - "data_assets_received": [ - "customer-accounts", - "customer-operational-data", - "internal-business-data" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - }, - "erp-system\u003enfs-filesystem-access": { - "id": "erp-system\u003enfs-filesystem-access", - "source_id": "erp-system", - "target_id": "contract-file-server", - "title": "NFS Filesystem Access", - "description": "Link to the file system", - "protocol": "nfs", - "data_assets_sent": [ - "customer-contracts" - ], - "data_assets_received": [ - "customer-contracts" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - }, - "external-dev-client\u003egit-repo-code-write-access": { - "id": "external-dev-client\u003egit-repo-code-write-access", - "source_id": "external-dev-client", - "target_id": "git-repo", - "title": "Git-Repo Code Write Access", - "description": "Link to the Git repo", - "protocol": "ssh", - "authentication": "client-certificate", - "authorization": "technical-user", - "usage": "devops", - "data_assets_sent": [ - 
"client-application-code", - "server-application-code" - ], - "data_assets_received": [ - "client-application-code", - "server-application-code" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - }, - "external-dev-client\u003egit-repo-web-ui-access": { - "id": "external-dev-client\u003egit-repo-web-ui-access", - "source_id": "external-dev-client", - "target_id": "git-repo", - "title": "Git-Repo Web-UI Access", - "description": "Link to the Git repo", - "protocol": "https", - "authentication": "token", - "authorization": "technical-user", - "usage": "devops", - "data_assets_sent": [ - "client-application-code", - "server-application-code" - ], - "data_assets_received": [ - "client-application-code", - "server-application-code" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - }, - "external-dev-client\u003ejenkins-web-ui-access": { - "id": "external-dev-client\u003ejenkins-web-ui-access", - "source_id": "external-dev-client", - "target_id": "jenkins-build-server", - "title": "Jenkins Web-UI Access", - "description": "Link to the Jenkins build server", - "protocol": "https", - "authentication": "credentials", - "authorization": "technical-user", - "usage": "devops", - "data_assets_sent": [ - "build-job-config" - ], - "data_assets_received": [ - "build-job-config" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - }, - "identity-provider\u003eldap-credential-check-traffic": { - "id": "identity-provider\u003eldap-credential-check-traffic", - "source_id": "identity-provider", - "target_id": "ldap-auth-server", - "title": "LDAP Credential Check Traffic", - "description": "Link to the LDAP server", - "protocol": "ldaps", - "authentication": "credentials", - "authorization": "technical-user", - "data_assets_sent": [ - "customer-accounts" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - }, - "jenkins-build-server\u003eapplication-deployment": { - "id": 
"jenkins-build-server\u003eapplication-deployment", - "source_id": "jenkins-build-server", - "target_id": "apache-webserver", - "title": "Application Deployment", - "description": "Link to the Apache webserver", - "protocol": "ssh", - "authentication": "client-certificate", - "authorization": "technical-user", - "usage": "devops", - "data_assets_sent": [ - "client-application-code", - "server-application-code" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - }, - "jenkins-build-server\u003ecms-updates": { - "id": "jenkins-build-server\u003ecms-updates", - "source_id": "jenkins-build-server", - "target_id": "marketing-cms", - "title": "CMS Updates", - "description": "Link to the CMS", - "protocol": "ssh", - "authentication": "client-certificate", - "authorization": "technical-user", - "usage": "devops", - "data_assets_sent": [ - "marketing-material" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - }, - "jenkins-build-server\u003egit-repo-code-read-access": { - "id": "jenkins-build-server\u003egit-repo-code-read-access", - "source_id": "jenkins-build-server", - "target_id": "git-repo", - "title": "Git Repo Code Read Access", - "description": "Link to the Git repository server", - "protocol": "ssh", - "readonly": true, - "authentication": "client-certificate", - "authorization": "technical-user", - "usage": "devops", - "data_assets_received": [ - "client-application-code", - "server-application-code" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - }, - "load-balancer\u003ecms-content-traffic": { - "id": "load-balancer\u003ecms-content-traffic", - "source_id": "load-balancer", - "target_id": "marketing-cms", - "title": "CMS Content Traffic", - "description": "Link to the CMS server", - "protocol": "http", - "readonly": true, - "data_assets_received": [ - "marketing-material" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - }, - "load-balancer\u003eweb-application-traffic": { - 
"id": "load-balancer\u003eweb-application-traffic", - "source_id": "load-balancer", - "target_id": "apache-webserver", - "title": "Web Application Traffic", - "description": "Link to the web server", - "protocol": "http", - "authentication": "session-id", - "authorization": "end-user-identity-propagation", - "data_assets_sent": [ - "customer-accounts", - "customer-operational-data" - ], - "data_assets_received": [ - "customer-accounts", - "customer-operational-data", - "customer-contracts", - "client-application-code" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - }, - "marketing-cms\u003eauth-traffic": { - "id": "marketing-cms\u003eauth-traffic", - "source_id": "marketing-cms", - "target_id": "ldap-auth-server", - "title": "Auth Traffic", - "description": "Link to the LDAP auth server", - "protocol": "ldap", - "readonly": true, - "authentication": "credentials", - "authorization": "technical-user", - "data_assets_sent": [ - "customer-accounts" - ], - "data_assets_received": [ - "customer-accounts" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - } - }, - "all_supported_tags": { - "aws": true, - "aws:apigateway": true, - "aws:dynamodb": true, - "aws:ebs": true, - "aws:ec2": true, - "aws:iam": true, - "aws:lambda": true, - "aws:rds": true, - "aws:s3": true, - "aws:sqs": true, - "aws:vpc": true, - "azure": true, - "docker": true, - "gcp": true, - "git": true, - "kubernetes": true, - "nexus": true, - "ocp": true, - "openshift": true, - "tomcat": true - }, - "diagram_tweak_nodesep": 2, - "diagram_tweak_ranksep": 2, - "incoming_technical_communication_links_mapped_by_target_id": { - "apache-webserver": [ - { - "id": "load-balancer\u003eweb-application-traffic", - "source_id": "load-balancer", - "target_id": "apache-webserver", - "title": "Web Application Traffic", - "description": "Link to the web server", - "protocol": "http", - "authentication": "session-id", - "authorization": "end-user-identity-propagation", - 
"data_assets_sent": [ - "customer-accounts", - "customer-operational-data" - ], - "data_assets_received": [ - "customer-accounts", - "customer-operational-data", - "customer-contracts", - "client-application-code" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - }, - { - "id": "jenkins-build-server\u003eapplication-deployment", - "source_id": "jenkins-build-server", - "target_id": "apache-webserver", - "title": "Application Deployment", - "description": "Link to the Apache webserver", - "protocol": "ssh", - "authentication": "client-certificate", - "authorization": "technical-user", - "usage": "devops", - "data_assets_sent": [ - "client-application-code", - "server-application-code" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - } - ], - "contract-file-server": [ - { - "id": "erp-system\u003enfs-filesystem-access", - "source_id": "erp-system", - "target_id": "contract-file-server", - "title": "NFS Filesystem Access", - "description": "Link to the file system", - "protocol": "nfs", - "data_assets_sent": [ - "customer-contracts" - ], - "data_assets_received": [ - "customer-contracts" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - } - ], - "erp-system": [ - { - "id": "backoffice-client\u003eerp-internal-access", - "source_id": "backoffice-client", - "target_id": "erp-system", - "title": "ERP Internal Access", - "description": "Link to the ERP system", - "protocol": "https", - "tags": [ - "some-erp" - ], - "vpn": true, - "authentication": "token", - "authorization": "end-user-identity-propagation", - "data_assets_sent": [ - "internal-business-data" - ], - "data_assets_received": [ - "customer-contracts", - "internal-business-data" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - }, - { - "id": "backend-admin-client\u003eerp-web-access", - "source_id": "backend-admin-client", - "target_id": "erp-system", - "title": "ERP Web Access", - "description": "Link to the ERP system 
(Web)", - "protocol": "https", - "authentication": "token", - "authorization": "technical-user", - "usage": "devops", - "data_assets_sent": [ - "erp-customizing" - ], - "data_assets_received": [ - "erp-logs" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - }, - { - "id": "apache-webserver\u003eerp-system-traffic", - "source_id": "apache-webserver", - "target_id": "erp-system", - "title": "ERP System Traffic", - "description": "Link to the ERP system", - "protocol": "https", - "authentication": "token", - "authorization": "technical-user", - "data_assets_sent": [ - "customer-accounts", - "customer-operational-data", - "internal-business-data" - ], - "data_assets_received": [ - "customer-accounts", - "customer-operational-data", - "customer-contracts", - "internal-business-data" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - } - ], - "git-repo": [ - { - "id": "jenkins-build-server\u003egit-repo-code-read-access", - "source_id": "jenkins-build-server", - "target_id": "git-repo", - "title": "Git Repo Code Read Access", - "description": "Link to the Git repository server", - "protocol": "ssh", - "readonly": true, - "authentication": "client-certificate", - "authorization": "technical-user", - "usage": "devops", - "data_assets_received": [ - "client-application-code", - "server-application-code" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - }, - { - "id": "external-dev-client\u003egit-repo-web-ui-access", - "source_id": "external-dev-client", - "target_id": "git-repo", - "title": "Git-Repo Web-UI Access", - "description": "Link to the Git repo", - "protocol": "https", - "authentication": "token", - "authorization": "technical-user", - "usage": "devops", - "data_assets_sent": [ - "client-application-code", - "server-application-code" - ], - "data_assets_received": [ - "client-application-code", - "server-application-code" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - }, - { - 
"id": "external-dev-client\u003egit-repo-code-write-access", - "source_id": "external-dev-client", - "target_id": "git-repo", - "title": "Git-Repo Code Write Access", - "description": "Link to the Git repo", - "protocol": "ssh", - "authentication": "client-certificate", - "authorization": "technical-user", - "usage": "devops", - "data_assets_sent": [ - "client-application-code", - "server-application-code" - ], - "data_assets_received": [ - "client-application-code", - "server-application-code" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - } - ], - "identity-provider": [ - { - "id": "apache-webserver\u003eauth-credential-check-traffic", - "source_id": "apache-webserver", - "target_id": "identity-provider", - "title": "Auth Credential Check Traffic", - "description": "Link to the identity provider server", - "protocol": "https", - "authentication": "credentials", - "authorization": "technical-user", - "data_assets_sent": [ - "customer-accounts" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - } - ], - "jenkins-build-server": [ - { - "id": "external-dev-client\u003ejenkins-web-ui-access", - "source_id": "external-dev-client", - "target_id": "jenkins-build-server", - "title": "Jenkins Web-UI Access", - "description": "Link to the Jenkins build server", - "protocol": "https", - "authentication": "credentials", - "authorization": "technical-user", - "usage": "devops", - "data_assets_sent": [ - "build-job-config" - ], - "data_assets_received": [ - "build-job-config" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - } - ], - "ldap-auth-server": [ - { - "id": "marketing-cms\u003eauth-traffic", - "source_id": "marketing-cms", - "target_id": "ldap-auth-server", - "title": "Auth Traffic", - "description": "Link to the LDAP auth server", - "protocol": "ldap", - "readonly": true, - "authentication": "credentials", - "authorization": "technical-user", - "data_assets_sent": [ - "customer-accounts" - ], - 
"data_assets_received": [ - "customer-accounts" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - }, - { - "id": "identity-provider\u003eldap-credential-check-traffic", - "source_id": "identity-provider", - "target_id": "ldap-auth-server", - "title": "LDAP Credential Check Traffic", - "description": "Link to the LDAP server", - "protocol": "ldaps", - "authentication": "credentials", - "authorization": "technical-user", - "data_assets_sent": [ - "customer-accounts" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - }, - { - "id": "backend-admin-client\u003euser-management-access", - "source_id": "backend-admin-client", - "target_id": "ldap-auth-server", - "title": "User Management Access", - "description": "Link to the LDAP auth server for managing users", - "protocol": "ldaps", - "authentication": "credentials", - "authorization": "technical-user", - "usage": "devops", - "data_assets_sent": [ - "customer-accounts" - ], - "data_assets_received": [ - "customer-accounts" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - } - ], - "load-balancer": [ - { - "id": "customer-client\u003ecustomer-traffic", - "source_id": "customer-client", - "target_id": "load-balancer", - "title": "Customer Traffic", - "description": "Link to the load balancer", - "protocol": "https", - "authentication": "session-id", - "authorization": "end-user-identity-propagation", - "data_assets_sent": [ - "customer-accounts", - "customer-operational-data" - ], - "data_assets_received": [ - "customer-accounts", - "customer-operational-data", - "customer-contracts", - "client-application-code", - "marketing-material" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - } - ], - "marketing-cms": [ - { - "id": "load-balancer\u003ecms-content-traffic", - "source_id": "load-balancer", - "target_id": "marketing-cms", - "title": "CMS Content Traffic", - "description": "Link to the CMS server", - "protocol": "http", - "readonly": 
true, - "data_assets_received": [ - "marketing-material" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - }, - { - "id": "jenkins-build-server\u003ecms-updates", - "source_id": "jenkins-build-server", - "target_id": "marketing-cms", - "title": "CMS Updates", - "description": "Link to the CMS", - "protocol": "ssh", - "authentication": "client-certificate", - "authorization": "technical-user", - "usage": "devops", - "data_assets_sent": [ - "marketing-material" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - }, - { - "id": "backoffice-client\u003emarketing-cms-editing", - "source_id": "backoffice-client", - "target_id": "marketing-cms", - "title": "Marketing CMS Editing", - "description": "Link to the CMS for editing content", - "protocol": "https", - "vpn": true, - "authentication": "token", - "authorization": "end-user-identity-propagation", - "data_assets_sent": [ - "marketing-material" - ], - "data_assets_received": [ - "marketing-material" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - } - ], - "sql-database": [ - { - "id": "erp-system\u003edatabase-traffic", - "source_id": "erp-system", - "target_id": "sql-database", - "title": "Database Traffic", - "description": "Link to the DB system", - "protocol": "jdbc", - "authentication": "credentials", - "authorization": "technical-user", - "data_assets_sent": [ - "customer-accounts", - "customer-operational-data", - "internal-business-data" - ], - "data_assets_received": [ - "customer-accounts", - "customer-operational-data", - "internal-business-data" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - }, - { - "id": "backend-admin-client\u003edb-update-access", - "source_id": "backend-admin-client", - "target_id": "sql-database", - "title": "DB Update Access", - "description": "Link to the database (JDBC tunneled via SSH)", - "protocol": "ssh", - "authentication": "client-certificate", - "authorization": "technical-user", - 
"usage": "devops", - "data_assets_sent": [ - "db-dumps" - ], - "data_assets_received": [ - "db-dumps", - "erp-logs", - "customer-accounts", - "customer-operational-data" - ], - "diagram_tweak_weight": 1, - "diagram_tweak_constraint": true - } - ] - }, - "direct_containing_trust_boundary_mapped_by_technical_asset_id": { - "apache-webserver": { - "id": "web-dmz", - "title": "Web DMZ", - "description": "Web DMZ", - "type": "network-cloud-security-group", - "technical_assets_inside": [ - "apache-webserver", - "marketing-cms" - ] - }, - "backend-admin-client": { - "id": "dev-network", - "title": "Dev Network", - "description": "Development Network", - "technical_assets_inside": [ - "jenkins-build-server", - "git-repo", - "backend-admin-client", - "backoffice-client" - ] - }, - "backoffice-client": { - "id": "dev-network", - "title": "Dev Network", - "description": "Development Network", - "technical_assets_inside": [ - "jenkins-build-server", - "git-repo", - "backend-admin-client", - "backoffice-client" - ] - }, - "contract-file-server": { - "id": "erp-dmz", - "title": "ERP DMZ", - "description": "ERP DMZ", - "type": "network-cloud-security-group", - "tags": [ - "some-erp" - ], - "technical_assets_inside": [ - "erp-system", - "contract-file-server", - "sql-database" - ] - }, - "erp-system": { - "id": "erp-dmz", - "title": "ERP DMZ", - "description": "ERP DMZ", - "type": "network-cloud-security-group", - "tags": [ - "some-erp" - ], - "technical_assets_inside": [ - "erp-system", - "contract-file-server", - "sql-database" - ] - }, - "git-repo": { - "id": "dev-network", - "title": "Dev Network", - "description": "Development Network", - "technical_assets_inside": [ - "jenkins-build-server", - "git-repo", - "backend-admin-client", - "backoffice-client" - ] - }, - "identity-provider": { - "id": "auth-env", - "title": "Auth Handling Environment", - "description": "Auth Handling Environment", - "type": "execution-environment", - "technical_assets_inside": [ - 
"identity-provider", - "ldap-auth-server" - ] - }, - "jenkins-build-server": { - "id": "dev-network", - "title": "Dev Network", - "description": "Development Network", - "technical_assets_inside": [ - "jenkins-build-server", - "git-repo", - "backend-admin-client", - "backoffice-client" - ] - }, - "ldap-auth-server": { - "id": "auth-env", - "title": "Auth Handling Environment", - "description": "Auth Handling Environment", - "type": "execution-environment", - "technical_assets_inside": [ - "identity-provider", - "ldap-auth-server" - ] - }, - "load-balancer": { - "id": "application-network", - "title": "Application Network", - "description": "Application Network", - "type": "network-cloud-provider", - "tags": [ - "aws" - ], - "technical_assets_inside": [ - "load-balancer" - ], - "trust_boundaries_nested": [ - "web-dmz", - "erp-dmz", - "auth-env" - ] - }, - "marketing-cms": { - "id": "web-dmz", - "title": "Web DMZ", - "description": "Web DMZ", - "type": "network-cloud-security-group", - "technical_assets_inside": [ - "apache-webserver", - "marketing-cms" - ] - }, - "sql-database": { - "id": "erp-dmz", - "title": "ERP DMZ", - "description": "ERP DMZ", - "type": "network-cloud-security-group", - "tags": [ - "some-erp" - ], - "technical_assets_inside": [ - "erp-system", - "contract-file-server", - "sql-database" - ] - } - }, - "generated_risks_by_category": { - "accidental-secret-leak": [ - { - "category": "accidental-secret-leak", - "severity": "medium", - "exploitation_impact": "high", - "title": "\u003cb\u003eAccidental Secret Leak (Git)\u003c/b\u003e risk at \u003cb\u003eGit Repository\u003c/b\u003e: \u003cu\u003eGit Leak Prevention\u003c/u\u003e", - "synthetic_id": "accidental-secret-leak@git-repo", - "most_relevant_technical_asset": "git-repo", - "data_breach_probability": "probable", - "data_breach_technical_assets": [ - "git-repo" - ] - } - ], - "code-backdooring": [ - { - "category": "code-backdooring", - "severity": "medium", - "exploitation_impact": "high", - 
"title": "\u003cb\u003eCode Backdooring\u003c/b\u003e risk at \u003cb\u003eGit Repository\u003c/b\u003e", - "synthetic_id": "code-backdooring@git-repo", - "most_relevant_technical_asset": "git-repo", - "data_breach_probability": "probable", - "data_breach_technical_assets": [ - "git-repo" - ] - }, - { - "category": "code-backdooring", - "severity": "medium", - "exploitation_impact": "high", - "title": "\u003cb\u003eCode Backdooring\u003c/b\u003e risk at \u003cb\u003eJenkins Buildserver\u003c/b\u003e", - "synthetic_id": "code-backdooring@jenkins-build-server", - "most_relevant_technical_asset": "jenkins-build-server", - "data_breach_probability": "probable", - "data_breach_technical_assets": [ - "marketing-cms", - "jenkins-build-server", - "apache-webserver" - ] - } - ], - "container-baseimage-backdooring": [ - { - "category": "container-baseimage-backdooring", - "severity": "medium", - "exploitation_impact": "high", - "title": "\u003cb\u003eContainer Base Image Backdooring\u003c/b\u003e risk at \u003cb\u003eApache Webserver\u003c/b\u003e", - "synthetic_id": "container-baseimage-backdooring@apache-webserver", - "most_relevant_technical_asset": "apache-webserver", - "data_breach_probability": "probable", - "data_breach_technical_assets": [ - "apache-webserver" - ] - }, - { - "category": "container-baseimage-backdooring", - "severity": "medium", - "exploitation_impact": "high", - "title": "\u003cb\u003eContainer Base Image Backdooring\u003c/b\u003e risk at \u003cb\u003eMarketing CMS\u003c/b\u003e", - "synthetic_id": "container-baseimage-backdooring@marketing-cms", - "most_relevant_technical_asset": "marketing-cms", - "data_breach_probability": "probable", - "data_breach_technical_assets": [ - "marketing-cms" - ] - } - ], - "cross-site-request-forgery": [ - { - "category": "cross-site-request-forgery", - "severity": "medium", - "exploitation_likelihood": "very-likely", - "title": "\u003cb\u003eCross-Site Request Forgery (CSRF)\u003c/b\u003e risk at \u003cb\u003eApache 
Webserver\u003c/b\u003e via \u003cb\u003eWeb Application Traffic\u003c/b\u003e from \u003cb\u003eLoad Balancer\u003c/b\u003e", - "synthetic_id": "cross-site-request-forgery@apache-webserver@load-balancer\u003eweb-application-traffic", - "most_relevant_technical_asset": "apache-webserver", - "most_relevant_communication_link": "load-balancer\u003eweb-application-traffic", - "data_breach_technical_assets": [ - "apache-webserver" - ] - }, - { - "category": "cross-site-request-forgery", - "severity": "medium", - "exploitation_likelihood": "very-likely", - "title": "\u003cb\u003eCross-Site Request Forgery (CSRF)\u003c/b\u003e risk at \u003cb\u003eBackoffice ERP System\u003c/b\u003e via \u003cb\u003eERP Internal Access\u003c/b\u003e from \u003cb\u003eBackoffice Client\u003c/b\u003e", - "synthetic_id": "cross-site-request-forgery@erp-system@backoffice-client\u003eerp-internal-access", - "most_relevant_technical_asset": "erp-system", - "most_relevant_communication_link": "backoffice-client\u003eerp-internal-access", - "data_breach_technical_assets": [ - "erp-system" - ] - }, - { - "category": "cross-site-request-forgery", - "severity": "medium", - "exploitation_likelihood": "very-likely", - "title": "\u003cb\u003eCross-Site Request Forgery (CSRF)\u003c/b\u003e risk at \u003cb\u003eBackoffice ERP System\u003c/b\u003e via \u003cb\u003eERP System Traffic\u003c/b\u003e from \u003cb\u003eApache Webserver\u003c/b\u003e", - "synthetic_id": "cross-site-request-forgery@erp-system@apache-webserver\u003eerp-system-traffic", - "most_relevant_technical_asset": "erp-system", - "most_relevant_communication_link": "apache-webserver\u003eerp-system-traffic", - "data_breach_technical_assets": [ - "erp-system" - ] - }, - { - "category": "cross-site-request-forgery", - "severity": "medium", - "exploitation_likelihood": "very-likely", - "title": "\u003cb\u003eCross-Site Request Forgery (CSRF)\u003c/b\u003e risk at \u003cb\u003eIdentity Provider\u003c/b\u003e via \u003cb\u003eAuth Credential 
Check Traffic\u003c/b\u003e from \u003cb\u003eApache Webserver\u003c/b\u003e", - "synthetic_id": "cross-site-request-forgery@identity-provider@apache-webserver\u003eauth-credential-check-traffic", - "most_relevant_technical_asset": "identity-provider", - "most_relevant_communication_link": "apache-webserver\u003eauth-credential-check-traffic", - "data_breach_technical_assets": [ - "identity-provider" - ] - }, - { - "category": "cross-site-request-forgery", - "severity": "medium", - "exploitation_likelihood": "very-likely", - "title": "\u003cb\u003eCross-Site Request Forgery (CSRF)\u003c/b\u003e risk at \u003cb\u003eMarketing CMS\u003c/b\u003e via \u003cb\u003eCMS Content Traffic\u003c/b\u003e from \u003cb\u003eLoad Balancer\u003c/b\u003e", - "synthetic_id": "cross-site-request-forgery@marketing-cms@load-balancer\u003ecms-content-traffic", - "most_relevant_technical_asset": "marketing-cms", - "most_relevant_communication_link": "load-balancer\u003ecms-content-traffic", - "data_breach_technical_assets": [ - "marketing-cms" - ] - }, - { - "category": "cross-site-request-forgery", - "severity": "medium", - "exploitation_likelihood": "very-likely", - "title": "\u003cb\u003eCross-Site Request Forgery (CSRF)\u003c/b\u003e risk at \u003cb\u003eMarketing CMS\u003c/b\u003e via \u003cb\u003eMarketing CMS Editing\u003c/b\u003e from \u003cb\u003eBackoffice Client\u003c/b\u003e", - "synthetic_id": "cross-site-request-forgery@marketing-cms@backoffice-client\u003emarketing-cms-editing", - "most_relevant_technical_asset": "marketing-cms", - "most_relevant_communication_link": "backoffice-client\u003emarketing-cms-editing", - "data_breach_technical_assets": [ - "marketing-cms" - ] - }, - { - "category": "cross-site-request-forgery", - "severity": "medium", - "exploitation_likelihood": "likely", - "title": "\u003cb\u003eCross-Site Request Forgery (CSRF)\u003c/b\u003e risk at \u003cb\u003eBackoffice ERP System\u003c/b\u003e via \u003cb\u003eERP Web Access\u003c/b\u003e from 
\u003cb\u003eBackend Admin Client\u003c/b\u003e", - "synthetic_id": "cross-site-request-forgery@erp-system@backend-admin-client\u003eerp-web-access", - "most_relevant_technical_asset": "erp-system", - "most_relevant_communication_link": "backend-admin-client\u003eerp-web-access", - "data_breach_technical_assets": [ - "erp-system" - ] - } - ], - "cross-site-scripting": [ - { - "category": "cross-site-scripting", - "severity": "elevated", - "exploitation_likelihood": "likely", - "exploitation_impact": "high", - "title": "\u003cb\u003eCross-Site Scripting (XSS)\u003c/b\u003e risk at \u003cb\u003eApache Webserver\u003c/b\u003e", - "synthetic_id": "cross-site-scripting@apache-webserver", - "most_relevant_technical_asset": "apache-webserver", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "apache-webserver" - ] - }, - { - "category": "cross-site-scripting", - "severity": "elevated", - "exploitation_likelihood": "likely", - "exploitation_impact": "high", - "title": "\u003cb\u003eCross-Site Scripting (XSS)\u003c/b\u003e risk at \u003cb\u003eBackoffice ERP System\u003c/b\u003e", - "synthetic_id": "cross-site-scripting@erp-system", - "most_relevant_technical_asset": "erp-system", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "erp-system" - ] - }, - { - "category": "cross-site-scripting", - "severity": "elevated", - "exploitation_likelihood": "likely", - "exploitation_impact": "high", - "title": "\u003cb\u003eCross-Site Scripting (XSS)\u003c/b\u003e risk at \u003cb\u003eIdentity Provider\u003c/b\u003e", - "synthetic_id": "cross-site-scripting@identity-provider", - "most_relevant_technical_asset": "identity-provider", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "identity-provider" - ] - }, - { - "category": "cross-site-scripting", - "severity": "elevated", - "exploitation_likelihood": "likely", - "exploitation_impact": "high", - "title": "\u003cb\u003eCross-Site Scripting 
(XSS)\u003c/b\u003e risk at \u003cb\u003eMarketing CMS\u003c/b\u003e", - "synthetic_id": "cross-site-scripting@marketing-cms", - "most_relevant_technical_asset": "marketing-cms", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "marketing-cms" - ] - } - ], - "dos-risky-access-across-trust-boundary": [ - { - "category": "dos-risky-access-across-trust-boundary", - "risk_status": "in-progress", - "title": "\u003cb\u003eDenial-of-Service\u003c/b\u003e risky access of \u003cb\u003eApache Webserver\u003c/b\u003e by \u003cb\u003eCustomer Web Client\u003c/b\u003e via \u003cb\u003eCustomer Traffic\u003c/b\u003e forwarded via \u003cb\u003eLoad Balancer\u003c/b\u003e", - "synthetic_id": "dos-risky-access-across-trust-boundary@apache-webserver@customer-client@customer-client\u003ecustomer-traffic", - "most_relevant_technical_asset": "apache-webserver", - "most_relevant_communication_link": "customer-client\u003ecustomer-traffic" - }, - { - "category": "dos-risky-access-across-trust-boundary", - "risk_status": "in-progress", - "title": "\u003cb\u003eDenial-of-Service\u003c/b\u003e risky access of \u003cb\u003eBackoffice ERP System\u003c/b\u003e by \u003cb\u003eApache Webserver\u003c/b\u003e via \u003cb\u003eERP System Traffic\u003c/b\u003e", - "synthetic_id": "dos-risky-access-across-trust-boundary@erp-system@apache-webserver@apache-webserver\u003eerp-system-traffic", - "most_relevant_technical_asset": "erp-system", - "most_relevant_communication_link": "apache-webserver\u003eerp-system-traffic" - }, - { - "category": "dos-risky-access-across-trust-boundary", - "risk_status": "in-progress", - "title": "\u003cb\u003eDenial-of-Service\u003c/b\u003e risky access of \u003cb\u003eBackoffice ERP System\u003c/b\u003e by \u003cb\u003eBackoffice Client\u003c/b\u003e via \u003cb\u003eERP Internal Access\u003c/b\u003e", - "synthetic_id": "dos-risky-access-across-trust-boundary@erp-system@backoffice-client@backoffice-client\u003eerp-internal-access", - 
"most_relevant_technical_asset": "erp-system", - "most_relevant_communication_link": "backoffice-client\u003eerp-internal-access" - }, - { - "category": "dos-risky-access-across-trust-boundary", - "risk_status": "in-progress", - "title": "\u003cb\u003eDenial-of-Service\u003c/b\u003e risky access of \u003cb\u003eIdentity Provider\u003c/b\u003e by \u003cb\u003eApache Webserver\u003c/b\u003e via \u003cb\u003eAuth Credential Check Traffic\u003c/b\u003e", - "synthetic_id": "dos-risky-access-across-trust-boundary@identity-provider@apache-webserver@apache-webserver\u003eauth-credential-check-traffic", - "most_relevant_technical_asset": "identity-provider", - "most_relevant_communication_link": "apache-webserver\u003eauth-credential-check-traffic" - }, - { - "category": "dos-risky-access-across-trust-boundary", - "risk_status": "in-progress", - "title": "\u003cb\u003eDenial-of-Service\u003c/b\u003e risky access of \u003cb\u003eLDAP Auth Server\u003c/b\u003e by \u003cb\u003eMarketing CMS\u003c/b\u003e via \u003cb\u003eAuth Traffic\u003c/b\u003e", - "synthetic_id": "dos-risky-access-across-trust-boundary@ldap-auth-server@marketing-cms@marketing-cms\u003eauth-traffic", - "most_relevant_technical_asset": "ldap-auth-server", - "most_relevant_communication_link": "marketing-cms\u003eauth-traffic" - }, - { - "category": "dos-risky-access-across-trust-boundary", - "risk_status": "in-progress", - "title": "\u003cb\u003eDenial-of-Service\u003c/b\u003e risky access of \u003cb\u003eMarketing CMS\u003c/b\u003e by \u003cb\u003eBackoffice Client\u003c/b\u003e via \u003cb\u003eMarketing CMS Editing\u003c/b\u003e", - "synthetic_id": "dos-risky-access-across-trust-boundary@marketing-cms@backoffice-client@backoffice-client\u003emarketing-cms-editing", - "most_relevant_technical_asset": "marketing-cms", - "most_relevant_communication_link": "backoffice-client\u003emarketing-cms-editing" - }, - { - "category": "dos-risky-access-across-trust-boundary", - "risk_status": "in-progress", - "title": 
"\u003cb\u003eDenial-of-Service\u003c/b\u003e risky access of \u003cb\u003eMarketing CMS\u003c/b\u003e by \u003cb\u003eCustomer Web Client\u003c/b\u003e via \u003cb\u003eCustomer Traffic\u003c/b\u003e forwarded via \u003cb\u003eLoad Balancer\u003c/b\u003e", - "synthetic_id": "dos-risky-access-across-trust-boundary@marketing-cms@customer-client@customer-client\u003ecustomer-traffic", - "most_relevant_technical_asset": "marketing-cms", - "most_relevant_communication_link": "customer-client\u003ecustomer-traffic" - } - ], - "ldap-injection": [ - { - "category": "ldap-injection", - "risk_status": "mitigated", - "severity": "elevated", - "exploitation_likelihood": "likely", - "exploitation_impact": "high", - "title": "\u003cb\u003eLDAP-Injection\u003c/b\u003e risk at \u003cb\u003eIdentity Provider\u003c/b\u003e against LDAP server \u003cb\u003eLDAP Auth Server\u003c/b\u003e via \u003cb\u003eLDAP Credential Check Traffic\u003c/b\u003e", - "synthetic_id": "ldap-injection@identity-provider@ldap-auth-server@identity-provider\u003eldap-credential-check-traffic", - "most_relevant_technical_asset": "identity-provider", - "most_relevant_communication_link": "identity-provider\u003eldap-credential-check-traffic", - "data_breach_probability": "probable", - "data_breach_technical_assets": [ - "ldap-auth-server" - ] - }, - { - "category": "ldap-injection", - "risk_status": "mitigated", - "severity": "elevated", - "exploitation_likelihood": "likely", - "exploitation_impact": "high", - "title": "\u003cb\u003eLDAP-Injection\u003c/b\u003e risk at \u003cb\u003eMarketing CMS\u003c/b\u003e against LDAP server \u003cb\u003eLDAP Auth Server\u003c/b\u003e via \u003cb\u003eAuth Traffic\u003c/b\u003e", - "synthetic_id": "ldap-injection@marketing-cms@ldap-auth-server@marketing-cms\u003eauth-traffic", - "most_relevant_technical_asset": "marketing-cms", - "most_relevant_communication_link": "marketing-cms\u003eauth-traffic", - "data_breach_probability": "probable", - 
"data_breach_technical_assets": [ - "ldap-auth-server" - ] - } - ], - "missing-authentication": [ - { - "category": "missing-authentication", - "severity": "elevated", - "exploitation_likelihood": "likely", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing Authentication\u003c/b\u003e covering communication link \u003cb\u003eCMS Content Traffic\u003c/b\u003e from \u003cb\u003eLoad Balancer\u003c/b\u003e to \u003cb\u003eMarketing CMS\u003c/b\u003e", - "synthetic_id": "missing-authentication@load-balancer\u003ecms-content-traffic@load-balancer@marketing-cms", - "most_relevant_technical_asset": "marketing-cms", - "most_relevant_communication_link": "load-balancer\u003ecms-content-traffic", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "marketing-cms" - ] - }, - { - "category": "missing-authentication", - "severity": "elevated", - "exploitation_likelihood": "likely", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing Authentication\u003c/b\u003e covering communication link \u003cb\u003eNFS Filesystem Access\u003c/b\u003e from \u003cb\u003eBackoffice ERP System\u003c/b\u003e to \u003cb\u003eContract Fileserver\u003c/b\u003e", - "synthetic_id": "missing-authentication@erp-system\u003enfs-filesystem-access@erp-system@contract-file-server", - "most_relevant_technical_asset": "contract-file-server", - "most_relevant_communication_link": "erp-system\u003enfs-filesystem-access", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "contract-file-server" - ] - } - ], - "missing-authentication-second-factor": [ - { - "category": "missing-authentication", - "severity": "medium", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing Two-Factor Authentication\u003c/b\u003e covering communication link \u003cb\u003eCMS Content Traffic\u003c/b\u003e from \u003cb\u003eCustomer Web Client\u003c/b\u003e forwarded via \u003cb\u003eLoad Balancer\u003c/b\u003e to 
\u003cb\u003eMarketing CMS\u003c/b\u003e", - "synthetic_id": "missing-authentication@load-balancer\u003ecms-content-traffic@load-balancer@marketing-cms", - "most_relevant_technical_asset": "marketing-cms", - "most_relevant_communication_link": "load-balancer\u003ecms-content-traffic", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "marketing-cms" - ] - }, - { - "category": "missing-authentication", - "severity": "medium", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing Two-Factor Authentication\u003c/b\u003e covering communication link \u003cb\u003eDB Update Access\u003c/b\u003e from \u003cb\u003eBackend Admin Client\u003c/b\u003e to \u003cb\u003eCustomer Contract Database\u003c/b\u003e", - "synthetic_id": "missing-authentication@backend-admin-client\u003edb-update-access@backend-admin-client@sql-database", - "most_relevant_technical_asset": "sql-database", - "most_relevant_communication_link": "backend-admin-client\u003edb-update-access", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "sql-database" - ] - }, - { - "category": "missing-authentication", - "severity": "medium", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing Two-Factor Authentication\u003c/b\u003e covering communication link \u003cb\u003eERP Internal Access\u003c/b\u003e from \u003cb\u003eBackoffice Client\u003c/b\u003e to \u003cb\u003eBackoffice ERP System\u003c/b\u003e", - "synthetic_id": "missing-authentication@backoffice-client\u003eerp-internal-access@backoffice-client@erp-system", - "most_relevant_technical_asset": "erp-system", - "most_relevant_communication_link": "backoffice-client\u003eerp-internal-access", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "erp-system" - ] - }, - { - "category": "missing-authentication", - "severity": "medium", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing Two-Factor Authentication\u003c/b\u003e covering 
communication link \u003cb\u003eERP Web Access\u003c/b\u003e from \u003cb\u003eBackend Admin Client\u003c/b\u003e to \u003cb\u003eBackoffice ERP System\u003c/b\u003e", - "synthetic_id": "missing-authentication@backend-admin-client\u003eerp-web-access@backend-admin-client@erp-system", - "most_relevant_technical_asset": "erp-system", - "most_relevant_communication_link": "backend-admin-client\u003eerp-web-access", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "erp-system" - ] - }, - { - "category": "missing-authentication", - "severity": "medium", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing Two-Factor Authentication\u003c/b\u003e covering communication link \u003cb\u003eGit-Repo Code Write Access\u003c/b\u003e from \u003cb\u003eExternal Development Client\u003c/b\u003e to \u003cb\u003eGit Repository\u003c/b\u003e", - "synthetic_id": "missing-authentication@external-dev-client\u003egit-repo-code-write-access@external-dev-client@git-repo", - "most_relevant_technical_asset": "git-repo", - "most_relevant_communication_link": "external-dev-client\u003egit-repo-code-write-access", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "git-repo" - ] - }, - { - "category": "missing-authentication", - "severity": "medium", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing Two-Factor Authentication\u003c/b\u003e covering communication link \u003cb\u003eGit-Repo Web-UI Access\u003c/b\u003e from \u003cb\u003eExternal Development Client\u003c/b\u003e to \u003cb\u003eGit Repository\u003c/b\u003e", - "synthetic_id": "missing-authentication@external-dev-client\u003egit-repo-web-ui-access@external-dev-client@git-repo", - "most_relevant_technical_asset": "git-repo", - "most_relevant_communication_link": "external-dev-client\u003egit-repo-web-ui-access", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "git-repo" - ] - }, - { - "category": 
"missing-authentication", - "severity": "medium", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing Two-Factor Authentication\u003c/b\u003e covering communication link \u003cb\u003eJenkins Web-UI Access\u003c/b\u003e from \u003cb\u003eExternal Development Client\u003c/b\u003e to \u003cb\u003eJenkins Buildserver\u003c/b\u003e", - "synthetic_id": "missing-authentication@external-dev-client\u003ejenkins-web-ui-access@external-dev-client@jenkins-build-server", - "most_relevant_technical_asset": "jenkins-build-server", - "most_relevant_communication_link": "external-dev-client\u003ejenkins-web-ui-access", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "jenkins-build-server" - ] - }, - { - "category": "missing-authentication", - "severity": "medium", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing Two-Factor Authentication\u003c/b\u003e covering communication link \u003cb\u003eUser Management Access\u003c/b\u003e from \u003cb\u003eBackend Admin Client\u003c/b\u003e to \u003cb\u003eLDAP Auth Server\u003c/b\u003e", - "synthetic_id": "missing-authentication@backend-admin-client\u003euser-management-access@backend-admin-client@ldap-auth-server", - "most_relevant_technical_asset": "ldap-auth-server", - "most_relevant_communication_link": "backend-admin-client\u003euser-management-access", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "ldap-auth-server" - ] - }, - { - "category": "missing-authentication", - "severity": "medium", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing Two-Factor Authentication\u003c/b\u003e covering communication link \u003cb\u003eWeb Application Traffic\u003c/b\u003e from \u003cb\u003eCustomer Web Client\u003c/b\u003e forwarded via \u003cb\u003eLoad Balancer\u003c/b\u003e to \u003cb\u003eApache Webserver\u003c/b\u003e", - "synthetic_id": 
"missing-authentication@load-balancer\u003eweb-application-traffic@load-balancer@apache-webserver", - "most_relevant_technical_asset": "apache-webserver", - "most_relevant_communication_link": "load-balancer\u003eweb-application-traffic", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "apache-webserver" - ] - } - ], - "missing-cloud-hardening": [ - { - "category": "missing-cloud-hardening", - "severity": "elevated", - "exploitation_impact": "very-high", - "title": "\u003cb\u003eMissing Cloud Hardening (AWS)\u003c/b\u003e risk at \u003cb\u003eApplication Network\u003c/b\u003e: \u003cu\u003eCIS Benchmark for AWS\u003c/u\u003e", - "synthetic_id": "missing-cloud-hardening@application-network", - "most_relevant_trust_boundary": "application-network", - "data_breach_probability": "probable", - "data_breach_technical_assets": [ - "load-balancer", - "apache-webserver", - "marketing-cms", - "erp-system", - "contract-file-server", - "sql-database", - "identity-provider", - "ldap-auth-server" - ] - }, - { - "category": "missing-cloud-hardening", - "severity": "elevated", - "exploitation_impact": "very-high", - "title": "\u003cb\u003eMissing Cloud Hardening (EC2)\u003c/b\u003e risk at \u003cb\u003eApache Webserver\u003c/b\u003e: \u003cu\u003eCIS Benchmark for Amazon Linux\u003c/u\u003e", - "synthetic_id": "missing-cloud-hardening@apache-webserver", - "most_relevant_technical_asset": "apache-webserver", - "data_breach_probability": "probable", - "data_breach_technical_assets": [ - "apache-webserver" - ] - }, - { - "category": "missing-cloud-hardening", - "severity": "elevated", - "exploitation_impact": "very-high", - "title": "\u003cb\u003eMissing Cloud Hardening\u003c/b\u003e risk at \u003cb\u003eERP DMZ\u003c/b\u003e", - "synthetic_id": "missing-cloud-hardening@erp-dmz", - "most_relevant_trust_boundary": "erp-dmz", - "data_breach_probability": "probable", - "data_breach_technical_assets": [ - "erp-system", - "contract-file-server", - 
"sql-database" - ] - }, - { - "category": "missing-cloud-hardening", - "severity": "elevated", - "exploitation_impact": "very-high", - "title": "\u003cb\u003eMissing Cloud Hardening\u003c/b\u003e risk at \u003cb\u003eWeb DMZ\u003c/b\u003e", - "synthetic_id": "missing-cloud-hardening@web-dmz", - "most_relevant_trust_boundary": "web-dmz", - "data_breach_probability": "probable", - "data_breach_technical_assets": [ - "apache-webserver", - "marketing-cms" - ] - }, - { - "category": "missing-cloud-hardening", - "severity": "medium", - "exploitation_impact": "high", - "title": "\u003cb\u003eMissing Cloud Hardening (S3)\u003c/b\u003e risk at \u003cb\u003eContract Fileserver\u003c/b\u003e: \u003cu\u003eSecurity Best Practices for AWS S3\u003c/u\u003e", - "synthetic_id": "missing-cloud-hardening@contract-file-server", - "most_relevant_technical_asset": "contract-file-server", - "data_breach_probability": "probable", - "data_breach_technical_assets": [ - "contract-file-server" - ] - } - ], - "missing-file-validation": [ - { - "category": "missing-file-validation", - "severity": "elevated", - "exploitation_likelihood": "very-likely", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing File Validation\u003c/b\u003e risk at \u003cb\u003eApache Webserver\u003c/b\u003e", - "synthetic_id": "missing-file-validation@apache-webserver", - "most_relevant_technical_asset": "apache-webserver", - "data_breach_probability": "probable", - "data_breach_technical_assets": [ - "apache-webserver" - ] - } - ], - "missing-hardening": [ - { - "category": "missing-hardening", - "risk_status": "mitigated", - "severity": "elevated", - "exploitation_likelihood": "likely", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing Hardening\u003c/b\u003e risk at \u003cb\u003eApache Webserver\u003c/b\u003e", - "synthetic_id": "missing-hardening@apache-webserver", - "most_relevant_technical_asset": "apache-webserver", - "data_breach_technical_assets": [ - "apache-webserver" - ] - 
}, - { - "category": "missing-hardening", - "risk_status": "mitigated", - "severity": "elevated", - "exploitation_likelihood": "likely", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing Hardening\u003c/b\u003e risk at \u003cb\u003eBackoffice ERP System\u003c/b\u003e", - "synthetic_id": "missing-hardening@erp-system", - "most_relevant_technical_asset": "erp-system", - "data_breach_technical_assets": [ - "erp-system" - ] - }, - { - "category": "missing-hardening", - "risk_status": "mitigated", - "severity": "elevated", - "exploitation_likelihood": "likely", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing Hardening\u003c/b\u003e risk at \u003cb\u003eCustomer Contract Database\u003c/b\u003e", - "synthetic_id": "missing-hardening@sql-database", - "most_relevant_technical_asset": "sql-database", - "data_breach_technical_assets": [ - "sql-database" - ] - }, - { - "category": "missing-hardening", - "risk_status": "mitigated", - "severity": "elevated", - "exploitation_likelihood": "likely", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing Hardening\u003c/b\u003e risk at \u003cb\u003eIdentity Provider\u003c/b\u003e", - "synthetic_id": "missing-hardening@identity-provider", - "most_relevant_technical_asset": "identity-provider", - "data_breach_technical_assets": [ - "identity-provider" - ] - }, - { - "category": "missing-hardening", - "risk_status": "mitigated", - "severity": "elevated", - "exploitation_likelihood": "likely", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing Hardening\u003c/b\u003e risk at \u003cb\u003eJenkins Buildserver\u003c/b\u003e", - "synthetic_id": "missing-hardening@jenkins-build-server", - "most_relevant_technical_asset": "jenkins-build-server", - "data_breach_technical_assets": [ - "jenkins-build-server" - ] - }, - { - "category": "missing-hardening", - "risk_status": "mitigated", - "severity": "elevated", - "exploitation_likelihood": "likely", - "exploitation_impact": 
"medium", - "title": "\u003cb\u003eMissing Hardening\u003c/b\u003e risk at \u003cb\u003eLDAP Auth Server\u003c/b\u003e", - "synthetic_id": "missing-hardening@ldap-auth-server", - "most_relevant_technical_asset": "ldap-auth-server", - "data_breach_technical_assets": [ - "ldap-auth-server" - ] - } - ], - "missing-identity-propagation": [ - { - "category": "missing-identity-propagation", - "severity": "medium", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing End User Identity Propagation\u003c/b\u003e over communication link \u003cb\u003eERP System Traffic\u003c/b\u003e from \u003cb\u003eApache Webserver\u003c/b\u003e to \u003cb\u003eBackoffice ERP System\u003c/b\u003e", - "synthetic_id": "missing-identity-propagation@apache-webserver\u003eerp-system-traffic@apache-webserver@erp-system", - "most_relevant_technical_asset": "erp-system", - "most_relevant_communication_link": "apache-webserver\u003eerp-system-traffic", - "data_breach_technical_assets": [ - "erp-system" - ] - } - ], - "missing-network-segmentation": [ - { - "category": "missing-network-segmentation", - "severity": "medium", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing Network Segmentation\u003c/b\u003e to further encapsulate and protect \u003cb\u003eApache Webserver\u003c/b\u003e against unrelated lower protected assets in the same network segment, which might be easier to compromise by attackers", - "synthetic_id": "missing-network-segmentation@apache-webserver", - "most_relevant_technical_asset": "apache-webserver", - "data_breach_technical_assets": [ - "apache-webserver" - ] - }, - { - "category": "missing-network-segmentation", - "severity": "medium", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing Network Segmentation\u003c/b\u003e to further encapsulate and protect \u003cb\u003eJenkins Buildserver\u003c/b\u003e against unrelated lower protected assets in the same network segment, which might be easier to compromise by attackers", - 
"synthetic_id": "missing-network-segmentation@jenkins-build-server", - "most_relevant_technical_asset": "jenkins-build-server", - "data_breach_technical_assets": [ - "jenkins-build-server" - ] - } - ], - "missing-vault": [ - { - "category": "missing-vault", - "severity": "medium", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing Vault (Secret Storage)\u003c/b\u003e in the threat model (referencing asset \u003cb\u003eBackoffice ERP System\u003c/b\u003e as an example)", - "synthetic_id": "missing-vault@erp-system", - "most_relevant_technical_asset": "erp-system" - } - ], - "missing-waf": [ - { - "category": "missing-waf", - "severity": "medium", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing Web Application Firewall (WAF)\u003c/b\u003e risk at \u003cb\u003eApache Webserver\u003c/b\u003e", - "synthetic_id": "missing-waf@apache-webserver", - "most_relevant_technical_asset": "apache-webserver", - "data_breach_technical_assets": [ - "apache-webserver" - ] - }, - { - "category": "missing-waf", - "severity": "medium", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing Web Application Firewall (WAF)\u003c/b\u003e risk at \u003cb\u003eBackoffice ERP System\u003c/b\u003e", - "synthetic_id": "missing-waf@erp-system", - "most_relevant_technical_asset": "erp-system", - "data_breach_technical_assets": [ - "erp-system" - ] - }, - { - "category": "missing-waf", - "severity": "medium", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing Web Application Firewall (WAF)\u003c/b\u003e risk at \u003cb\u003eIdentity Provider\u003c/b\u003e", - "synthetic_id": "missing-waf@identity-provider", - "most_relevant_technical_asset": "identity-provider", - "data_breach_technical_assets": [ - "identity-provider" - ] - }, - { - "category": "missing-waf", - "severity": "medium", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing Web Application Firewall (WAF)\u003c/b\u003e risk at \u003cb\u003eMarketing 
CMS\u003c/b\u003e", - "synthetic_id": "missing-waf@marketing-cms", - "most_relevant_technical_asset": "marketing-cms", - "data_breach_technical_assets": [ - "marketing-cms" - ] - } - ], - "mixed-targets-on-shared-runtime": [ - { - "category": "mixed-targets-on-shared-runtime", - "severity": "medium", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMixed Targets on Shared Runtime\u003c/b\u003e named \u003cb\u003eWebApp and Backoffice Virtualization\u003c/b\u003e might enable attackers moving from one less valuable target to a more valuable one", - "synthetic_id": "mixed-targets-on-shared-runtime@webapp-virtualization", - "most_relevant_shared_runtime": "webapp-virtualization", - "data_breach_technical_assets": [ - "apache-webserver", - "marketing-cms", - "erp-system", - "contract-file-server", - "sql-database" - ] - } - ], - "path-traversal": [ - { - "category": "path-traversal", - "severity": "elevated", - "exploitation_likelihood": "very-likely", - "exploitation_impact": "medium", - "title": "\u003cb\u003ePath-Traversal\u003c/b\u003e risk at \u003cb\u003eBackoffice ERP System\u003c/b\u003e against filesystem \u003cb\u003eContract Fileserver\u003c/b\u003e via \u003cb\u003eNFS Filesystem Access\u003c/b\u003e", - "synthetic_id": "path-traversal@erp-system@contract-file-server@erp-system\u003enfs-filesystem-access", - "most_relevant_technical_asset": "erp-system", - "most_relevant_communication_link": "erp-system\u003enfs-filesystem-access", - "data_breach_probability": "probable", - "data_breach_technical_assets": [ - "contract-file-server" - ] - } - ], - "push-instead-of-pull-deployment": [ - { - "category": "push-instead-of-pull-deployment", - "severity": "medium", - "exploitation_impact": "medium", - "title": "\u003cb\u003ePush instead of Pull Deployment\u003c/b\u003e at \u003cb\u003eApache Webserver\u003c/b\u003e via build pipeline asset \u003cb\u003eJenkins Buildserver\u003c/b\u003e", - "synthetic_id": 
"push-instead-of-pull-deployment@jenkins-build-server", - "most_relevant_technical_asset": "apache-webserver", - "most_relevant_communication_link": "jenkins-build-server\u003eapplication-deployment", - "data_breach_technical_assets": [ - "apache-webserver" - ] - }, - { - "category": "push-instead-of-pull-deployment", - "severity": "medium", - "exploitation_impact": "medium", - "title": "\u003cb\u003ePush instead of Pull Deployment\u003c/b\u003e at \u003cb\u003eMarketing CMS\u003c/b\u003e via build pipeline asset \u003cb\u003eJenkins Buildserver\u003c/b\u003e", - "synthetic_id": "push-instead-of-pull-deployment@jenkins-build-server", - "most_relevant_technical_asset": "marketing-cms", - "most_relevant_communication_link": "jenkins-build-server\u003ecms-updates", - "data_breach_technical_assets": [ - "marketing-cms" - ] - } - ], - "server-side-request-forgery": [ - { - "category": "server-side-request-forgery", - "severity": "elevated", - "exploitation_likelihood": "likely", - "exploitation_impact": "medium", - "title": "\u003cb\u003eServer-Side Request Forgery (SSRF)\u003c/b\u003e risk at \u003cb\u003eApache Webserver\u003c/b\u003e server-side web-requesting the target \u003cb\u003eBackoffice ERP System\u003c/b\u003e via \u003cb\u003eERP System Traffic\u003c/b\u003e", - "synthetic_id": "server-side-request-forgery@apache-webserver@erp-system@apache-webserver\u003eerp-system-traffic", - "most_relevant_technical_asset": "apache-webserver", - "most_relevant_communication_link": "apache-webserver\u003eerp-system-traffic", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "apache-webserver", - "marketing-cms" - ] - }, - { - "category": "server-side-request-forgery", - "severity": "elevated", - "exploitation_likelihood": "likely", - "exploitation_impact": "medium", - "title": "\u003cb\u003eServer-Side Request Forgery (SSRF)\u003c/b\u003e risk at \u003cb\u003eApache Webserver\u003c/b\u003e server-side web-requesting the target 
\u003cb\u003eIdentity Provider\u003c/b\u003e via \u003cb\u003eAuth Credential Check Traffic\u003c/b\u003e", - "synthetic_id": "server-side-request-forgery@apache-webserver@identity-provider@apache-webserver\u003eauth-credential-check-traffic", - "most_relevant_technical_asset": "apache-webserver", - "most_relevant_communication_link": "apache-webserver\u003eauth-credential-check-traffic", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "apache-webserver", - "marketing-cms" - ] - } - ], - "something-strange": [ - { - "category": "something-strange", - "severity": "critical", - "exploitation_likelihood": "likely", - "exploitation_impact": "medium", - "title": "\u003cb\u003eExample Individual Risk\u003c/b\u003e at \u003cb\u003eDatabase\u003c/b\u003e", - "synthetic_id": "something-strange@sql-database", - "most_relevant_technical_asset": "sql-database", - "data_breach_probability": "probable", - "data_breach_technical_assets": [ - "sql-database" - ] - }, - { - "category": "something-strange", - "severity": "medium", - "exploitation_likelihood": "frequent", - "exploitation_impact": "very-high", - "title": "\u003cb\u003eExample Individual Risk\u003c/b\u003e at \u003cb\u003eContract Filesystem\u003c/b\u003e", - "synthetic_id": "something-strange@contract-file-server", - "most_relevant_technical_asset": "contract-file-server" - } - ], - "sql-nosql-injection": [ - { - "category": "sql-nosql-injection", - "severity": "high", - "exploitation_likelihood": "very-likely", - "exploitation_impact": "high", - "title": "\u003cb\u003eSQL/NoSQL-Injection\u003c/b\u003e risk at \u003cb\u003eBackoffice ERP System\u003c/b\u003e against database \u003cb\u003eCustomer Contract Database\u003c/b\u003e via \u003cb\u003eDatabase Traffic\u003c/b\u003e", - "synthetic_id": "sql-nosql-injection@erp-system@sql-database@erp-system\u003edatabase-traffic", - "most_relevant_technical_asset": "erp-system", - "most_relevant_communication_link": 
"erp-system\u003edatabase-traffic", - "data_breach_probability": "probable", - "data_breach_technical_assets": [ - "sql-database" - ] - } - ], - "unchecked-deployment": [ - { - "category": "unchecked-deployment", - "severity": "medium", - "exploitation_impact": "medium", - "title": "\u003cb\u003eUnchecked Deployment\u003c/b\u003e risk at \u003cb\u003eExternal Development Client\u003c/b\u003e", - "synthetic_id": "unchecked-deployment@external-dev-client", - "most_relevant_technical_asset": "external-dev-client", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "external-dev-client", - "git-repo", - "jenkins-build-server" - ] - }, - { - "category": "unchecked-deployment", - "severity": "medium", - "exploitation_impact": "medium", - "title": "\u003cb\u003eUnchecked Deployment\u003c/b\u003e risk at \u003cb\u003eJenkins Buildserver\u003c/b\u003e", - "synthetic_id": "unchecked-deployment@jenkins-build-server", - "most_relevant_technical_asset": "jenkins-build-server", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "marketing-cms", - "jenkins-build-server", - "apache-webserver" - ] - }, - { - "category": "unchecked-deployment", - "title": "\u003cb\u003eUnchecked Deployment\u003c/b\u003e risk at \u003cb\u003eGit Repository\u003c/b\u003e", - "synthetic_id": "unchecked-deployment@git-repo", - "most_relevant_technical_asset": "git-repo", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "git-repo" - ] - } - ], - "unencrypted-asset": [ - { - "category": "unencrypted-asset", - "risk_status": "mitigated", - "severity": "medium", - "exploitation_impact": "high", - "title": "\u003cb\u003eUnencrypted Technical Asset\u003c/b\u003e named \u003cb\u003eApache Webserver\u003c/b\u003e", - "synthetic_id": "unencrypted-asset@apache-webserver", - "most_relevant_technical_asset": "apache-webserver", - "data_breach_technical_assets": [ - "apache-webserver" - ] - }, - { - "category": "unencrypted-asset", 
- "risk_status": "mitigated", - "severity": "medium", - "exploitation_impact": "high", - "title": "\u003cb\u003eUnencrypted Technical Asset\u003c/b\u003e named \u003cb\u003eBackoffice ERP System\u003c/b\u003e missing end user individual encryption with data-with-end-user-individual-key", - "synthetic_id": "unencrypted-asset@erp-system", - "most_relevant_technical_asset": "erp-system", - "data_breach_technical_assets": [ - "erp-system" - ] - }, - { - "category": "unencrypted-asset", - "risk_status": "mitigated", - "severity": "medium", - "exploitation_impact": "high", - "title": "\u003cb\u003eUnencrypted Technical Asset\u003c/b\u003e named \u003cb\u003eGit Repository\u003c/b\u003e", - "synthetic_id": "unencrypted-asset@git-repo", - "most_relevant_technical_asset": "git-repo", - "data_breach_technical_assets": [ - "git-repo" - ] - }, - { - "category": "unencrypted-asset", - "risk_status": "mitigated", - "severity": "medium", - "exploitation_impact": "high", - "title": "\u003cb\u003eUnencrypted Technical Asset\u003c/b\u003e named \u003cb\u003eIdentity Provider\u003c/b\u003e", - "synthetic_id": "unencrypted-asset@identity-provider", - "most_relevant_technical_asset": "identity-provider", - "data_breach_technical_assets": [ - "identity-provider" - ] - }, - { - "category": "unencrypted-asset", - "risk_status": "mitigated", - "severity": "medium", - "exploitation_impact": "high", - "title": "\u003cb\u003eUnencrypted Technical Asset\u003c/b\u003e named \u003cb\u003eJenkins Buildserver\u003c/b\u003e", - "synthetic_id": "unencrypted-asset@jenkins-build-server", - "most_relevant_technical_asset": "jenkins-build-server", - "data_breach_technical_assets": [ - "jenkins-build-server" - ] - }, - { - "category": "unencrypted-asset", - "risk_status": "mitigated", - "severity": "medium", - "exploitation_impact": "high", - "title": "\u003cb\u003eUnencrypted Technical Asset\u003c/b\u003e named \u003cb\u003eMarketing CMS\u003c/b\u003e", - "synthetic_id": 
"unencrypted-asset@marketing-cms", - "most_relevant_technical_asset": "marketing-cms", - "data_breach_technical_assets": [ - "marketing-cms" - ] - }, - { - "category": "unencrypted-asset", - "risk_status": "mitigated", - "severity": "medium", - "exploitation_impact": "medium", - "title": "\u003cb\u003eUnencrypted Technical Asset\u003c/b\u003e named \u003cb\u003eContract Fileserver\u003c/b\u003e", - "synthetic_id": "unencrypted-asset@contract-file-server", - "most_relevant_technical_asset": "contract-file-server", - "data_breach_technical_assets": [ - "contract-file-server" - ] - }, - { - "category": "unencrypted-asset", - "risk_status": "mitigated", - "severity": "medium", - "exploitation_impact": "medium", - "title": "\u003cb\u003eUnencrypted Technical Asset\u003c/b\u003e named \u003cb\u003eCustomer Contract Database\u003c/b\u003e missing end user individual encryption with data-with-end-user-individual-key", - "synthetic_id": "unencrypted-asset@sql-database", - "most_relevant_technical_asset": "sql-database", - "data_breach_technical_assets": [ - "sql-database" - ] - } - ], - "unencrypted-communication": [ - { - "category": "unencrypted-communication", - "severity": "elevated", - "exploitation_likelihood": "likely", - "exploitation_impact": "high", - "title": "\u003cb\u003eUnencrypted Communication\u003c/b\u003e named \u003cb\u003eAuth Traffic\u003c/b\u003e between \u003cb\u003eMarketing CMS\u003c/b\u003e and \u003cb\u003eLDAP Auth Server\u003c/b\u003e transferring authentication data (like credentials, token, session-id, etc.)", - "synthetic_id": "unencrypted-communication@marketing-cms\u003eauth-traffic@marketing-cms@ldap-auth-server", - "most_relevant_technical_asset": "marketing-cms", - "most_relevant_communication_link": "marketing-cms\u003eauth-traffic", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "ldap-auth-server" - ] - }, - { - "category": "unencrypted-communication", - "severity": "elevated", - 
"exploitation_likelihood": "likely", - "exploitation_impact": "high", - "title": "\u003cb\u003eUnencrypted Communication\u003c/b\u003e named \u003cb\u003eWeb Application Traffic\u003c/b\u003e between \u003cb\u003eLoad Balancer\u003c/b\u003e and \u003cb\u003eApache Webserver\u003c/b\u003e transferring authentication data (like credentials, token, session-id, etc.)", - "synthetic_id": "unencrypted-communication@load-balancer\u003eweb-application-traffic@load-balancer@apache-webserver", - "most_relevant_technical_asset": "load-balancer", - "most_relevant_communication_link": "load-balancer\u003eweb-application-traffic", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "apache-webserver" - ] - }, - { - "category": "unencrypted-communication", - "severity": "medium", - "exploitation_impact": "high", - "title": "\u003cb\u003eUnencrypted Communication\u003c/b\u003e named \u003cb\u003eDatabase Traffic\u003c/b\u003e between \u003cb\u003eBackoffice ERP System\u003c/b\u003e and \u003cb\u003eCustomer Contract Database\u003c/b\u003e transferring authentication data (like credentials, token, session-id, etc.)", - "synthetic_id": "unencrypted-communication@erp-system\u003edatabase-traffic@erp-system@sql-database", - "most_relevant_technical_asset": "erp-system", - "most_relevant_communication_link": "erp-system\u003edatabase-traffic", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "sql-database" - ] - }, - { - "category": "unencrypted-communication", - "severity": "medium", - "exploitation_impact": "medium", - "title": "\u003cb\u003eUnencrypted Communication\u003c/b\u003e named \u003cb\u003eNFS Filesystem Access\u003c/b\u003e between \u003cb\u003eBackoffice ERP System\u003c/b\u003e and \u003cb\u003eContract Fileserver\u003c/b\u003e", - "synthetic_id": "unencrypted-communication@erp-system\u003enfs-filesystem-access@erp-system@contract-file-server", - "most_relevant_technical_asset": "erp-system", - 
"most_relevant_communication_link": "erp-system\u003enfs-filesystem-access", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "contract-file-server" - ] - } - ], - "unguarded-access-from-internet": [ - { - "category": "unguarded-access-from-internet", - "severity": "elevated", - "exploitation_likelihood": "very-likely", - "exploitation_impact": "medium", - "title": "\u003cb\u003eUnguarded Access from Internet\u003c/b\u003e of \u003cb\u003eGit Repository\u003c/b\u003e by \u003cb\u003eExternal Development Client\u003c/b\u003e via \u003cb\u003eGit-Repo Code Write Access\u003c/b\u003e", - "synthetic_id": "unguarded-access-from-internet@git-repo@external-dev-client@external-dev-client\u003egit-repo-code-write-access", - "most_relevant_technical_asset": "git-repo", - "most_relevant_communication_link": "external-dev-client\u003egit-repo-code-write-access", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "git-repo" - ] - }, - { - "category": "unguarded-access-from-internet", - "severity": "elevated", - "exploitation_likelihood": "very-likely", - "exploitation_impact": "medium", - "title": "\u003cb\u003eUnguarded Access from Internet\u003c/b\u003e of \u003cb\u003eGit Repository\u003c/b\u003e by \u003cb\u003eExternal Development Client\u003c/b\u003e via \u003cb\u003eGit-Repo Web-UI Access\u003c/b\u003e", - "synthetic_id": "unguarded-access-from-internet@git-repo@external-dev-client@external-dev-client\u003egit-repo-web-ui-access", - "most_relevant_technical_asset": "git-repo", - "most_relevant_communication_link": "external-dev-client\u003egit-repo-web-ui-access", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "git-repo" - ] - }, - { - "category": "unguarded-access-from-internet", - "severity": "elevated", - "exploitation_likelihood": "very-likely", - "exploitation_impact": "medium", - "title": "\u003cb\u003eUnguarded Access from Internet\u003c/b\u003e of \u003cb\u003eJenkins 
Buildserver\u003c/b\u003e by \u003cb\u003eExternal Development Client\u003c/b\u003e via \u003cb\u003eJenkins Web-UI Access\u003c/b\u003e", - "synthetic_id": "unguarded-access-from-internet@jenkins-build-server@external-dev-client@external-dev-client\u003ejenkins-web-ui-access", - "most_relevant_technical_asset": "jenkins-build-server", - "most_relevant_communication_link": "external-dev-client\u003ejenkins-web-ui-access", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "jenkins-build-server" - ] - } - ], - "untrusted-deserialization": [ - { - "category": "untrusted-deserialization", - "severity": "elevated", - "exploitation_likelihood": "likely", - "exploitation_impact": "very-high", - "title": "\u003cb\u003eUntrusted Deserialization\u003c/b\u003e risk at \u003cb\u003eJenkins Buildserver\u003c/b\u003e", - "synthetic_id": "untrusted-deserialization@jenkins-build-server", - "most_relevant_technical_asset": "jenkins-build-server", - "data_breach_probability": "probable", - "data_breach_technical_assets": [ - "jenkins-build-server" - ] - }, - { - "category": "untrusted-deserialization", - "risk_status": "accepted", - "severity": "elevated", - "exploitation_likelihood": "likely", - "exploitation_impact": "very-high", - "title": "\u003cb\u003eUntrusted Deserialization\u003c/b\u003e risk at \u003cb\u003eBackoffice ERP System\u003c/b\u003e", - "synthetic_id": "untrusted-deserialization@erp-system", - "most_relevant_technical_asset": "erp-system", - "data_breach_probability": "probable", - "data_breach_technical_assets": [ - "erp-system" - ] - } - ], - "xml-external-entity": [ - { - "category": "xml-external-entity", - "severity": "high", - "exploitation_likelihood": "very-likely", - "exploitation_impact": "high", - "title": "\u003cb\u003eXML External Entity (XXE)\u003c/b\u003e risk at \u003cb\u003eBackoffice ERP System\u003c/b\u003e", - "synthetic_id": "xml-external-entity@erp-system", - "most_relevant_technical_asset": "erp-system", - 
"data_breach_probability": "probable", - "data_breach_technical_assets": [ - "erp-system" - ] - } - ] - }, - "generated_risks_by_synthetic_id": { - "accidental-secret-leak@git-repo": { - "category": "accidental-secret-leak", - "severity": "medium", - "exploitation_impact": "high", - "title": "\u003cb\u003eAccidental Secret Leak (Git)\u003c/b\u003e risk at \u003cb\u003eGit Repository\u003c/b\u003e: \u003cu\u003eGit Leak Prevention\u003c/u\u003e", - "synthetic_id": "accidental-secret-leak@git-repo", - "most_relevant_technical_asset": "git-repo", - "data_breach_probability": "probable", - "data_breach_technical_assets": [ - "git-repo" - ] - }, - "code-backdooring@git-repo": { - "category": "code-backdooring", - "severity": "medium", - "exploitation_impact": "high", - "title": "\u003cb\u003eCode Backdooring\u003c/b\u003e risk at \u003cb\u003eGit Repository\u003c/b\u003e", - "synthetic_id": "code-backdooring@git-repo", - "most_relevant_technical_asset": "git-repo", - "data_breach_probability": "probable", - "data_breach_technical_assets": [ - "git-repo" - ] - }, - "code-backdooring@jenkins-build-server": { - "category": "code-backdooring", - "severity": "medium", - "exploitation_impact": "high", - "title": "\u003cb\u003eCode Backdooring\u003c/b\u003e risk at \u003cb\u003eJenkins Buildserver\u003c/b\u003e", - "synthetic_id": "code-backdooring@jenkins-build-server", - "most_relevant_technical_asset": "jenkins-build-server", - "data_breach_probability": "probable", - "data_breach_technical_assets": [ - "marketing-cms", - "jenkins-build-server", - "apache-webserver" - ] - }, - "container-baseimage-backdooring@apache-webserver": { - "category": "container-baseimage-backdooring", - "severity": "medium", - "exploitation_impact": "high", - "title": "\u003cb\u003eContainer Base Image Backdooring\u003c/b\u003e risk at \u003cb\u003eApache Webserver\u003c/b\u003e", - "synthetic_id": "container-baseimage-backdooring@apache-webserver", - "most_relevant_technical_asset": 
"apache-webserver", - "data_breach_probability": "probable", - "data_breach_technical_assets": [ - "apache-webserver" - ] - }, - "container-baseimage-backdooring@marketing-cms": { - "category": "container-baseimage-backdooring", - "severity": "medium", - "exploitation_impact": "high", - "title": "\u003cb\u003eContainer Base Image Backdooring\u003c/b\u003e risk at \u003cb\u003eMarketing CMS\u003c/b\u003e", - "synthetic_id": "container-baseimage-backdooring@marketing-cms", - "most_relevant_technical_asset": "marketing-cms", - "data_breach_probability": "probable", - "data_breach_technical_assets": [ - "marketing-cms" - ] - }, - "cross-site-request-forgery@apache-webserver@load-balancer\u003eweb-application-traffic": { - "category": "cross-site-request-forgery", - "severity": "medium", - "exploitation_likelihood": "very-likely", - "title": "\u003cb\u003eCross-Site Request Forgery (CSRF)\u003c/b\u003e risk at \u003cb\u003eApache Webserver\u003c/b\u003e via \u003cb\u003eWeb Application Traffic\u003c/b\u003e from \u003cb\u003eLoad Balancer\u003c/b\u003e", - "synthetic_id": "cross-site-request-forgery@apache-webserver@load-balancer\u003eweb-application-traffic", - "most_relevant_technical_asset": "apache-webserver", - "most_relevant_communication_link": "load-balancer\u003eweb-application-traffic", - "data_breach_technical_assets": [ - "apache-webserver" - ] - }, - "cross-site-request-forgery@erp-system@apache-webserver\u003eerp-system-traffic": { - "category": "cross-site-request-forgery", - "severity": "medium", - "exploitation_likelihood": "very-likely", - "title": "\u003cb\u003eCross-Site Request Forgery (CSRF)\u003c/b\u003e risk at \u003cb\u003eBackoffice ERP System\u003c/b\u003e via \u003cb\u003eERP System Traffic\u003c/b\u003e from \u003cb\u003eApache Webserver\u003c/b\u003e", - "synthetic_id": "cross-site-request-forgery@erp-system@apache-webserver\u003eerp-system-traffic", - "most_relevant_technical_asset": "erp-system", - "most_relevant_communication_link": 
"apache-webserver\u003eerp-system-traffic", - "data_breach_technical_assets": [ - "erp-system" - ] - }, - "cross-site-request-forgery@erp-system@backend-admin-client\u003eerp-web-access": { - "category": "cross-site-request-forgery", - "severity": "medium", - "exploitation_likelihood": "likely", - "title": "\u003cb\u003eCross-Site Request Forgery (CSRF)\u003c/b\u003e risk at \u003cb\u003eBackoffice ERP System\u003c/b\u003e via \u003cb\u003eERP Web Access\u003c/b\u003e from \u003cb\u003eBackend Admin Client\u003c/b\u003e", - "synthetic_id": "cross-site-request-forgery@erp-system@backend-admin-client\u003eerp-web-access", - "most_relevant_technical_asset": "erp-system", - "most_relevant_communication_link": "backend-admin-client\u003eerp-web-access", - "data_breach_technical_assets": [ - "erp-system" - ] - }, - "cross-site-request-forgery@erp-system@backoffice-client\u003eerp-internal-access": { - "category": "cross-site-request-forgery", - "severity": "medium", - "exploitation_likelihood": "very-likely", - "title": "\u003cb\u003eCross-Site Request Forgery (CSRF)\u003c/b\u003e risk at \u003cb\u003eBackoffice ERP System\u003c/b\u003e via \u003cb\u003eERP Internal Access\u003c/b\u003e from \u003cb\u003eBackoffice Client\u003c/b\u003e", - "synthetic_id": "cross-site-request-forgery@erp-system@backoffice-client\u003eerp-internal-access", - "most_relevant_technical_asset": "erp-system", - "most_relevant_communication_link": "backoffice-client\u003eerp-internal-access", - "data_breach_technical_assets": [ - "erp-system" - ] - }, - "cross-site-request-forgery@identity-provider@apache-webserver\u003eauth-credential-check-traffic": { - "category": "cross-site-request-forgery", - "severity": "medium", - "exploitation_likelihood": "very-likely", - "title": "\u003cb\u003eCross-Site Request Forgery (CSRF)\u003c/b\u003e risk at \u003cb\u003eIdentity Provider\u003c/b\u003e via \u003cb\u003eAuth Credential Check Traffic\u003c/b\u003e from \u003cb\u003eApache 
Webserver\u003c/b\u003e", - "synthetic_id": "cross-site-request-forgery@identity-provider@apache-webserver\u003eauth-credential-check-traffic", - "most_relevant_technical_asset": "identity-provider", - "most_relevant_communication_link": "apache-webserver\u003eauth-credential-check-traffic", - "data_breach_technical_assets": [ - "identity-provider" - ] - }, - "cross-site-request-forgery@marketing-cms@backoffice-client\u003emarketing-cms-editing": { - "category": "cross-site-request-forgery", - "severity": "medium", - "exploitation_likelihood": "very-likely", - "title": "\u003cb\u003eCross-Site Request Forgery (CSRF)\u003c/b\u003e risk at \u003cb\u003eMarketing CMS\u003c/b\u003e via \u003cb\u003eMarketing CMS Editing\u003c/b\u003e from \u003cb\u003eBackoffice Client\u003c/b\u003e", - "synthetic_id": "cross-site-request-forgery@marketing-cms@backoffice-client\u003emarketing-cms-editing", - "most_relevant_technical_asset": "marketing-cms", - "most_relevant_communication_link": "backoffice-client\u003emarketing-cms-editing", - "data_breach_technical_assets": [ - "marketing-cms" - ] - }, - "cross-site-request-forgery@marketing-cms@load-balancer\u003ecms-content-traffic": { - "category": "cross-site-request-forgery", - "severity": "medium", - "exploitation_likelihood": "very-likely", - "title": "\u003cb\u003eCross-Site Request Forgery (CSRF)\u003c/b\u003e risk at \u003cb\u003eMarketing CMS\u003c/b\u003e via \u003cb\u003eCMS Content Traffic\u003c/b\u003e from \u003cb\u003eLoad Balancer\u003c/b\u003e", - "synthetic_id": "cross-site-request-forgery@marketing-cms@load-balancer\u003ecms-content-traffic", - "most_relevant_technical_asset": "marketing-cms", - "most_relevant_communication_link": "load-balancer\u003ecms-content-traffic", - "data_breach_technical_assets": [ - "marketing-cms" - ] - }, - "cross-site-scripting@apache-webserver": { - "category": "cross-site-scripting", - "severity": "elevated", - "exploitation_likelihood": "likely", - "exploitation_impact": "high", - 
"title": "\u003cb\u003eCross-Site Scripting (XSS)\u003c/b\u003e risk at \u003cb\u003eApache Webserver\u003c/b\u003e", - "synthetic_id": "cross-site-scripting@apache-webserver", - "most_relevant_technical_asset": "apache-webserver", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "apache-webserver" - ] - }, - "cross-site-scripting@erp-system": { - "category": "cross-site-scripting", - "severity": "elevated", - "exploitation_likelihood": "likely", - "exploitation_impact": "high", - "title": "\u003cb\u003eCross-Site Scripting (XSS)\u003c/b\u003e risk at \u003cb\u003eBackoffice ERP System\u003c/b\u003e", - "synthetic_id": "cross-site-scripting@erp-system", - "most_relevant_technical_asset": "erp-system", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "erp-system" - ] - }, - "cross-site-scripting@identity-provider": { - "category": "cross-site-scripting", - "severity": "elevated", - "exploitation_likelihood": "likely", - "exploitation_impact": "high", - "title": "\u003cb\u003eCross-Site Scripting (XSS)\u003c/b\u003e risk at \u003cb\u003eIdentity Provider\u003c/b\u003e", - "synthetic_id": "cross-site-scripting@identity-provider", - "most_relevant_technical_asset": "identity-provider", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "identity-provider" - ] - }, - "cross-site-scripting@marketing-cms": { - "category": "cross-site-scripting", - "severity": "elevated", - "exploitation_likelihood": "likely", - "exploitation_impact": "high", - "title": "\u003cb\u003eCross-Site Scripting (XSS)\u003c/b\u003e risk at \u003cb\u003eMarketing CMS\u003c/b\u003e", - "synthetic_id": "cross-site-scripting@marketing-cms", - "most_relevant_technical_asset": "marketing-cms", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "marketing-cms" - ] - }, - "dos-risky-access-across-trust-boundary@apache-webserver@customer-client@customer-client\u003ecustomer-traffic": { - 
"category": "dos-risky-access-across-trust-boundary", - "title": "\u003cb\u003eDenial-of-Service\u003c/b\u003e risky access of \u003cb\u003eApache Webserver\u003c/b\u003e by \u003cb\u003eCustomer Web Client\u003c/b\u003e via \u003cb\u003eCustomer Traffic\u003c/b\u003e forwarded via \u003cb\u003eLoad Balancer\u003c/b\u003e", - "synthetic_id": "dos-risky-access-across-trust-boundary@apache-webserver@customer-client@customer-client\u003ecustomer-traffic", - "most_relevant_technical_asset": "apache-webserver", - "most_relevant_communication_link": "customer-client\u003ecustomer-traffic" - }, - "dos-risky-access-across-trust-boundary@erp-system@apache-webserver@apache-webserver\u003eerp-system-traffic": { - "category": "dos-risky-access-across-trust-boundary", - "title": "\u003cb\u003eDenial-of-Service\u003c/b\u003e risky access of \u003cb\u003eBackoffice ERP System\u003c/b\u003e by \u003cb\u003eApache Webserver\u003c/b\u003e via \u003cb\u003eERP System Traffic\u003c/b\u003e", - "synthetic_id": "dos-risky-access-across-trust-boundary@erp-system@apache-webserver@apache-webserver\u003eerp-system-traffic", - "most_relevant_technical_asset": "erp-system", - "most_relevant_communication_link": "apache-webserver\u003eerp-system-traffic" - }, - "dos-risky-access-across-trust-boundary@erp-system@backoffice-client@backoffice-client\u003eerp-internal-access": { - "category": "dos-risky-access-across-trust-boundary", - "title": "\u003cb\u003eDenial-of-Service\u003c/b\u003e risky access of \u003cb\u003eBackoffice ERP System\u003c/b\u003e by \u003cb\u003eBackoffice Client\u003c/b\u003e via \u003cb\u003eERP Internal Access\u003c/b\u003e", - "synthetic_id": "dos-risky-access-across-trust-boundary@erp-system@backoffice-client@backoffice-client\u003eerp-internal-access", - "most_relevant_technical_asset": "erp-system", - "most_relevant_communication_link": "backoffice-client\u003eerp-internal-access" - }, - 
"dos-risky-access-across-trust-boundary@identity-provider@apache-webserver@apache-webserver\u003eauth-credential-check-traffic": { - "category": "dos-risky-access-across-trust-boundary", - "title": "\u003cb\u003eDenial-of-Service\u003c/b\u003e risky access of \u003cb\u003eIdentity Provider\u003c/b\u003e by \u003cb\u003eApache Webserver\u003c/b\u003e via \u003cb\u003eAuth Credential Check Traffic\u003c/b\u003e", - "synthetic_id": "dos-risky-access-across-trust-boundary@identity-provider@apache-webserver@apache-webserver\u003eauth-credential-check-traffic", - "most_relevant_technical_asset": "identity-provider", - "most_relevant_communication_link": "apache-webserver\u003eauth-credential-check-traffic" - }, - "dos-risky-access-across-trust-boundary@ldap-auth-server@marketing-cms@marketing-cms\u003eauth-traffic": { - "category": "dos-risky-access-across-trust-boundary", - "title": "\u003cb\u003eDenial-of-Service\u003c/b\u003e risky access of \u003cb\u003eLDAP Auth Server\u003c/b\u003e by \u003cb\u003eMarketing CMS\u003c/b\u003e via \u003cb\u003eAuth Traffic\u003c/b\u003e", - "synthetic_id": "dos-risky-access-across-trust-boundary@ldap-auth-server@marketing-cms@marketing-cms\u003eauth-traffic", - "most_relevant_technical_asset": "ldap-auth-server", - "most_relevant_communication_link": "marketing-cms\u003eauth-traffic" - }, - "dos-risky-access-across-trust-boundary@marketing-cms@backoffice-client@backoffice-client\u003emarketing-cms-editing": { - "category": "dos-risky-access-across-trust-boundary", - "title": "\u003cb\u003eDenial-of-Service\u003c/b\u003e risky access of \u003cb\u003eMarketing CMS\u003c/b\u003e by \u003cb\u003eBackoffice Client\u003c/b\u003e via \u003cb\u003eMarketing CMS Editing\u003c/b\u003e", - "synthetic_id": "dos-risky-access-across-trust-boundary@marketing-cms@backoffice-client@backoffice-client\u003emarketing-cms-editing", - "most_relevant_technical_asset": "marketing-cms", - "most_relevant_communication_link": 
"backoffice-client\u003emarketing-cms-editing" - }, - "dos-risky-access-across-trust-boundary@marketing-cms@customer-client@customer-client\u003ecustomer-traffic": { - "category": "dos-risky-access-across-trust-boundary", - "title": "\u003cb\u003eDenial-of-Service\u003c/b\u003e risky access of \u003cb\u003eMarketing CMS\u003c/b\u003e by \u003cb\u003eCustomer Web Client\u003c/b\u003e via \u003cb\u003eCustomer Traffic\u003c/b\u003e forwarded via \u003cb\u003eLoad Balancer\u003c/b\u003e", - "synthetic_id": "dos-risky-access-across-trust-boundary@marketing-cms@customer-client@customer-client\u003ecustomer-traffic", - "most_relevant_technical_asset": "marketing-cms", - "most_relevant_communication_link": "customer-client\u003ecustomer-traffic" - }, - "ldap-injection@identity-provider@ldap-auth-server@identity-provider\u003eldap-credential-check-traffic": { - "category": "ldap-injection", - "severity": "elevated", - "exploitation_likelihood": "likely", - "exploitation_impact": "high", - "title": "\u003cb\u003eLDAP-Injection\u003c/b\u003e risk at \u003cb\u003eIdentity Provider\u003c/b\u003e against LDAP server \u003cb\u003eLDAP Auth Server\u003c/b\u003e via \u003cb\u003eLDAP Credential Check Traffic\u003c/b\u003e", - "synthetic_id": "ldap-injection@identity-provider@ldap-auth-server@identity-provider\u003eldap-credential-check-traffic", - "most_relevant_technical_asset": "identity-provider", - "most_relevant_communication_link": "identity-provider\u003eldap-credential-check-traffic", - "data_breach_probability": "probable", - "data_breach_technical_assets": [ - "ldap-auth-server" - ] - }, - "ldap-injection@marketing-cms@ldap-auth-server@marketing-cms\u003eauth-traffic": { - "category": "ldap-injection", - "severity": "elevated", - "exploitation_likelihood": "likely", - "exploitation_impact": "high", - "title": "\u003cb\u003eLDAP-Injection\u003c/b\u003e risk at \u003cb\u003eMarketing CMS\u003c/b\u003e against LDAP server \u003cb\u003eLDAP Auth Server\u003c/b\u003e via 
\u003cb\u003eAuth Traffic\u003c/b\u003e", - "synthetic_id": "ldap-injection@marketing-cms@ldap-auth-server@marketing-cms\u003eauth-traffic", - "most_relevant_technical_asset": "marketing-cms", - "most_relevant_communication_link": "marketing-cms\u003eauth-traffic", - "data_breach_probability": "probable", - "data_breach_technical_assets": [ - "ldap-auth-server" - ] - }, - "missing-authentication@backend-admin-client\u003edb-update-access@backend-admin-client@sql-database": { - "category": "missing-authentication", - "severity": "medium", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing Two-Factor Authentication\u003c/b\u003e covering communication link \u003cb\u003eDB Update Access\u003c/b\u003e from \u003cb\u003eBackend Admin Client\u003c/b\u003e to \u003cb\u003eCustomer Contract Database\u003c/b\u003e", - "synthetic_id": "missing-authentication@backend-admin-client\u003edb-update-access@backend-admin-client@sql-database", - "most_relevant_technical_asset": "sql-database", - "most_relevant_communication_link": "backend-admin-client\u003edb-update-access", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "sql-database" - ] - }, - "missing-authentication@backend-admin-client\u003eerp-web-access@backend-admin-client@erp-system": { - "category": "missing-authentication", - "severity": "medium", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing Two-Factor Authentication\u003c/b\u003e covering communication link \u003cb\u003eERP Web Access\u003c/b\u003e from \u003cb\u003eBackend Admin Client\u003c/b\u003e to \u003cb\u003eBackoffice ERP System\u003c/b\u003e", - "synthetic_id": "missing-authentication@backend-admin-client\u003eerp-web-access@backend-admin-client@erp-system", - "most_relevant_technical_asset": "erp-system", - "most_relevant_communication_link": "backend-admin-client\u003eerp-web-access", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "erp-system" - ] - }, - 
"missing-authentication@backend-admin-client\u003euser-management-access@backend-admin-client@ldap-auth-server": { - "category": "missing-authentication", - "severity": "medium", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing Two-Factor Authentication\u003c/b\u003e covering communication link \u003cb\u003eUser Management Access\u003c/b\u003e from \u003cb\u003eBackend Admin Client\u003c/b\u003e to \u003cb\u003eLDAP Auth Server\u003c/b\u003e", - "synthetic_id": "missing-authentication@backend-admin-client\u003euser-management-access@backend-admin-client@ldap-auth-server", - "most_relevant_technical_asset": "ldap-auth-server", - "most_relevant_communication_link": "backend-admin-client\u003euser-management-access", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "ldap-auth-server" - ] - }, - "missing-authentication@backoffice-client\u003eerp-internal-access@backoffice-client@erp-system": { - "category": "missing-authentication", - "severity": "medium", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing Two-Factor Authentication\u003c/b\u003e covering communication link \u003cb\u003eERP Internal Access\u003c/b\u003e from \u003cb\u003eBackoffice Client\u003c/b\u003e to \u003cb\u003eBackoffice ERP System\u003c/b\u003e", - "synthetic_id": "missing-authentication@backoffice-client\u003eerp-internal-access@backoffice-client@erp-system", - "most_relevant_technical_asset": "erp-system", - "most_relevant_communication_link": "backoffice-client\u003eerp-internal-access", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "erp-system" - ] - }, - "missing-authentication@erp-system\u003enfs-filesystem-access@erp-system@contract-file-server": { - "category": "missing-authentication", - "severity": "elevated", - "exploitation_likelihood": "likely", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing Authentication\u003c/b\u003e covering communication link \u003cb\u003eNFS 
Filesystem Access\u003c/b\u003e from \u003cb\u003eBackoffice ERP System\u003c/b\u003e to \u003cb\u003eContract Fileserver\u003c/b\u003e", - "synthetic_id": "missing-authentication@erp-system\u003enfs-filesystem-access@erp-system@contract-file-server", - "most_relevant_technical_asset": "contract-file-server", - "most_relevant_communication_link": "erp-system\u003enfs-filesystem-access", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "contract-file-server" - ] - }, - "missing-authentication@external-dev-client\u003egit-repo-code-write-access@external-dev-client@git-repo": { - "category": "missing-authentication", - "severity": "medium", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing Two-Factor Authentication\u003c/b\u003e covering communication link \u003cb\u003eGit-Repo Code Write Access\u003c/b\u003e from \u003cb\u003eExternal Development Client\u003c/b\u003e to \u003cb\u003eGit Repository\u003c/b\u003e", - "synthetic_id": "missing-authentication@external-dev-client\u003egit-repo-code-write-access@external-dev-client@git-repo", - "most_relevant_technical_asset": "git-repo", - "most_relevant_communication_link": "external-dev-client\u003egit-repo-code-write-access", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "git-repo" - ] - }, - "missing-authentication@external-dev-client\u003egit-repo-web-ui-access@external-dev-client@git-repo": { - "category": "missing-authentication", - "severity": "medium", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing Two-Factor Authentication\u003c/b\u003e covering communication link \u003cb\u003eGit-Repo Web-UI Access\u003c/b\u003e from \u003cb\u003eExternal Development Client\u003c/b\u003e to \u003cb\u003eGit Repository\u003c/b\u003e", - "synthetic_id": "missing-authentication@external-dev-client\u003egit-repo-web-ui-access@external-dev-client@git-repo", - "most_relevant_technical_asset": "git-repo", - 
"most_relevant_communication_link": "external-dev-client\u003egit-repo-web-ui-access", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "git-repo" - ] - }, - "missing-authentication@external-dev-client\u003ejenkins-web-ui-access@external-dev-client@jenkins-build-server": { - "category": "missing-authentication", - "severity": "medium", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing Two-Factor Authentication\u003c/b\u003e covering communication link \u003cb\u003eJenkins Web-UI Access\u003c/b\u003e from \u003cb\u003eExternal Development Client\u003c/b\u003e to \u003cb\u003eJenkins Buildserver\u003c/b\u003e", - "synthetic_id": "missing-authentication@external-dev-client\u003ejenkins-web-ui-access@external-dev-client@jenkins-build-server", - "most_relevant_technical_asset": "jenkins-build-server", - "most_relevant_communication_link": "external-dev-client\u003ejenkins-web-ui-access", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "jenkins-build-server" - ] - }, - "missing-authentication@load-balancer\u003ecms-content-traffic@load-balancer@marketing-cms": { - "category": "missing-authentication", - "severity": "medium", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing Two-Factor Authentication\u003c/b\u003e covering communication link \u003cb\u003eCMS Content Traffic\u003c/b\u003e from \u003cb\u003eCustomer Web Client\u003c/b\u003e forwarded via \u003cb\u003eLoad Balancer\u003c/b\u003e to \u003cb\u003eMarketing CMS\u003c/b\u003e", - "synthetic_id": "missing-authentication@load-balancer\u003ecms-content-traffic@load-balancer@marketing-cms", - "most_relevant_technical_asset": "marketing-cms", - "most_relevant_communication_link": "load-balancer\u003ecms-content-traffic", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "marketing-cms" - ] - }, - 
"missing-authentication@load-balancer\u003eweb-application-traffic@load-balancer@apache-webserver": { - "category": "missing-authentication", - "severity": "medium", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing Two-Factor Authentication\u003c/b\u003e covering communication link \u003cb\u003eWeb Application Traffic\u003c/b\u003e from \u003cb\u003eCustomer Web Client\u003c/b\u003e forwarded via \u003cb\u003eLoad Balancer\u003c/b\u003e to \u003cb\u003eApache Webserver\u003c/b\u003e", - "synthetic_id": "missing-authentication@load-balancer\u003eweb-application-traffic@load-balancer@apache-webserver", - "most_relevant_technical_asset": "apache-webserver", - "most_relevant_communication_link": "load-balancer\u003eweb-application-traffic", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "apache-webserver" - ] - }, - "missing-cloud-hardening@apache-webserver": { - "category": "missing-cloud-hardening", - "severity": "elevated", - "exploitation_impact": "very-high", - "title": "\u003cb\u003eMissing Cloud Hardening (EC2)\u003c/b\u003e risk at \u003cb\u003eApache Webserver\u003c/b\u003e: \u003cu\u003eCIS Benchmark for Amazon Linux\u003c/u\u003e", - "synthetic_id": "missing-cloud-hardening@apache-webserver", - "most_relevant_technical_asset": "apache-webserver", - "data_breach_probability": "probable", - "data_breach_technical_assets": [ - "apache-webserver" - ] - }, - "missing-cloud-hardening@application-network": { - "category": "missing-cloud-hardening", - "severity": "elevated", - "exploitation_impact": "very-high", - "title": "\u003cb\u003eMissing Cloud Hardening (AWS)\u003c/b\u003e risk at \u003cb\u003eApplication Network\u003c/b\u003e: \u003cu\u003eCIS Benchmark for AWS\u003c/u\u003e", - "synthetic_id": "missing-cloud-hardening@application-network", - "most_relevant_trust_boundary": "application-network", - "data_breach_probability": "probable", - "data_breach_technical_assets": [ - "load-balancer", - 
"apache-webserver", - "marketing-cms", - "erp-system", - "contract-file-server", - "sql-database", - "identity-provider", - "ldap-auth-server" - ] - }, - "missing-cloud-hardening@contract-file-server": { - "category": "missing-cloud-hardening", - "severity": "medium", - "exploitation_impact": "high", - "title": "\u003cb\u003eMissing Cloud Hardening (S3)\u003c/b\u003e risk at \u003cb\u003eContract Fileserver\u003c/b\u003e: \u003cu\u003eSecurity Best Practices for AWS S3\u003c/u\u003e", - "synthetic_id": "missing-cloud-hardening@contract-file-server", - "most_relevant_technical_asset": "contract-file-server", - "data_breach_probability": "probable", - "data_breach_technical_assets": [ - "contract-file-server" - ] - }, - "missing-cloud-hardening@erp-dmz": { - "category": "missing-cloud-hardening", - "severity": "elevated", - "exploitation_impact": "very-high", - "title": "\u003cb\u003eMissing Cloud Hardening\u003c/b\u003e risk at \u003cb\u003eERP DMZ\u003c/b\u003e", - "synthetic_id": "missing-cloud-hardening@erp-dmz", - "most_relevant_trust_boundary": "erp-dmz", - "data_breach_probability": "probable", - "data_breach_technical_assets": [ - "erp-system", - "contract-file-server", - "sql-database" - ] - }, - "missing-cloud-hardening@web-dmz": { - "category": "missing-cloud-hardening", - "severity": "elevated", - "exploitation_impact": "very-high", - "title": "\u003cb\u003eMissing Cloud Hardening\u003c/b\u003e risk at \u003cb\u003eWeb DMZ\u003c/b\u003e", - "synthetic_id": "missing-cloud-hardening@web-dmz", - "most_relevant_trust_boundary": "web-dmz", - "data_breach_probability": "probable", - "data_breach_technical_assets": [ - "apache-webserver", - "marketing-cms" - ] - }, - "missing-file-validation@apache-webserver": { - "category": "missing-file-validation", - "severity": "elevated", - "exploitation_likelihood": "very-likely", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing File Validation\u003c/b\u003e risk at \u003cb\u003eApache 
Webserver\u003c/b\u003e", - "synthetic_id": "missing-file-validation@apache-webserver", - "most_relevant_technical_asset": "apache-webserver", - "data_breach_probability": "probable", - "data_breach_technical_assets": [ - "apache-webserver" - ] - }, - "missing-hardening@apache-webserver": { - "category": "missing-hardening", - "severity": "elevated", - "exploitation_likelihood": "likely", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing Hardening\u003c/b\u003e risk at \u003cb\u003eApache Webserver\u003c/b\u003e", - "synthetic_id": "missing-hardening@apache-webserver", - "most_relevant_technical_asset": "apache-webserver", - "data_breach_technical_assets": [ - "apache-webserver" - ] - }, - "missing-hardening@erp-system": { - "category": "missing-hardening", - "severity": "elevated", - "exploitation_likelihood": "likely", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing Hardening\u003c/b\u003e risk at \u003cb\u003eBackoffice ERP System\u003c/b\u003e", - "synthetic_id": "missing-hardening@erp-system", - "most_relevant_technical_asset": "erp-system", - "data_breach_technical_assets": [ - "erp-system" - ] - }, - "missing-hardening@identity-provider": { - "category": "missing-hardening", - "severity": "elevated", - "exploitation_likelihood": "likely", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing Hardening\u003c/b\u003e risk at \u003cb\u003eIdentity Provider\u003c/b\u003e", - "synthetic_id": "missing-hardening@identity-provider", - "most_relevant_technical_asset": "identity-provider", - "data_breach_technical_assets": [ - "identity-provider" - ] - }, - "missing-hardening@jenkins-build-server": { - "category": "missing-hardening", - "severity": "elevated", - "exploitation_likelihood": "likely", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing Hardening\u003c/b\u003e risk at \u003cb\u003eJenkins Buildserver\u003c/b\u003e", - "synthetic_id": "missing-hardening@jenkins-build-server", - 
"most_relevant_technical_asset": "jenkins-build-server", - "data_breach_technical_assets": [ - "jenkins-build-server" - ] - }, - "missing-hardening@ldap-auth-server": { - "category": "missing-hardening", - "severity": "elevated", - "exploitation_likelihood": "likely", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing Hardening\u003c/b\u003e risk at \u003cb\u003eLDAP Auth Server\u003c/b\u003e", - "synthetic_id": "missing-hardening@ldap-auth-server", - "most_relevant_technical_asset": "ldap-auth-server", - "data_breach_technical_assets": [ - "ldap-auth-server" - ] - }, - "missing-hardening@sql-database": { - "category": "missing-hardening", - "severity": "elevated", - "exploitation_likelihood": "likely", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing Hardening\u003c/b\u003e risk at \u003cb\u003eCustomer Contract Database\u003c/b\u003e", - "synthetic_id": "missing-hardening@sql-database", - "most_relevant_technical_asset": "sql-database", - "data_breach_technical_assets": [ - "sql-database" - ] - }, - "missing-identity-propagation@apache-webserver\u003eerp-system-traffic@apache-webserver@erp-system": { - "category": "missing-identity-propagation", - "severity": "medium", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing End User Identity Propagation\u003c/b\u003e over communication link \u003cb\u003eERP System Traffic\u003c/b\u003e from \u003cb\u003eApache Webserver\u003c/b\u003e to \u003cb\u003eBackoffice ERP System\u003c/b\u003e", - "synthetic_id": "missing-identity-propagation@apache-webserver\u003eerp-system-traffic@apache-webserver@erp-system", - "most_relevant_technical_asset": "erp-system", - "most_relevant_communication_link": "apache-webserver\u003eerp-system-traffic", - "data_breach_technical_assets": [ - "erp-system" - ] - }, - "missing-network-segmentation@apache-webserver": { - "category": "missing-network-segmentation", - "severity": "medium", - "exploitation_impact": "medium", - "title": 
"\u003cb\u003eMissing Network Segmentation\u003c/b\u003e to further encapsulate and protect \u003cb\u003eApache Webserver\u003c/b\u003e against unrelated lower protected assets in the same network segment, which might be easier to compromise by attackers", - "synthetic_id": "missing-network-segmentation@apache-webserver", - "most_relevant_technical_asset": "apache-webserver", - "data_breach_technical_assets": [ - "apache-webserver" - ] - }, - "missing-network-segmentation@jenkins-build-server": { - "category": "missing-network-segmentation", - "severity": "medium", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing Network Segmentation\u003c/b\u003e to further encapsulate and protect \u003cb\u003eJenkins Buildserver\u003c/b\u003e against unrelated lower protected assets in the same network segment, which might be easier to compromise by attackers", - "synthetic_id": "missing-network-segmentation@jenkins-build-server", - "most_relevant_technical_asset": "jenkins-build-server", - "data_breach_technical_assets": [ - "jenkins-build-server" - ] - }, - "missing-vault@erp-system": { - "category": "missing-vault", - "severity": "medium", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing Vault (Secret Storage)\u003c/b\u003e in the threat model (referencing asset \u003cb\u003eBackoffice ERP System\u003c/b\u003e as an example)", - "synthetic_id": "missing-vault@erp-system", - "most_relevant_technical_asset": "erp-system" - }, - "missing-waf@apache-webserver": { - "category": "missing-waf", - "severity": "medium", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing Web Application Firewall (WAF)\u003c/b\u003e risk at \u003cb\u003eApache Webserver\u003c/b\u003e", - "synthetic_id": "missing-waf@apache-webserver", - "most_relevant_technical_asset": "apache-webserver", - "data_breach_technical_assets": [ - "apache-webserver" - ] - }, - "missing-waf@erp-system": { - "category": "missing-waf", - "severity": "medium", - 
"exploitation_impact": "medium", - "title": "\u003cb\u003eMissing Web Application Firewall (WAF)\u003c/b\u003e risk at \u003cb\u003eBackoffice ERP System\u003c/b\u003e", - "synthetic_id": "missing-waf@erp-system", - "most_relevant_technical_asset": "erp-system", - "data_breach_technical_assets": [ - "erp-system" - ] - }, - "missing-waf@identity-provider": { - "category": "missing-waf", - "severity": "medium", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing Web Application Firewall (WAF)\u003c/b\u003e risk at \u003cb\u003eIdentity Provider\u003c/b\u003e", - "synthetic_id": "missing-waf@identity-provider", - "most_relevant_technical_asset": "identity-provider", - "data_breach_technical_assets": [ - "identity-provider" - ] - }, - "missing-waf@marketing-cms": { - "category": "missing-waf", - "severity": "medium", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMissing Web Application Firewall (WAF)\u003c/b\u003e risk at \u003cb\u003eMarketing CMS\u003c/b\u003e", - "synthetic_id": "missing-waf@marketing-cms", - "most_relevant_technical_asset": "marketing-cms", - "data_breach_technical_assets": [ - "marketing-cms" - ] - }, - "mixed-targets-on-shared-runtime@webapp-virtualization": { - "category": "mixed-targets-on-shared-runtime", - "severity": "medium", - "exploitation_impact": "medium", - "title": "\u003cb\u003eMixed Targets on Shared Runtime\u003c/b\u003e named \u003cb\u003eWebApp and Backoffice Virtualization\u003c/b\u003e might enable attackers moving from one less valuable target to a more valuable one", - "synthetic_id": "mixed-targets-on-shared-runtime@webapp-virtualization", - "most_relevant_shared_runtime": "webapp-virtualization", - "data_breach_technical_assets": [ - "apache-webserver", - "marketing-cms", - "erp-system", - "contract-file-server", - "sql-database" - ] - }, - "path-traversal@erp-system@contract-file-server@erp-system\u003enfs-filesystem-access": { - "category": "path-traversal", - "severity": "elevated", - 
"exploitation_likelihood": "very-likely", - "exploitation_impact": "medium", - "title": "\u003cb\u003ePath-Traversal\u003c/b\u003e risk at \u003cb\u003eBackoffice ERP System\u003c/b\u003e against filesystem \u003cb\u003eContract Fileserver\u003c/b\u003e via \u003cb\u003eNFS Filesystem Access\u003c/b\u003e", - "synthetic_id": "path-traversal@erp-system@contract-file-server@erp-system\u003enfs-filesystem-access", - "most_relevant_technical_asset": "erp-system", - "most_relevant_communication_link": "erp-system\u003enfs-filesystem-access", - "data_breach_probability": "probable", - "data_breach_technical_assets": [ - "contract-file-server" - ] - }, - "push-instead-of-pull-deployment@jenkins-build-server": { - "category": "push-instead-of-pull-deployment", - "severity": "medium", - "exploitation_impact": "medium", - "title": "\u003cb\u003ePush instead of Pull Deployment\u003c/b\u003e at \u003cb\u003eMarketing CMS\u003c/b\u003e via build pipeline asset \u003cb\u003eJenkins Buildserver\u003c/b\u003e", - "synthetic_id": "push-instead-of-pull-deployment@jenkins-build-server", - "most_relevant_technical_asset": "marketing-cms", - "most_relevant_communication_link": "jenkins-build-server\u003ecms-updates", - "data_breach_technical_assets": [ - "marketing-cms" - ] - }, - "server-side-request-forgery@apache-webserver@erp-system@apache-webserver\u003eerp-system-traffic": { - "category": "server-side-request-forgery", - "severity": "elevated", - "exploitation_likelihood": "likely", - "exploitation_impact": "medium", - "title": "\u003cb\u003eServer-Side Request Forgery (SSRF)\u003c/b\u003e risk at \u003cb\u003eApache Webserver\u003c/b\u003e server-side web-requesting the target \u003cb\u003eBackoffice ERP System\u003c/b\u003e via \u003cb\u003eERP System Traffic\u003c/b\u003e", - "synthetic_id": "server-side-request-forgery@apache-webserver@erp-system@apache-webserver\u003eerp-system-traffic", - "most_relevant_technical_asset": "apache-webserver", - 
"most_relevant_communication_link": "apache-webserver\u003eerp-system-traffic", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "apache-webserver", - "marketing-cms" - ] - }, - "server-side-request-forgery@apache-webserver@identity-provider@apache-webserver\u003eauth-credential-check-traffic": { - "category": "server-side-request-forgery", - "severity": "elevated", - "exploitation_likelihood": "likely", - "exploitation_impact": "medium", - "title": "\u003cb\u003eServer-Side Request Forgery (SSRF)\u003c/b\u003e risk at \u003cb\u003eApache Webserver\u003c/b\u003e server-side web-requesting the target \u003cb\u003eIdentity Provider\u003c/b\u003e via \u003cb\u003eAuth Credential Check Traffic\u003c/b\u003e", - "synthetic_id": "server-side-request-forgery@apache-webserver@identity-provider@apache-webserver\u003eauth-credential-check-traffic", - "most_relevant_technical_asset": "apache-webserver", - "most_relevant_communication_link": "apache-webserver\u003eauth-credential-check-traffic", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "apache-webserver", - "marketing-cms" - ] - }, - "something-strange@contract-file-server": { - "category": "something-strange", - "severity": "medium", - "exploitation_likelihood": "frequent", - "exploitation_impact": "very-high", - "title": "\u003cb\u003eExample Individual Risk\u003c/b\u003e at \u003cb\u003eContract Filesystem\u003c/b\u003e", - "synthetic_id": "something-strange@contract-file-server", - "most_relevant_technical_asset": "contract-file-server" - }, - "something-strange@sql-database": { - "category": "something-strange", - "severity": "critical", - "exploitation_likelihood": "likely", - "exploitation_impact": "medium", - "title": "\u003cb\u003eExample Individual Risk\u003c/b\u003e at \u003cb\u003eDatabase\u003c/b\u003e", - "synthetic_id": "something-strange@sql-database", - "most_relevant_technical_asset": "sql-database", - "data_breach_probability": "probable", - 
"data_breach_technical_assets": [ - "sql-database" - ] - }, - "sql-nosql-injection@erp-system@sql-database@erp-system\u003edatabase-traffic": { - "category": "sql-nosql-injection", - "severity": "high", - "exploitation_likelihood": "very-likely", - "exploitation_impact": "high", - "title": "\u003cb\u003eSQL/NoSQL-Injection\u003c/b\u003e risk at \u003cb\u003eBackoffice ERP System\u003c/b\u003e against database \u003cb\u003eCustomer Contract Database\u003c/b\u003e via \u003cb\u003eDatabase Traffic\u003c/b\u003e", - "synthetic_id": "sql-nosql-injection@erp-system@sql-database@erp-system\u003edatabase-traffic", - "most_relevant_technical_asset": "erp-system", - "most_relevant_communication_link": "erp-system\u003edatabase-traffic", - "data_breach_probability": "probable", - "data_breach_technical_assets": [ - "sql-database" - ] - }, - "unchecked-deployment@external-dev-client": { - "category": "unchecked-deployment", - "severity": "medium", - "exploitation_impact": "medium", - "title": "\u003cb\u003eUnchecked Deployment\u003c/b\u003e risk at \u003cb\u003eExternal Development Client\u003c/b\u003e", - "synthetic_id": "unchecked-deployment@external-dev-client", - "most_relevant_technical_asset": "external-dev-client", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "external-dev-client", - "git-repo", - "jenkins-build-server" - ] - }, - "unchecked-deployment@git-repo": { - "category": "unchecked-deployment", - "title": "\u003cb\u003eUnchecked Deployment\u003c/b\u003e risk at \u003cb\u003eGit Repository\u003c/b\u003e", - "synthetic_id": "unchecked-deployment@git-repo", - "most_relevant_technical_asset": "git-repo", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "git-repo" - ] - }, - "unchecked-deployment@jenkins-build-server": { - "category": "unchecked-deployment", - "severity": "medium", - "exploitation_impact": "medium", - "title": "\u003cb\u003eUnchecked Deployment\u003c/b\u003e risk at \u003cb\u003eJenkins 
Buildserver\u003c/b\u003e", - "synthetic_id": "unchecked-deployment@jenkins-build-server", - "most_relevant_technical_asset": "jenkins-build-server", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "marketing-cms", - "jenkins-build-server", - "apache-webserver" - ] - }, - "unencrypted-asset@apache-webserver": { - "category": "unencrypted-asset", - "severity": "medium", - "exploitation_impact": "high", - "title": "\u003cb\u003eUnencrypted Technical Asset\u003c/b\u003e named \u003cb\u003eApache Webserver\u003c/b\u003e", - "synthetic_id": "unencrypted-asset@apache-webserver", - "most_relevant_technical_asset": "apache-webserver", - "data_breach_technical_assets": [ - "apache-webserver" - ] - }, - "unencrypted-asset@contract-file-server": { - "category": "unencrypted-asset", - "severity": "medium", - "exploitation_impact": "medium", - "title": "\u003cb\u003eUnencrypted Technical Asset\u003c/b\u003e named \u003cb\u003eContract Fileserver\u003c/b\u003e", - "synthetic_id": "unencrypted-asset@contract-file-server", - "most_relevant_technical_asset": "contract-file-server", - "data_breach_technical_assets": [ - "contract-file-server" - ] - }, - "unencrypted-asset@erp-system": { - "category": "unencrypted-asset", - "severity": "medium", - "exploitation_impact": "high", - "title": "\u003cb\u003eUnencrypted Technical Asset\u003c/b\u003e named \u003cb\u003eBackoffice ERP System\u003c/b\u003e missing end user individual encryption with data-with-end-user-individual-key", - "synthetic_id": "unencrypted-asset@erp-system", - "most_relevant_technical_asset": "erp-system", - "data_breach_technical_assets": [ - "erp-system" - ] - }, - "unencrypted-asset@git-repo": { - "category": "unencrypted-asset", - "severity": "medium", - "exploitation_impact": "high", - "title": "\u003cb\u003eUnencrypted Technical Asset\u003c/b\u003e named \u003cb\u003eGit Repository\u003c/b\u003e", - "synthetic_id": "unencrypted-asset@git-repo", - "most_relevant_technical_asset": 
"git-repo", - "data_breach_technical_assets": [ - "git-repo" - ] - }, - "unencrypted-asset@identity-provider": { - "category": "unencrypted-asset", - "severity": "medium", - "exploitation_impact": "high", - "title": "\u003cb\u003eUnencrypted Technical Asset\u003c/b\u003e named \u003cb\u003eIdentity Provider\u003c/b\u003e", - "synthetic_id": "unencrypted-asset@identity-provider", - "most_relevant_technical_asset": "identity-provider", - "data_breach_technical_assets": [ - "identity-provider" - ] - }, - "unencrypted-asset@jenkins-build-server": { - "category": "unencrypted-asset", - "severity": "medium", - "exploitation_impact": "high", - "title": "\u003cb\u003eUnencrypted Technical Asset\u003c/b\u003e named \u003cb\u003eJenkins Buildserver\u003c/b\u003e", - "synthetic_id": "unencrypted-asset@jenkins-build-server", - "most_relevant_technical_asset": "jenkins-build-server", - "data_breach_technical_assets": [ - "jenkins-build-server" - ] - }, - "unencrypted-asset@marketing-cms": { - "category": "unencrypted-asset", - "severity": "medium", - "exploitation_impact": "high", - "title": "\u003cb\u003eUnencrypted Technical Asset\u003c/b\u003e named \u003cb\u003eMarketing CMS\u003c/b\u003e", - "synthetic_id": "unencrypted-asset@marketing-cms", - "most_relevant_technical_asset": "marketing-cms", - "data_breach_technical_assets": [ - "marketing-cms" - ] - }, - "unencrypted-asset@sql-database": { - "category": "unencrypted-asset", - "severity": "medium", - "exploitation_impact": "medium", - "title": "\u003cb\u003eUnencrypted Technical Asset\u003c/b\u003e named \u003cb\u003eCustomer Contract Database\u003c/b\u003e missing end user individual encryption with data-with-end-user-individual-key", - "synthetic_id": "unencrypted-asset@sql-database", - "most_relevant_technical_asset": "sql-database", - "data_breach_technical_assets": [ - "sql-database" - ] - }, - "unencrypted-communication@erp-system\u003edatabase-traffic@erp-system@sql-database": { - "category": 
"unencrypted-communication", - "severity": "medium", - "exploitation_impact": "high", - "title": "\u003cb\u003eUnencrypted Communication\u003c/b\u003e named \u003cb\u003eDatabase Traffic\u003c/b\u003e between \u003cb\u003eBackoffice ERP System\u003c/b\u003e and \u003cb\u003eCustomer Contract Database\u003c/b\u003e transferring authentication data (like credentials, token, session-id, etc.)", - "synthetic_id": "unencrypted-communication@erp-system\u003edatabase-traffic@erp-system@sql-database", - "most_relevant_technical_asset": "erp-system", - "most_relevant_communication_link": "erp-system\u003edatabase-traffic", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "sql-database" - ] - }, - "unencrypted-communication@erp-system\u003enfs-filesystem-access@erp-system@contract-file-server": { - "category": "unencrypted-communication", - "severity": "medium", - "exploitation_impact": "medium", - "title": "\u003cb\u003eUnencrypted Communication\u003c/b\u003e named \u003cb\u003eNFS Filesystem Access\u003c/b\u003e between \u003cb\u003eBackoffice ERP System\u003c/b\u003e and \u003cb\u003eContract Fileserver\u003c/b\u003e", - "synthetic_id": "unencrypted-communication@erp-system\u003enfs-filesystem-access@erp-system@contract-file-server", - "most_relevant_technical_asset": "erp-system", - "most_relevant_communication_link": "erp-system\u003enfs-filesystem-access", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "contract-file-server" - ] - }, - "unencrypted-communication@load-balancer\u003eweb-application-traffic@load-balancer@apache-webserver": { - "category": "unencrypted-communication", - "severity": "elevated", - "exploitation_likelihood": "likely", - "exploitation_impact": "high", - "title": "\u003cb\u003eUnencrypted Communication\u003c/b\u003e named \u003cb\u003eWeb Application Traffic\u003c/b\u003e between \u003cb\u003eLoad Balancer\u003c/b\u003e and \u003cb\u003eApache Webserver\u003c/b\u003e transferring 
authentication data (like credentials, token, session-id, etc.)", - "synthetic_id": "unencrypted-communication@load-balancer\u003eweb-application-traffic@load-balancer@apache-webserver", - "most_relevant_technical_asset": "load-balancer", - "most_relevant_communication_link": "load-balancer\u003eweb-application-traffic", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "apache-webserver" - ] - }, - "unencrypted-communication@marketing-cms\u003eauth-traffic@marketing-cms@ldap-auth-server": { - "category": "unencrypted-communication", - "severity": "elevated", - "exploitation_likelihood": "likely", - "exploitation_impact": "high", - "title": "\u003cb\u003eUnencrypted Communication\u003c/b\u003e named \u003cb\u003eAuth Traffic\u003c/b\u003e between \u003cb\u003eMarketing CMS\u003c/b\u003e and \u003cb\u003eLDAP Auth Server\u003c/b\u003e transferring authentication data (like credentials, token, session-id, etc.)", - "synthetic_id": "unencrypted-communication@marketing-cms\u003eauth-traffic@marketing-cms@ldap-auth-server", - "most_relevant_technical_asset": "marketing-cms", - "most_relevant_communication_link": "marketing-cms\u003eauth-traffic", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "ldap-auth-server" - ] - }, - "unguarded-access-from-internet@git-repo@external-dev-client@external-dev-client\u003egit-repo-code-write-access": { - "category": "unguarded-access-from-internet", - "severity": "elevated", - "exploitation_likelihood": "very-likely", - "exploitation_impact": "medium", - "title": "\u003cb\u003eUnguarded Access from Internet\u003c/b\u003e of \u003cb\u003eGit Repository\u003c/b\u003e by \u003cb\u003eExternal Development Client\u003c/b\u003e via \u003cb\u003eGit-Repo Code Write Access\u003c/b\u003e", - "synthetic_id": "unguarded-access-from-internet@git-repo@external-dev-client@external-dev-client\u003egit-repo-code-write-access", - "most_relevant_technical_asset": "git-repo", - 
"most_relevant_communication_link": "external-dev-client\u003egit-repo-code-write-access", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "git-repo" - ] - }, - "unguarded-access-from-internet@git-repo@external-dev-client@external-dev-client\u003egit-repo-web-ui-access": { - "category": "unguarded-access-from-internet", - "severity": "elevated", - "exploitation_likelihood": "very-likely", - "exploitation_impact": "medium", - "title": "\u003cb\u003eUnguarded Access from Internet\u003c/b\u003e of \u003cb\u003eGit Repository\u003c/b\u003e by \u003cb\u003eExternal Development Client\u003c/b\u003e via \u003cb\u003eGit-Repo Web-UI Access\u003c/b\u003e", - "synthetic_id": "unguarded-access-from-internet@git-repo@external-dev-client@external-dev-client\u003egit-repo-web-ui-access", - "most_relevant_technical_asset": "git-repo", - "most_relevant_communication_link": "external-dev-client\u003egit-repo-web-ui-access", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "git-repo" - ] - }, - "unguarded-access-from-internet@jenkins-build-server@external-dev-client@external-dev-client\u003ejenkins-web-ui-access": { - "category": "unguarded-access-from-internet", - "severity": "elevated", - "exploitation_likelihood": "very-likely", - "exploitation_impact": "medium", - "title": "\u003cb\u003eUnguarded Access from Internet\u003c/b\u003e of \u003cb\u003eJenkins Buildserver\u003c/b\u003e by \u003cb\u003eExternal Development Client\u003c/b\u003e via \u003cb\u003eJenkins Web-UI Access\u003c/b\u003e", - "synthetic_id": "unguarded-access-from-internet@jenkins-build-server@external-dev-client@external-dev-client\u003ejenkins-web-ui-access", - "most_relevant_technical_asset": "jenkins-build-server", - "most_relevant_communication_link": "external-dev-client\u003ejenkins-web-ui-access", - "data_breach_probability": "possible", - "data_breach_technical_assets": [ - "jenkins-build-server" - ] - }, - 
"untrusted-deserialization@erp-system": { - "category": "untrusted-deserialization", - "severity": "elevated", - "exploitation_likelihood": "likely", - "exploitation_impact": "very-high", - "title": "\u003cb\u003eUntrusted Deserialization\u003c/b\u003e risk at \u003cb\u003eBackoffice ERP System\u003c/b\u003e", - "synthetic_id": "untrusted-deserialization@erp-system", - "most_relevant_technical_asset": "erp-system", - "data_breach_probability": "probable", - "data_breach_technical_assets": [ - "erp-system" - ] - }, - "untrusted-deserialization@jenkins-build-server": { - "category": "untrusted-deserialization", - "severity": "elevated", - "exploitation_likelihood": "likely", - "exploitation_impact": "very-high", - "title": "\u003cb\u003eUntrusted Deserialization\u003c/b\u003e risk at \u003cb\u003eJenkins Buildserver\u003c/b\u003e", - "synthetic_id": "untrusted-deserialization@jenkins-build-server", - "most_relevant_technical_asset": "jenkins-build-server", - "data_breach_probability": "probable", - "data_breach_technical_assets": [ - "jenkins-build-server" - ] - }, - "xml-external-entity@erp-system": { - "category": "xml-external-entity", - "severity": "high", - "exploitation_likelihood": "very-likely", - "exploitation_impact": "high", - "title": "\u003cb\u003eXML External Entity (XXE)\u003c/b\u003e risk at \u003cb\u003eBackoffice ERP System\u003c/b\u003e", - "synthetic_id": "xml-external-entity@erp-system", - "most_relevant_technical_asset": "erp-system", - "data_breach_probability": "probable", - "data_breach_technical_assets": [ - "erp-system" - ] - } - } -} \ No newline at end of file diff --git a/parsed-model.yaml b/parsed-model.yaml deleted file mode 100644 index 628ae27c..00000000 --- a/parsed-model.yaml +++ /dev/null 
@@ -1,4331 +0,0 @@ -threagile_version: 1.0.0 -title: Some Example Application -author: - name: John Doe - homepage: www.example.com -date: "2020-07-01" -business_overview: - description: Some more demo text here and even images... -technical_overview: - description: Some more demo text here and even images... -business_criticality: important -management_summary_comment: | - Just some more custom summary possible here... -security_requirements: - EU-DSGVO: Mandatory EU-Datenschutzgrundverordnung - Input Validation: Strict input validation is required to reduce the overall attack surface. - Securing Administrative Access: Administrative access must be secured with strong encryption and multi-factor authentication. -questions: - How are the admin clients managed/protected against compromise?: "" - How are the build pipeline components managed/protected against compromise?: | - Managed by XYZ - How are the development clients managed/protected against compromise?: | - Managed by XYZ -abuse_cases: - CPU-Cycle Theft: | - As a hacker I want to steal CPU cycles in order to transform them into money via installed crypto currency miners. - Contract Filesystem Compromise: | - As a hacker I want to access the filesystem storing the contract PDFs in order to steal/modify contract data. - Cross-Site Scripting Attacks: | - As a hacker I want to execute Cross-Site Scripting (XSS) and similar attacks in order to takeover victim sessions and cause reputational damage. - Database Compromise: | - As a hacker I want to access the database backend of the ERP-System in order to steal/modify sensitive business data. - Denial-of-Service: | - As a hacker I want to disturb the functionality of the backend system in order to cause indirect financial damage via unusable features. 
- Denial-of-Service of ERP/DB Functionality: | - As a hacker I want to disturb the functionality of the ERP system and/or it's database in order to cause indirect financial damage via unusable internal ERP features (not related to customer portal). - Denial-of-Service of End-User Functionality: | - As a hacker I want to disturb the functionality of the end-user parts of the application in order to cause direct financial damage (lower sales). - ERP-System Compromise: | - As a hacker I want to access the ERP-System in order to steal/modify sensitive business data. - Identity Theft: | - As a hacker I want to steal identity data in order to reuse credentials and/or keys on other targets of the same company or outside. - PII Theft: | - As a hacker I want to steal PII (Personally Identifiable Information) data in order to blackmail the company and/or damage their repudiation by publishing them. - Ransomware: | - As a hacker I want to encrypt the storage and file systems in order to demand ransom. -tags_available: - - linux - - apache - - mysql - - jboss - - keycloak - - jenkins - - git - - oracle - - some-erp - - vmware - - aws - - aws:ec2 - - aws:s3 -data_assets: - build-job-config: - id: build-job-config - title: Build Job Config - description: Data for customizing of the build job system. - usage: devops - origin: Company XYZ - owner: Company XYZ - confidentiality: restricted - integrity: critical - availability: operational - justification_cia_rating: | - Data for customizing of the build job system. - client-application-code: - id: client-application-code - title: Client Application Code - description: Angular and other client-side code delivered by the application. 
- usage: devops - origin: Company ABC - owner: Company ABC - integrity: critical - availability: important - justification_cia_rating: | - The integrity of the public data is critical to avoid reputational damage and the availability is important on the long-term scale (but not critical) to keep the growth rate of the customer base steady. - contract-summaries: - id: contract-summaries - title: Customer Contract Summaries - description: Customer Contract Summaries - origin: Customer - owner: Company XYZ - confidentiality: restricted - integrity: operational - availability: operational - justification_cia_rating: | - Just some summaries. - customer-accounts: - id: customer-accounts - title: Customer Accounts - description: Customer Accounts (including transient credentials when entered for checking them) - origin: Customer - owner: Company XYZ - quantity: many - confidentiality: strictly-confidential - integrity: critical - availability: critical - justification_cia_rating: | - Customer account data for using the portal are required to be available to offer the portal functionality. - customer-contracts: - id: customer-contracts - title: Customer Contracts - description: Customer Contracts (PDF) - origin: Customer - owner: Company XYZ - quantity: many - confidentiality: confidential - integrity: critical - availability: operational - justification_cia_rating: | - Contract data might contain financial data as well as personally identifiable information (PII). The integrity and availability of contract data is required for clearing payment disputes. 
- customer-operational-data: - id: customer-operational-data - title: Customer Operational Data - description: Customer Operational Data - origin: Customer - owner: Company XYZ - quantity: many - confidentiality: confidential - integrity: critical - availability: critical - justification_cia_rating: | - Customer operational data for using the portal are required to be available to offer the portal functionality and are used in the backend transactions. - db-dumps: - id: db-dumps - title: Database Customizing and Dumps - description: Data for customizing of the DB system, which might include full database dumps. - usage: devops - tags: - - oracle - origin: Company XYZ - owner: Company XYZ - confidentiality: strictly-confidential - integrity: critical - availability: critical - justification_cia_rating: | - Data for customizing of the DB system, which might include full database dumps. - erp-customizing: - id: erp-customizing - title: ERP Customizing Data - description: Data for customizing of the ERP system. - usage: devops - origin: Company XYZ - owner: Company XYZ - confidentiality: confidential - integrity: critical - availability: critical - justification_cia_rating: | - Data for customizing of the ERP system. - erp-logs: - id: erp-logs - title: ERP Logs - description: Logs generated by the ERP system. - usage: devops - origin: Company XYZ - owner: Company XYZ - quantity: many - confidentiality: restricted - justification_cia_rating: | - Logs should not contain PII data and are only required for failure analysis, i.e. they are not considered as hard transactional logs. - internal-business-data: - id: internal-business-data - title: Some Internal Business Data - description: Internal business data of the ERP system used unrelated to the customer-facing processes. 
- origin: Company XYZ - owner: Company XYZ - quantity: few - confidentiality: strictly-confidential - integrity: critical - availability: critical - justification_cia_rating: | - Data used and/or generated during unrelated other usecases of the ERP-system (when used also by Company XYZ for internal non-customer-portal-related stuff). - marketing-material: - id: marketing-material - title: Marketing Material - description: Website and marketing data to inform potential customers and generate new leads. - usage: devops - origin: Company ABC - owner: Company ABC - integrity: important - availability: important - justification_cia_rating: | - The integrity of the public data is critical to avoid reputational damage and the availability is important on the long-term scale (but not critical) to keep the growth rate of the customer base steady. - server-application-code: - id: server-application-code - title: Server Application Code - description: API and other server-side code of the application. - usage: devops - origin: Company ABC - owner: Company ABC - confidentiality: internal - integrity: mission-critical - availability: important - justification_cia_rating: | - The integrity of the API code is critical to avoid reputational damage and the availability is important on the long-term scale (but not critical) to keep the growth rate of the customer base steady. -technical_assets: - apache-webserver: - id: apache-webserver - title: Apache Webserver - description: Apache Webserver hosting the API code and client-side code - type: process - size: application - technology: web-server - machine: container - custom_developed_parts: true - owner: Company ABC - confidentiality: strictly-confidential - integrity: mission-critical - availability: critical - justification_cia_rating: | - The correct configuration and reachability of the web server is mandatory for all customer usages of the portal. 
- tags: - - linux - - apache - - aws:ec2 - data_assets_processed: - - client-application-code - - server-application-code - - customer-accounts - - customer-operational-data - - customer-contracts - - internal-business-data - data_assets_stored: - - client-application-code - - server-application-code - data_formats_accepted: - - json - - file - communication_links: - - id: apache-webserver>erp-system-traffic - source_id: apache-webserver - target_id: erp-system - title: ERP System Traffic - description: Link to the ERP system - protocol: https - authentication: token - authorization: technical-user - data_assets_sent: - - customer-accounts - - customer-operational-data - - internal-business-data - data_assets_received: - - customer-accounts - - customer-operational-data - - customer-contracts - - internal-business-data - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - - id: apache-webserver>auth-credential-check-traffic - source_id: apache-webserver - target_id: identity-provider - title: Auth Credential Check Traffic - description: Link to the identity provider server - protocol: https - authentication: credentials - authorization: technical-user - data_assets_sent: - - customer-accounts - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - raa: 60.6120919375654 - backend-admin-client: - id: backend-admin-client - title: Backend Admin Client - description: Backend admin client - usage: devops - size: component - technology: browser - out_of_scope: true - used_as_client_by_human: true - justification_out_of_scope: Owned and managed by ops provider - owner: Company XYZ - confidentiality: strictly-confidential - integrity: critical - availability: critical - justification_cia_rating: | - The client used by Company XYZ to administer the system. 
- data_assets_processed: - - erp-logs - - erp-customizing - - db-dumps - - customer-accounts - - customer-operational-data - communication_links: - - id: backend-admin-client>erp-web-access - source_id: backend-admin-client - target_id: erp-system - title: ERP Web Access - description: Link to the ERP system (Web) - protocol: https - authentication: token - authorization: technical-user - usage: devops - data_assets_sent: - - erp-customizing - data_assets_received: - - erp-logs - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - - id: backend-admin-client>db-update-access - source_id: backend-admin-client - target_id: sql-database - title: DB Update Access - description: Link to the database (JDBC tunneled via SSH) - protocol: ssh - authentication: client-certificate - authorization: technical-user - usage: devops - data_assets_sent: - - db-dumps - data_assets_received: - - db-dumps - - erp-logs - - customer-accounts - - customer-operational-data - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - - id: backend-admin-client>user-management-access - source_id: backend-admin-client - target_id: ldap-auth-server - title: User Management Access - description: Link to the LDAP auth server for managing users - protocol: ldaps - authentication: credentials - authorization: technical-user - usage: devops - data_assets_sent: - - customer-accounts - data_assets_received: - - customer-accounts - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - raa: 1 - backoffice-client: - id: backoffice-client - title: Backoffice Client - description: Backoffice client - size: component - technology: desktop - out_of_scope: true - used_as_client_by_human: true - justification_out_of_scope: Owned and managed by Company XYZ company - owner: Company XYZ - confidentiality: strictly-confidential - integrity: critical - availability: critical - justification_cia_rating: | - The client used by Company XYZ to administer and use the system. 
- data_assets_processed: - - customer-contracts - - internal-business-data - - erp-logs - - marketing-material - communication_links: - - id: backoffice-client>marketing-cms-editing - source_id: backoffice-client - target_id: marketing-cms - title: Marketing CMS Editing - description: Link to the CMS for editing content - protocol: https - vpn: true - authentication: token - authorization: end-user-identity-propagation - data_assets_sent: - - marketing-material - data_assets_received: - - marketing-material - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - - id: backoffice-client>erp-internal-access - source_id: backoffice-client - target_id: erp-system - title: ERP Internal Access - description: Link to the ERP system - protocol: https - tags: - - some-erp - vpn: true - authentication: token - authorization: end-user-identity-propagation - data_assets_sent: - - internal-business-data - data_assets_received: - - customer-contracts - - internal-business-data - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - raa: 1 - contract-file-server: - id: contract-file-server - title: Contract Fileserver - description: NFS Filesystem for storing the contract PDFs - type: datastore - size: component - technology: file-server - machine: virtual - owner: Company ABC - confidentiality: confidential - integrity: critical - availability: important - justification_cia_rating: | - Contract data might contain financial data as well as personally identifiable information (PII). The integrity and availability of contract data is required for clearing payment disputes. The filesystem is also required to be available for storing new contracts of freshly generated customers. 
- tags: - - linux - - aws:s3 - data_assets_processed: - - customer-contracts - - contract-summaries - data_assets_stored: - - customer-contracts - - contract-summaries - data_formats_accepted: - - file - raa: 33.2657200811359 - customer-client: - id: customer-client - title: Customer Web Client - description: Customer Web Client - size: component - technology: browser - internet: true - out_of_scope: true - used_as_client_by_human: true - justification_out_of_scope: Owned and managed by end-user customer - owner: Customer - confidentiality: strictly-confidential - integrity: critical - availability: critical - justification_cia_rating: | - The client used by the customer to access the system. - data_assets_processed: - - customer-accounts - - customer-operational-data - - customer-contracts - - client-application-code - - marketing-material - communication_links: - - id: customer-client>customer-traffic - source_id: customer-client - target_id: load-balancer - title: Customer Traffic - description: Link to the load balancer - protocol: https - authentication: session-id - authorization: end-user-identity-propagation - data_assets_sent: - - customer-accounts - - customer-operational-data - data_assets_received: - - customer-accounts - - customer-operational-data - - customer-contracts - - client-application-code - - marketing-material - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - raa: 1 - erp-system: - id: erp-system - title: Backoffice ERP System - description: ERP system - type: process - technology: erp - machine: virtual - redundant: true - owner: Company ABC - confidentiality: strictly-confidential - integrity: mission-critical - availability: mission-critical - justification_cia_rating: | - The ERP system contains business-relevant sensitive data for the leasing processes and eventually also for other Company XYZ internal processes. 
- tags: - - linux - data_assets_processed: - - erp-logs - - customer-accounts - - customer-operational-data - - customer-contracts - - internal-business-data - - erp-customizing - data_assets_stored: - - erp-logs - data_formats_accepted: - - xml - - file - - serialization - communication_links: - - id: erp-system>database-traffic - source_id: erp-system - target_id: sql-database - title: Database Traffic - description: Link to the DB system - protocol: jdbc - authentication: credentials - authorization: technical-user - data_assets_sent: - - customer-accounts - - customer-operational-data - - internal-business-data - data_assets_received: - - customer-accounts - - customer-operational-data - - internal-business-data - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - - id: erp-system>nfs-filesystem-access - source_id: erp-system - target_id: contract-file-server - title: NFS Filesystem Access - description: Link to the file system - protocol: nfs - data_assets_sent: - - customer-contracts - data_assets_received: - - customer-contracts - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - raa: 62.062039616154216 - external-dev-client: - id: external-dev-client - title: External Development Client - description: External developer client - usage: devops - technology: devops-client - internet: true - multi_tenant: true - out_of_scope: true - used_as_client_by_human: true - justification_out_of_scope: Owned and managed by external developers - owner: External Developers - confidentiality: confidential - integrity: mission-critical - availability: important - justification_cia_rating: | - The clients used by external developers to create parts of the application code. 
- tags: - - linux - data_assets_processed: - - client-application-code - - server-application-code - - build-job-config - data_assets_stored: - - client-application-code - - server-application-code - data_formats_accepted: - - file - communication_links: - - id: external-dev-client>git-repo-code-write-access - source_id: external-dev-client - target_id: git-repo - title: Git-Repo Code Write Access - description: Link to the Git repo - protocol: ssh - authentication: client-certificate - authorization: technical-user - usage: devops - data_assets_sent: - - client-application-code - - server-application-code - data_assets_received: - - client-application-code - - server-application-code - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - - id: external-dev-client>git-repo-web-ui-access - source_id: external-dev-client - target_id: git-repo - title: Git-Repo Web-UI Access - description: Link to the Git repo - protocol: https - authentication: token - authorization: technical-user - usage: devops - data_assets_sent: - - client-application-code - - server-application-code - data_assets_received: - - client-application-code - - server-application-code - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - - id: external-dev-client>jenkins-web-ui-access - source_id: external-dev-client - target_id: jenkins-build-server - title: Jenkins Web-UI Access - description: Link to the Jenkins build server - protocol: https - authentication: credentials - authorization: technical-user - usage: devops - data_assets_sent: - - build-job-config - data_assets_received: - - build-job-config - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - raa: 1 - git-repo: - id: git-repo - title: Git Repository - description: Git repository server - usage: devops - type: process - technology: sourcecode-repository - machine: virtual - multi_tenant: true - owner: Company ABC - confidentiality: confidential - integrity: mission-critical - availability: important - 
justification_cia_rating: | - The code repo pipeline might contain sensitive configuration values like backend credentials, certificates etc. and is therefore rated as confidential. - tags: - - linux - - git - data_assets_processed: - - client-application-code - - server-application-code - data_assets_stored: - - client-application-code - - server-application-code - data_formats_accepted: - - file - raa: 31.49087221095335 - identity-provider: - id: identity-provider - title: Identity Provider - description: Identity provider server - type: process - size: component - technology: identity-provider - machine: virtual - owner: Company ABC - confidentiality: strictly-confidential - integrity: critical - availability: critical - justification_cia_rating: | - The auth data of the application - tags: - - linux - - jboss - - keycloak - data_assets_processed: - - customer-accounts - communication_links: - - id: identity-provider>ldap-credential-check-traffic - source_id: identity-provider - target_id: ldap-auth-server - title: LDAP Credential Check Traffic - description: Link to the LDAP server - protocol: ldaps - authentication: credentials - authorization: technical-user - data_assets_sent: - - customer-accounts - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - raa: 40.999362954246536 - jenkins-build-server: - id: jenkins-build-server - title: Jenkins Buildserver - description: Jenkins build-server - usage: devops - type: process - technology: build-pipeline - machine: virtual - multi_tenant: true - owner: Company ABC - confidentiality: confidential - integrity: mission-critical - availability: important - justification_cia_rating: | - The build pipeline might contain sensitive configuration values like backend credentials, certificates etc. and is therefore rated as confidential. The integrity and availability is rated as critical and important due to the risk of reputation damage and application update unavailability when the build pipeline is compromised. 
- tags: - - linux - - jenkins - data_assets_processed: - - build-job-config - - client-application-code - - server-application-code - - marketing-material - data_assets_stored: - - build-job-config - - client-application-code - - server-application-code - - marketing-material - data_formats_accepted: - - file - - serialization - communication_links: - - id: jenkins-build-server>git-repo-code-read-access - source_id: jenkins-build-server - target_id: git-repo - title: Git Repo Code Read Access - description: Link to the Git repository server - protocol: ssh - readonly: true - authentication: client-certificate - authorization: technical-user - usage: devops - data_assets_received: - - client-application-code - - server-application-code - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - - id: jenkins-build-server>application-deployment - source_id: jenkins-build-server - target_id: apache-webserver - title: Application Deployment - description: Link to the Apache webserver - protocol: ssh - authentication: client-certificate - authorization: technical-user - usage: devops - data_assets_sent: - - client-application-code - - server-application-code - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - - id: jenkins-build-server>cms-updates - source_id: jenkins-build-server - target_id: marketing-cms - title: CMS Updates - description: Link to the CMS - protocol: ssh - authentication: client-certificate - authorization: technical-user - usage: devops - data_assets_sent: - - marketing-material - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - raa: 60.099849550227866 - ldap-auth-server: - id: ldap-auth-server - title: LDAP Auth Server - description: LDAP authentication server - type: datastore - size: component - technology: identity-store-ldap - encryption: transparent - owner: Company ABC - confidentiality: strictly-confidential - integrity: critical - availability: critical - justification_cia_rating: | - The auth data of the application - 
tags: - - linux - data_assets_processed: - - customer-accounts - data_assets_stored: - - customer-accounts - raa: 51.34381338742393 - load-balancer: - id: load-balancer - title: Load Balancer - description: Load Balancer (HA-Proxy) - type: process - size: component - technology: load-balancer - owner: Company ABC - confidentiality: strictly-confidential - integrity: mission-critical - availability: mission-critical - justification_cia_rating: | - The correct configuration and reachability of the load balancer is mandatory for all customer and Company XYZ usages of the portal and ERP system. - data_assets_processed: - - customer-accounts - - customer-operational-data - - customer-contracts - - internal-business-data - - client-application-code - - marketing-material - communication_links: - - id: load-balancer>web-application-traffic - source_id: load-balancer - target_id: apache-webserver - title: Web Application Traffic - description: Link to the web server - protocol: http - authentication: session-id - authorization: end-user-identity-propagation - data_assets_sent: - - customer-accounts - - customer-operational-data - data_assets_received: - - customer-accounts - - customer-operational-data - - customer-contracts - - client-application-code - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - - id: load-balancer>cms-content-traffic - source_id: load-balancer - target_id: marketing-cms - title: CMS Content Traffic - description: Link to the CMS server - protocol: http - readonly: true - data_assets_received: - - marketing-material - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - raa: 9.952491809545325 - marketing-cms: - id: marketing-cms - title: Marketing CMS - description: CMS for the marketing content - type: process - size: application - technology: cms - machine: container - custom_developed_parts: true - owner: Company ABC - confidentiality: strictly-confidential - integrity: critical - availability: critical - justification_cia_rating: 
| - The correct configuration and reachability of the web server is mandatory for all customer usages of the portal. - tags: - - linux - data_assets_processed: - - marketing-material - - customer-accounts - data_assets_stored: - - marketing-material - communication_links: - - id: marketing-cms>auth-traffic - source_id: marketing-cms - target_id: ldap-auth-server - title: Auth Traffic - description: Link to the LDAP auth server - protocol: ldap - readonly: true - authentication: credentials - authorization: technical-user - data_assets_sent: - - customer-accounts - data_assets_received: - - customer-accounts - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - raa: 22.55383688062901 - sql-database: - id: sql-database - title: Customer Contract Database - description: The database behind the ERP system - type: datastore - size: component - technology: database - machine: virtual - encryption: data-with-symmetric-shared-key - owner: Company ABC - confidentiality: strictly-confidential - integrity: mission-critical - availability: mission-critical - justification_cia_rating: | - The ERP system's database contains business-relevant sensitive data for the leasing processes and eventually also for other Company XYZ internal processes. 
- tags: - - linux - - mysql - data_assets_processed: - - customer-accounts - - customer-operational-data - - internal-business-data - - db-dumps - - erp-logs - data_assets_stored: - - customer-accounts - - customer-operational-data - - internal-business-data - raa: 100 -trust_boundaries: - application-network: - id: application-network - title: Application Network - description: Application Network - type: network-cloud-provider - tags: - - aws - technical_assets_inside: - - load-balancer - trust_boundaries_nested: - - web-dmz - - erp-dmz - - auth-env - auth-env: - id: auth-env - title: Auth Handling Environment - description: Auth Handling Environment - type: execution-environment - technical_assets_inside: - - identity-provider - - ldap-auth-server - dev-network: - id: dev-network - title: Dev Network - description: Development Network - technical_assets_inside: - - jenkins-build-server - - git-repo - - backend-admin-client - - backoffice-client - erp-dmz: - id: erp-dmz - title: ERP DMZ - description: ERP DMZ - type: network-cloud-security-group - tags: - - some-erp - technical_assets_inside: - - erp-system - - contract-file-server - - sql-database - web-dmz: - id: web-dmz - title: Web DMZ - description: Web DMZ - type: network-cloud-security-group - technical_assets_inside: - - apache-webserver - - marketing-cms -shared_runtimes: - webapp-virtualization: - id: webapp-virtualization - title: WebApp and Backoffice Virtualization - description: WebApp Virtualization - tags: - - vmware - technical_assets_running: - - apache-webserver - - marketing-cms - - erp-system - - contract-file-server - - sql-database -individual_risk_categories: - something-strange: - id: something-strange - title: Some Individual Risk Example - description: Some text describing the risk category... - impact: Some text describing the impact... - asvs: V0 - Something Strange - cheat_sheet: https://example.com - action: Some text describing the action... 
- mitigation: Some text describing the mitigation... - check: Check if XYZ... - detection_logic: Some text describing the detection logic... - risk_assessment: Some text describing the risk assessment... - false_positives: Some text describing the most common types of false positives... - stride: repudiation - cwe: 693 -built_in_risk_categories: - accidental-secret-leak: - id: accidental-secret-leak - title: Accidental Secret Leak - description: Sourcecode repositories (including their histories) as well as artifact registries can accidentally contain secrets like checked-in or packaged-in passwords, API tokens, certificates, crypto keys, etc. - impact: If this risk is unmitigated, attackers which have access to affected sourcecode repositories or artifact registries might find secrets accidentally checked-in. - asvs: V14 - Configuration Verification Requirements - cheat_sheet: https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html - action: Build Pipeline Hardening - mitigation: Establish measures preventing accidental check-in or package-in of secrets into sourcecode repositories and artifact registries. This starts by using good .gitignore and .dockerignore files, but does not stop there. See for example tools like "git-secrets" or "Talisman" to have check-in preventive measures for secrets. Consider also to regularly scan your repositories for secrets accidentally checked-in using scanning tools like "gitleaks" or "gitrob". - check: Are recommendations from the linked cheat sheet and referenced ASVS chapter applied? - detection_logic: In-scope sourcecode repositories and artifact registries. - risk_assessment: The risk rating depends on the sensitivity of the technical asset itself and of the data assets processed. - false_positives: Usually no false positives. 
- function: operations - stride: information-disclosure - cwe: 200 - code-backdooring: - id: code-backdooring - title: Code Backdooring - description: For each build-pipeline component Code Backdooring risks might arise where attackers compromise the build-pipeline in order to let backdoored artifacts be shipped into production. Aside from direct code backdooring this includes backdooring of dependencies and even of more lower-level build infrastructure, like backdooring compilers (similar to what the XcodeGhost malware did) or dependencies. - impact: If this risk remains unmitigated, attackers might be able to execute code on and completely takeover production environments. - asvs: V10 - Malicious Code Verification Requirements - cheat_sheet: https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html - action: Build Pipeline Hardening - mitigation: Reduce the attack surface of backdooring the build pipeline by not directly exposing the build pipeline components on the public internet and also not exposing it in front of unmanaged (out-of-scope) developer clients.Also consider the use of code signing to prevent code modifications. - check: Are recommendations from the linked cheat sheet and referenced ASVS chapter applied? - detection_logic: In-scope development relevant technical assets which are either accessed by out-of-scope unmanaged developer clients and/or are directly accessed by any kind of internet-located (non-VPN) component or are themselves directly located on the internet. - risk_assessment: The risk rating depends on the confidentiality and integrity rating of the code being handled and deployed as well as the placement/calling of this technical asset on/from the internet. 
- false_positives: When the build-pipeline and sourcecode-repo is not exposed to the internet and considered fully trusted (which implies that all accessing clients are also considered fully trusted in terms of their patch management and applied hardening, which must be equivalent to a managed developer client environment) this can be considered a false positive after individual review. - function: operations - stride: tampering - cwe: 912 - container-baseimage-backdooring: - id: container-baseimage-backdooring - title: Container Base Image Backdooring - description: 'When a technical asset is built using container technologies, Base Image Backdooring risks might arise where base images and other layers used contain vulnerable components or backdoors.

See for example: https://techcrunch.com/2018/06/15/tainted-crypto-mining-containers-pulled-from-docker-hub/' - impact: If this risk is unmitigated, attackers might be able to deeply persist in the target system by executing code in deployed containers. - asvs: V10 - Malicious Code Verification Requirements - cheat_sheet: https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html - action: Container Infrastructure Hardening - mitigation: Apply hardening of all container infrastructures (see for example the CIS-Benchmarks for Docker and Kubernetes and the Docker Bench for Security). Use only trusted base images of the original vendors, verify digital signatures and apply image creation best practices. Also consider using Google's Distroless base images or otherwise very small base images. Regularly execute container image scans with tools checking the layers for vulnerable components. - check: Are recommendations from the linked cheat sheet and referenced ASVS/CSVS applied? - detection_logic: In-scope technical assets running as containers. - risk_assessment: The risk rating depends on the sensitivity of the technical asset itself and of the data assets. - false_positives: Fully trusted (i.e. reviewed and cryptographically signed or similar) base images of containers can be considered as false positives after individual review. - function: operations - stride: tampering - cwe: 912 - container-platform-escape: - id: container-platform-escape - title: Container Platform Escape - description: Container platforms are especially interesting targets for attackers as they host big parts of a containerized runtime infrastructure. When not configured and operated with security best practices in mind, attackers might exploit a vulnerability inside an container and escape towards the platform as highly privileged users. 
These scenarios might give attackers capabilities to attack every other container as owning the container platform (via container escape attacks) equals to owning every container. - impact: If this risk is unmitigated, attackers which have successfully compromised a container (via other vulnerabilities) might be able to deeply persist in the target system by executing code in many deployed containers and the container platform itself. - asvs: V14 - Configuration Verification Requirements - cheat_sheet: https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html - action: Container Infrastructure Hardening - mitigation: Apply hardening of all container infrastructures.

See for example the CIS-Benchmarks for Docker and Kubernetes as well as the Docker Bench for Security ( https://github.com/docker/docker-bench-security ) or InSpec Checks for Docker and Kubernetes ( https://github.com/dev-sec/cis-docker-benchmark and https://github.com/dev-sec/cis-kubernetes-benchmark ). Use only trusted base images, verify digital signatures and apply image creation best practices. Also consider using Google's Distroless base images or otherwise very small base images. Apply namespace isolation and nod affinity to separate pods from each other in terms of access and nodes the same style as you separate data. - check: Are recommendations from the linked cheat sheet and referenced ASVS or CSVS chapter applied? - detection_logic: In-scope container platforms. - risk_assessment: The risk rating depends on the sensitivity of the technical asset itself and of the data assets processed. - false_positives: Container platforms not running parts of the target architecture can be considered as false positives after individual review. - function: operations - stride: elevation-of-privilege - cwe: 1008 - cross-site-request-forgery: - id: cross-site-request-forgery - title: Cross-Site Request Forgery (CSRF) - description: When a web application is accessed via web protocols Cross-Site Request Forgery (CSRF) risks might arise. - impact: If this risk remains unmitigated, attackers might be able to trick logged-in victim users into unwanted actions within the web application by visiting an attacker controlled web site. - asvs: V4 - Access Control Verification Requirements - cheat_sheet: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html - action: CSRF Prevention - mitigation: Try to use anti-CSRF tokens ot the double-submit patterns (at least for logged-in requests). When your authentication scheme depends on cookies (like session or token cookies), consider marking them with the same-site flag. 
When a third-party product is used instead of custom developed software, check if the product applies the proper mitigation and ensure a reasonable patch-level. - check: Are recommendations from the linked cheat sheet and referenced ASVS chapter applied? - detection_logic: In-scope web applications accessed via typical web access protocols. - risk_assessment: The risk rating depends on the integrity rating of the data sent across the communication link. - false_positives: Web applications passing the authentication sate via custom headers instead of cookies can eventually be false positives. Also when the web application is not accessed via a browser-like component (i.e not by a human user initiating the request that gets passed through all components until it reaches the web application) this can be considered a false positive. - function: development - cwe: 352 - cross-site-scripting: - id: cross-site-scripting - title: Cross-Site Scripting (XSS) - description: For each web application Cross-Site Scripting (XSS) risks might arise. In terms of the overall risk level take other applications running on the same domain into account as well. - impact: If this risk remains unmitigated, attackers might be able to access individual victim sessions and steal or modify user data. - asvs: V5 - Validation, Sanitization and Encoding Verification Requirements - cheat_sheet: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html - action: XSS Prevention - mitigation: Try to encode all values sent back to the browser and also handle DOM-manipulations in a safe way to avoid DOM-based XSS. When a third-party product is used instead of custom developed software, check if the product applies the proper mitigation and ensure a reasonable patch-level. - check: Are recommendations from the linked cheat sheet and referenced ASVS chapter applied? - detection_logic: In-scope web applications. 
- risk_assessment: The risk rating depends on the sensitivity of the data processed in the web application. - false_positives: When the technical asset is not accessed via a browser-like component (i.e not by a human user initiating the request that gets passed through all components until it reaches the web application) this can be considered a false positive. - function: development - stride: tampering - cwe: 79 - dos-risky-access-across-trust-boundary: - id: dos-risky-access-across-trust-boundary - title: DoS-risky Access Across Trust-Boundary - description: Assets accessed across trust boundaries with critical or mission-critical availability rating are more prone to Denial-of-Service (DoS) risks. - impact: If this risk remains unmitigated, attackers might be able to disturb the availability of important parts of the system. - asvs: V1 - Architecture, Design and Threat Modeling Requirements - cheat_sheet: https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html - action: Anti-DoS Measures - mitigation: Apply anti-DoS techniques like throttling and/or per-client load blocking with quotas. Also for maintenance access routes consider applying a VPN instead of public reachable interfaces. Generally applying redundancy on the targeted technical asset reduces the risk of DoS. - check: Are recommendations from the linked cheat sheet and referenced ASVS chapter applied? - detection_logic: In-scope technical assets (excluding load-balancer) with availability rating of critical or higher which have incoming data-flows across a network trust-boundary (excluding devops usage). - risk_assessment: Matching technical assets with availability rating of critical or higher are at low risk. When the availability rating is mission-critical and neither a VPN nor IP filter for the incoming data-flow nor redundancy for the asset is applied, the risk-rating is considered medium. 
- false_positives: When the accessed target operations are not time- or resource-consuming. - function: operations - stride: denial-of-service - cwe: 400 - incomplete-model: - id: incomplete-model - title: Incomplete Model - description: When the threat model contains unknown technologies or transfers data over unknown protocols, this is an indicator for an incomplete model. - impact: If this risk is unmitigated, other risks might not be noticed as the model is incomplete. - asvs: V1 - Architecture, Design and Threat Modeling Requirements - cheat_sheet: https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html - action: Threat Modeling Completeness - mitigation: Try to find out what technology or protocol is used instead of specifying that it is unknown. - check: Are recommendations from the linked cheat sheet and referenced ASVS chapter applied? - detection_logic: All technical assets and communication links with technology type or protocol type specified as unknown. - risk_assessment: low - false_positives: Usually no false positives as this looks like an incomplete model. - function: architecture - stride: information-disclosure - model_failure_possible_reason: true - cwe: 1008 - ldap-injection: - id: ldap-injection - title: LDAP-Injection - description: When an LDAP server is accessed LDAP-Injection risks might arise. The risk rating depends on the sensitivity of the LDAP server itself and of the data assets processed. - impact: If this risk remains unmitigated, attackers might be able to modify LDAP queries and access more data from the LDAP server than allowed. 
- asvs: V5 - Validation, Sanitization and Encoding Verification Requirements - cheat_sheet: https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html - action: LDAP-Injection Prevention - mitigation: Try to use libraries that properly encode LDAP meta characters in searches and queries to access the LDAP sever in order to stay safe from LDAP-Injection vulnerabilities. When a third-party product is used instead of custom developed software, check if the product applies the proper mitigation and ensure a reasonable patch-level. - check: Are recommendations from the linked cheat sheet and referenced ASVS chapter applied? - detection_logic: In-scope clients accessing LDAP servers via typical LDAP access protocols. - risk_assessment: The risk rating depends on the sensitivity of the LDAP server itself and of the data assets processed. - false_positives: LDAP server queries by search values not consisting of parts controllable by the caller can be considered as false positives after individual review. - function: development - stride: tampering - cwe: 90 - missing-authentication: - id: missing-authentication - title: Missing Authentication - description: 'Technical assets (especially multi-tenant systems) should authenticate incoming requests when the asset processes sensitive data. ' - impact: If this risk is unmitigated, attackers might be able to access or modify sensitive data in an unauthenticated way. - asvs: V2 - Authentication Verification Requirements - cheat_sheet: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html - action: Authentication of Incoming Requests - mitigation: Apply an authentication method to the technical asset. To protect highly sensitive data consider the use of two-factor authentication for human users. - check: Are recommendations from the linked cheat sheet and referenced ASVS chapter applied? 
- detection_logic: In-scope technical assets (except load-balancer, reverse-proxy, service-registry, waf, ids, and ips and in-process calls) should authenticate incoming requests when the asset processes sensitive data. This is especially the case for all multi-tenant assets (there even non-sensitive ones). - risk_assessment: The risk rating (medium or high) depends on the sensitivity of the data sent across the communication link. Monitoring callers are exempted from this risk. - false_positives: Technical assets which do not process requests regarding functionality or data linked to end-users (customers) can be considered as false positives after individual review. - function: architecture - stride: elevation-of-privilege - cwe: 306 - missing-authentication-second-factor: - id: missing-authentication-second-factor - title: Missing Two-Factor Authentication (2FA) - description: Technical assets (especially multi-tenant systems) should authenticate incoming requests with two-factor (2FA) authentication when the asset processes or stores highly sensitive data (in terms of confidentiality, integrity, and availability) and is accessed by humans. - impact: If this risk is unmitigated, attackers might be able to access or modify highly sensitive data without strong authentication. - asvs: V2 - Authentication Verification Requirements - cheat_sheet: https://cheatsheetseries.owasp.org/cheatsheets/Multifactor_Authentication_Cheat_Sheet.html - action: Authentication with Second Factor (2FA) - mitigation: Apply an authentication method to the technical asset protecting highly sensitive data via two-factor authentication for human users. - check: Are recommendations from the linked cheat sheet and referenced ASVS chapter applied? 
- detection_logic: In-scope technical assets (except load-balancer, reverse-proxy, waf, ids, and ips) should authenticate incoming requests via two-factor authentication (2FA) when the asset processes or stores highly sensitive data (in terms of confidentiality, integrity, and availability) and is accessed by a client used by a human user. - risk_assessment: medium - false_positives: Technical assets which do not process requests regarding functionality or data linked to end-users (customers) can be considered as false positives after individual review. - stride: elevation-of-privilege - cwe: 308 - missing-build-infrastructure: - id: missing-build-infrastructure - title: Missing Build Infrastructure - description: The modeled architecture does not contain a build infrastructure (devops-client, sourcecode-repo, build-pipeline, etc.), which might be the risk of a model missing critical assets (and thus not seeing their risks). If the architecture contains custom-developed parts, the pipeline where code gets developed and built needs to be part of the model. - impact: If this risk is unmitigated, attackers might be able to exploit risks unseen in this threat model due to critical build infrastructure components missing in the model. - asvs: V1 - Architecture, Design and Threat Modeling Requirements - cheat_sheet: https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html - action: Build Pipeline Hardening - mitigation: Include the build infrastructure in the model. - check: Are recommendations from the linked cheat sheet and referenced ASVS chapter applied? - detection_logic: Models with in-scope custom-developed parts missing in-scope development (code creation) and build infrastructure components (devops-client, sourcecode-repo, build-pipeline, etc.). - risk_assessment: The risk rating depends on the highest sensitivity of the in-scope assets running custom-developed parts. 
- false_positives: Models not having any custom-developed parts can be considered as false positives after individual review. - function: architecture - stride: tampering - model_failure_possible_reason: true - cwe: 1127 - missing-cloud-hardening: - id: missing-cloud-hardening - title: Missing Cloud Hardening - description: Cloud components should be hardened according to the cloud vendor best practices. This affects their configuration, auditing, and further areas. - impact: If this risk is unmitigated, attackers might access cloud components in an unintended way. - asvs: V1 - Architecture, Design and Threat Modeling Requirements - cheat_sheet: https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html - action: Cloud Hardening - mitigation: 'Apply hardening of all cloud components and services, taking special care to follow the individual risk descriptions (which depend on the cloud provider tags in the model).

For Amazon Web Services (AWS): Follow the CIS Benchmark for Amazon Web Services (see also the automated checks of cloud audit tools like "PacBot", "CloudSploit", "CloudMapper", "ScoutSuite", or "Prowler AWS CIS Benchmark Tool").
For EC2 and other servers running Amazon Linux, follow the CIS Benchmark for Amazon Linux and switch to IMDSv2.
For S3 buckets follow the Security Best Practices for Amazon S3 at https://docs.aws.amazon.com/AmazonS3/latest/dev/security-best-practices.html to avoid accidental leakage.
Also take a look at some of these tools: https://github.com/toniblyx/my-arsenal-of-aws-security-tools

For Microsoft Azure: Follow the CIS Benchmark for Microsoft Azure (see also the automated checks of cloud audit tools like "CloudSploit" or "ScoutSuite").

For Google Cloud Platform: Follow the CIS Benchmark for Google Cloud Computing Platform (see also the automated checks of cloud audit tools like "CloudSploit" or "ScoutSuite").

For Oracle Cloud Platform: Follow the hardening best practices (see also the automated checks of cloud audit tools like "CloudSploit").' - check: Are recommendations from the linked cheat sheet and referenced ASVS chapter applied? - detection_logic: In-scope cloud components (either residing in cloud trust boundaries or more specifically tagged with cloud provider types). - risk_assessment: The risk rating depends on the sensitivity of the technical asset itself and of the data assets processed. - false_positives: Cloud components not running parts of the target architecture can be considered as false positives after individual review. - function: operations - stride: tampering - cwe: 1008 - missing-file-validation: - id: missing-file-validation - title: Missing File Validation - description: When a technical asset accepts files, these input files should be strictly validated about filename and type. - impact: If this risk is unmitigated, attackers might be able to provide malicious files to the application. - asvs: V12 - File and Resources Verification Requirements - cheat_sheet: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html - action: File Validation - mitigation: Filter by file extension and discard (if feasible) the name provided. Whitelist the accepted file types and determine the mime-type on the server-side (for example via "Apache Tika" or similar checks). If the file is retrievable by end users and/or backoffice employees, consider performing scans for popular malware (if the files can be retrieved much later than they were uploaded, also apply a fresh malware scan during retrieval to scan with newer signatures of popular malware). Also enforce limits on maximum file size to avoid denial-of-service like scenarios. - check: Are recommendations from the linked cheat sheet and referenced ASVS chapter applied? - detection_logic: In-scope technical assets with custom-developed code accepting file data formats. 
- risk_assessment: The risk rating depends on the sensitivity of the technical asset itself and of the data assets processed. - false_positives: Fully trusted (i.e. cryptographically signed or similar) files can be considered as false positives after individual review. - function: development - cwe: 434 - missing-hardening: - id: missing-hardening - title: Missing Hardening - description: Technical assets with a Relative Attacker Attractiveness (RAA) value of 55 % or higher should be explicitly hardened taking best practices and vendor hardening guides into account. - impact: If this risk remains unmitigated, attackers might be able to easier attack high-value targets. - asvs: V14 - Configuration Verification Requirements - cheat_sheet: https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html - action: System Hardening - mitigation: Try to apply all hardening best practices (like CIS benchmarks, OWASP recommendations, vendor recommendations, DevSec Hardening Framework, DBSAT for Oracle databases, and others). - check: Are recommendations from the linked cheat sheet and referenced ASVS chapter applied? - detection_logic: In-scope technical assets with RAA values of 55 % or higher. Generally for high-value targets like data stores, application servers, identity providers and ERP systems this limit is reduced to 40 % - risk_assessment: The risk rating depends on the sensitivity of the data processed in the technical asset. - false_positives: Usually no false positives. - function: operations - stride: tampering - cwe: 16 - missing-identity-propagation: - id: missing-identity-propagation - title: Missing Identity Propagation - description: Technical assets (especially multi-tenant systems), which usually process data for end users should authorize every request based on the identity of the end user when the data flow is authenticated (i.e. non-public). For DevOps usages at least a technical-user authorization is required. 
- impact: If this risk is unmitigated, attackers might be able to access or modify foreign data after a successful compromise of a component within the system due to missing resource-based authorization checks. - asvs: V4 - Access Control Verification Requirements - cheat_sheet: https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html - action: Identity Propagation and Resource-based Authorization - mitigation: When processing requests for end users if possible authorize in the backend against the propagated identity of the end user. This can be achieved in passing JWTs or similar tokens and checking them in the backend services. For DevOps usages apply at least a technical-user authorization. - check: Are recommendations from the linked cheat sheet and referenced ASVS chapter applied? - detection_logic: In-scope service-like technical assets which usually process data based on end user requests, if authenticated (i.e. non-public), should authorize incoming requests based on the propagated end user identity when their rating is sensitive. This is especially the case for all multi-tenant assets (there even less-sensitive rated ones). DevOps usages are exempted from this risk. - risk_assessment: The risk rating (medium or high) depends on the confidentiality, integrity, and availability rating of the technical asset. - false_positives: Technical assets which do not process requests regarding functionality or data linked to end-users (customers) can be considered as false positives after individual review. - function: architecture - stride: elevation-of-privilege - cwe: 284 - missing-identity-provider-isolation: - id: missing-identity-provider-isolation - title: Missing Identity Provider Isolation - description: Highly sensitive identity provider assets and their identity data stores should be isolated from other assets by their own network segmentation trust-boundary (execution-environment boundaries do not count as network isolation). 
- impact: If this risk is unmitigated, attackers successfully attacking other components of the system might have an easy path towards highly sensitive identity provider assets and their identity data stores, as they are not separated by network segmentation. - asvs: V1 - Architecture, Design and Threat Modeling Requirements - cheat_sheet: https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html - action: Network Segmentation - mitigation: Apply a network segmentation trust-boundary around the highly sensitive identity provider assets and their identity data stores. - check: Are recommendations from the linked cheat sheet and referenced ASVS chapter applied? - detection_logic: In-scope identity provider assets and their identity data stores when surrounded by other (not identity-related) assets (without a network trust-boundary in-between). This risk is especially prevalent when other non-identity related assets are within the same execution environment (i.e. same database or same application server). - risk_assessment: Default is high impact. The impact is increased to very-high when the asset missing the trust-boundary protection is rated as strictly-confidential or mission-critical. - false_positives: When all assets within the network segmentation trust-boundary are hardened and protected to the same extend as if all were identity providers with data of highest sensitivity. - function: operations - stride: elevation-of-privilege - cwe: 1008 - missing-identity-store: - id: missing-identity-store - title: Missing Identity Store - description: The modeled architecture does not contain an identity store, which might be the risk of a model missing critical assets (and thus not seeing their risks). - impact: If this risk is unmitigated, attackers might be able to exploit risks unseen in this threat model in the identity provider/store that is currently missing in the model. 
- asvs: V2 - Authentication Verification Requirements - cheat_sheet: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html - action: Identity Store - mitigation: Include an identity store in the model if the application has a login. - check: Are recommendations from the linked cheat sheet and referenced ASVS chapter applied? - detection_logic: Models with authenticated data-flows authorized via end user identity missing an in-scope identity store. - risk_assessment: The risk rating depends on the sensitivity of the end user-identity authorized technical assets and their data assets processed. - false_positives: Models only offering data/services without any real authentication need can be considered as false positives after individual review. - function: architecture - model_failure_possible_reason: true - cwe: 287 - missing-network-segmentation: - id: missing-network-segmentation - title: Missing Network Segmentation - description: Highly sensitive assets and/or data stores residing in the same network segment than other lower sensitive assets (like webservers or content management systems etc.) should be better protected by a network segmentation trust-boundary. - impact: If this risk is unmitigated, attackers successfully attacking other components of the system might have an easy path towards more valuable targets, as they are not separated by network segmentation. - asvs: V1 - Architecture, Design and Threat Modeling Requirements - cheat_sheet: https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html - action: Network Segmentation - mitigation: Apply a network segmentation trust-boundary around the highly sensitive assets and/or data stores. - check: Are recommendations from the linked cheat sheet and referenced ASVS chapter applied? 
- detection_logic: In-scope technical assets with high sensitivity and RAA values as well as data stores when surrounded by assets (without a network trust-boundary in-between) which are of type client-system, web-server, web-application, cms, web-service-rest, web-service-soap, build-pipeline, sourcecode-repository, monitoring, or similar and there is no direct connection between these (hence no requirement to be so close to each other). - risk_assessment: Default is low risk. The risk is increased to medium when the asset missing the trust-boundary protection is rated as strictly-confidential or mission-critical. - false_positives: When all assets within the network segmentation trust-boundary are hardened and protected to the same extend as if all were containing/processing highly sensitive data. - function: operations - stride: elevation-of-privilege - cwe: 1008 - missing-vault: - id: missing-vault - title: Missing Vault (Secret Storage) - description: In order to avoid the risk of secret leakage via config files (when attacked through vulnerabilities being able to read files like Path-Traversal and others), it is best practice to use a separate hardened process with proper authentication, authorization, and audit logging to access config secrets (like credentials, private keys, client certificates, etc.). This component is usually some kind of Vault. - impact: If this risk is unmitigated, attackers might be able to easier steal config secrets (like credentials, private keys, client certificates, etc.) once a vulnerability to access files is present and exploited. - asvs: V6 - Stored Cryptography Verification Requirements - cheat_sheet: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html - action: Vault (Secret Storage) - mitigation: Consider using a Vault (Secret Storage) to securely store and access config secrets (like credentials, private keys, client certificates, etc.). - check: Is a Vault (Secret Storage) in place? 
- detection_logic: Models without a Vault (Secret Storage). - risk_assessment: The risk rating depends on the sensitivity of the technical asset itself and of the data assets processed. - false_positives: Models where no technical assets have any kind of sensitive config data to protect can be considered as false positives after individual review. - function: architecture - stride: information-disclosure - model_failure_possible_reason: true - cwe: 522 - missing-vault-isolation: - id: missing-vault-isolation - title: Missing Vault Isolation - description: Highly sensitive vault assets and their data stores should be isolated from other assets by their own network segmentation trust-boundary (execution-environment boundaries do not count as network isolation). - impact: If this risk is unmitigated, attackers successfully attacking other components of the system might have an easy path towards highly sensitive vault assets and their data stores, as they are not separated by network segmentation. - asvs: V1 - Architecture, Design and Threat Modeling Requirements - cheat_sheet: https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html - action: Network Segmentation - mitigation: Apply a network segmentation trust-boundary around the highly sensitive vault assets and their data stores. - check: Are recommendations from the linked cheat sheet and referenced ASVS chapter applied? - detection_logic: In-scope vault assets when surrounded by other (not vault-related) assets (without a network trust-boundary in-between). This risk is especially prevalent when other non-vault related assets are within the same execution environment (i.e. same database or same application server). - risk_assessment: Default is medium impact. The impact is increased to high when the asset missing the trust-boundary protection is rated as strictly-confidential or mission-critical. 
- false_positives: When all assets within the network segmentation trust-boundary are hardened and protected to the same extend as if all were vaults with data of highest sensitivity. - function: operations - stride: elevation-of-privilege - cwe: 1008 - missing-waf: - id: missing-waf - title: Missing Web Application Firewall (WAF) - description: To have a first line of filtering defense, security architectures with web-services or web-applications should include a WAF in front of them. Even though a WAF is not a replacement for security (all components must be secure even without a WAF) it adds another layer of defense to the overall system by delaying some attacks and having easier attack alerting through it. - impact: If this risk is unmitigated, attackers might be able to apply standard attack pattern tests at great speed without any filtering. - asvs: V1 - Architecture, Design and Threat Modeling Requirements - cheat_sheet: https://cheatsheetseries.owasp.org/cheatsheets/Virtual_Patching_Cheat_Sheet.html - action: Web Application Firewall (WAF) - mitigation: Consider placing a Web Application Firewall (WAF) in front of the web-services and/or web-applications. For cloud environments many cloud providers offer pre-configured WAFs. Even reverse proxies can be enhances by a WAF component via ModSecurity plugins. - check: Is a Web Application Firewall (WAF) in place? - detection_logic: In-scope web-services and/or web-applications accessed across a network trust boundary not having a Web Application Firewall (WAF) in front of them. - risk_assessment: The risk rating depends on the sensitivity of the technical asset itself and of the data assets processed. - false_positives: Targets only accessible via WAFs or reverse proxies containing a WAF component (like ModSecurity) can be considered as false positives after individual review. 
- function: operations - stride: tampering - cwe: 1008 - mixed-targets-on-shared-runtime: - id: mixed-targets-on-shared-runtime - title: Mixed Targets on Shared Runtime - description: Different attacker targets (like frontend and backend/datastore components) should not be running on the same shared (underlying) runtime. - impact: If this risk is unmitigated, attackers successfully attacking other components of the system might have an easy path towards more valuable targets, as they are running on the same shared runtime. - asvs: V1 - Architecture, Design and Threat Modeling Requirements - cheat_sheet: https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html - action: Runtime Separation - mitigation: Use separate runtime environments for running different target components or apply similar separation styles to prevent load- or breach-related problems originating from one more attacker-facing asset impacts also the other more critical rated backend/datastore assets. - check: Are recommendations from the linked cheat sheet and referenced ASVS chapter applied? - detection_logic: Shared runtime running technical assets of different trust-boundaries is at risk. Also mixing backend/datastore with frontend components on the same shared runtime is considered a risk. - risk_assessment: The risk rating (low or medium) depends on the confidentiality, integrity, and availability rating of the technical asset running on the shared runtime. - false_positives: When all assets running on the shared runtime are hardened and protected to the same extend as if all were containing/processing highly sensitive data. - function: operations - stride: elevation-of-privilege - cwe: 1008 - path-traversal: - id: path-traversal - title: Path-Traversal - description: When a filesystem is accessed Path-Traversal or Local-File-Inclusion (LFI) risks might arise. 
The risk rating depends on the sensitivity of the technical asset itself and of the data assets processed. - impact: If this risk is unmitigated, attackers might be able to read sensitive files (configuration data, key/credential files, deployment files, business data files, etc.) from the filesystem of affected components. - asvs: V12 - File and Resources Verification Requirements - cheat_sheet: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html - action: Path-Traversal Prevention - mitigation: Before accessing the file cross-check that it resides in the expected folder and is of the expected type and filename/suffix. Try to use a mapping if possible instead of directly accessing by a filename which is (partly or fully) provided by the caller. When a third-party product is used instead of custom developed software, check if the product applies the proper mitigation and ensure a reasonable patch-level. - check: Are recommendations from the linked cheat sheet and referenced ASVS chapter applied? - detection_logic: Filesystems accessed by in-scope callers. - risk_assessment: The risk rating depends on the sensitivity of the data stored inside the technical asset. - false_positives: File accesses by filenames not consisting of parts controllable by the caller can be considered as false positives after individual review. - function: development - stride: information-disclosure - cwe: 22 - push-instead-of-pull-deployment: - id: push-instead-of-pull-deployment - title: Push instead of Pull Deployment - description: When comparing push-based vs. pull-based deployments from a security perspective, pull-based deployments improve the overall security of the deployment targets. Every exposed interface of a production system to accept a deployment increases the attack surface of the production system, thus a pull-based approach exposes less attack surface relevant interfaces. 
- impact: If this risk is unmitigated, attackers might have more potential target vectors for attacks, as the overall attack surface is unnecessarily increased. - asvs: V1 - Architecture, Design and Threat Modeling Requirements - cheat_sheet: https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html - action: Build Pipeline Hardening - mitigation: Try to prefer pull-based deployments (like GitOps scenarios offer) over push-based deployments to reduce the attack surface of the production system. - check: Are recommendations from the linked cheat sheet and referenced ASVS chapter applied? - detection_logic: Models with build pipeline components accessing in-scope targets of deployment (in a non-readonly way) which are not build-related components themselves. - risk_assessment: The risk rating depends on the highest sensitivity of the deployment targets running custom-developed parts. - false_positives: Communication links that are not deployment paths can be considered as false positives after individual review. - function: architecture - stride: tampering - model_failure_possible_reason: true - cwe: 1127 - search-query-injection: - id: search-query-injection - title: Search-Query Injection - description: When a search engine server is accessed Search-Query Injection risks might arise.

See for example https://github.com/veracode-research/solr-injection and https://github.com/veracode-research/solr-injection/blob/master/slides/DEFCON-27-Michael-Stepankin-Apache-Solr-Injection.pdf for more details (here related to Solr, but in general showcasing the topic of search query injections). - impact: If this risk remains unmitigated, attackers might be able to read more data from the search index and eventually further escalate towards a deeper system penetration via code executions. - asvs: V5 - Validation, Sanitization and Encoding Verification Requirements - cheat_sheet: https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html - action: Search-Query Injection Prevention - mitigation: Try to use libraries that properly encode search query meta characters in searches and don't expose the query unfiltered to the caller. When a third-party product is used instead of custom developed software, check if the product applies the proper mitigation and ensure a reasonable patch-level. - check: Are recommendations from the linked cheat sheet and referenced ASVS chapter applied? - detection_logic: In-scope clients accessing search engine servers via typical search access protocols. - risk_assessment: The risk rating depends on the sensitivity of the search engine server itself and of the data assets processed. - false_positives: Server engine queries by search values not consisting of parts controllable by the caller can be considered as false positives after individual review. - function: development - stride: tampering - cwe: 74 - server-side-request-forgery: - id: server-side-request-forgery - title: Server-Side Request Forgery (SSRF) - description: 'When a server system (i.e. not a client) is accessing other server systems via typical web protocols Server-Side Request Forgery (SSRF) or Local-File-Inclusion (LFI) or Remote-File-Inclusion (RFI) risks might arise. 
' - impact: If this risk is unmitigated, attackers might be able to access sensitive services or files of network-reachable components by modifying outgoing calls of affected components. - asvs: V12 - File and Resources Verification Requirements - cheat_sheet: https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html - action: SSRF Prevention - mitigation: Try to avoid constructing the outgoing target URL with caller controllable values. Alternatively use a mapping (whitelist) when accessing outgoing URLs instead of creating them including caller controllable values. When a third-party product is used instead of custom developed software, check if the product applies the proper mitigation and ensure a reasonable patch-level. - check: Are recommendations from the linked cheat sheet and referenced ASVS chapter applied? - detection_logic: In-scope non-client systems accessing (using outgoing communication links) targets with either HTTP or HTTPS protocol. - risk_assessment: The risk rating (low or medium) depends on the sensitivity of the data assets receivable via web protocols from targets within the same network trust-boundary as well on the sensitivity of the data assets receivable via web protocols from the target asset itself. Also for cloud-based environments the exploitation impact is at least medium, as cloud backend services can be attacked via SSRF. - false_positives: Servers not sending outgoing web requests can be considered as false positives after review. - function: development - stride: information-disclosure - cwe: 918 - service-registry-poisoning: - id: service-registry-poisoning - title: Service Registry Poisoning - description: When a service registry used for discovery of trusted service endpoints Service Registry Poisoning risks might arise. 
- impact: If this risk remains unmitigated, attackers might be able to poison the service registry with malicious service endpoints or malicious lookup and config data leading to breach of sensitive data. - asvs: V10 - Malicious Code Verification Requirements - cheat_sheet: https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html - action: Service Registry Integrity Check - mitigation: Try to strengthen the access control of the service registry and apply cross-checks to detect maliciously poisoned lookup data. - check: Are recommendations from the linked cheat sheet and referenced ASVS chapter applied? - detection_logic: In-scope service registries. - risk_assessment: The risk rating depends on the sensitivity of the technical assets accessing the service registry as well as the data assets processed. - false_positives: Service registries not used for service discovery can be considered as false positives after individual review. - function: architecture - cwe: 693 - sql-nosql-injection: - id: sql-nosql-injection - title: SQL/NoSQL-Injection - description: When a database is accessed via database access protocols SQL/NoSQL-Injection risks might arise. The risk rating depends on the sensitivity technical asset itself and of the data assets processed. - impact: If this risk is unmitigated, attackers might be able to modify SQL/NoSQL queries to steal and modify data and eventually further escalate towards a deeper system penetration via code executions. - asvs: V5 - Validation, Sanitization and Encoding Verification Requirements - cheat_sheet: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html - action: SQL/NoSQL-Injection Prevention - mitigation: Try to use parameter binding to be safe from injection vulnerabilities. When a third-party product is used instead of custom developed software, check if the product applies the proper mitigation and ensure a reasonable patch-level. 
- check: Are recommendations from the linked cheat sheet and referenced ASVS chapter applied? - detection_logic: Database accessed via typical database access protocols by in-scope clients. - risk_assessment: The risk rating depends on the sensitivity of the data stored inside the database. - false_positives: Database accesses by queries not consisting of parts controllable by the caller can be considered as false positives after individual review. - function: development - stride: tampering - cwe: 89 - unchecked-deployment: - id: unchecked-deployment - title: Unchecked Deployment - description: For each build-pipeline component Unchecked Deployment risks might arise when the build-pipeline does not include established DevSecOps best-practices. DevSecOps best-practices scan as part of CI/CD pipelines for vulnerabilities in source- or byte-code, dependencies, container layers, and dynamically against running test systems. There are several open-source and commercial tools existing in the categories DAST, SAST, and IAST. - impact: If this risk remains unmitigated, vulnerabilities in custom-developed software or their dependencies might not be identified during continuous deployment cycles. - asvs: V14 - Configuration Verification Requirements - cheat_sheet: https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html - action: Build Pipeline Hardening - mitigation: Apply DevSecOps best-practices and use scanning tools to identify vulnerabilities in source- or byte-code,dependencies, container layers, and optionally also via dynamic scans against running test systems. - check: Are recommendations from the linked cheat sheet and referenced ASVS chapter applied? - detection_logic: All development-relevant technical assets. - risk_assessment: The risk rating depends on the highest rating of the technical assets and data assets processed by deployment-receiving targets. 
- false_positives: When the build-pipeline does not build any software components it can be considered a false positive after individual review. - function: architecture - stride: tampering - cwe: 1127 - unencrypted-asset: - id: unencrypted-asset - title: Unencrypted Technical Assets - description: Due to the confidentiality rating of the technical asset itself and/or the processed data assets this technical asset must be encrypted. The risk rating depends on the sensitivity technical asset itself and of the data assets stored. - impact: If this risk is unmitigated, attackers might be able to access unencrypted data when successfully compromising sensitive components. - asvs: V6 - Stored Cryptography Verification Requirements - cheat_sheet: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html - action: Encryption of Technical Asset - mitigation: Apply encryption to the technical asset. - check: Are recommendations from the linked cheat sheet and referenced ASVS chapter applied? - detection_logic: In-scope unencrypted technical assets (excluding reverse-proxy, load-balancer, waf, ids, ips and embedded components like library) storing data assets rated at least as confidential or critical. For technical assets storing data assets rated as strictly-confidential or mission-critical the encryption must be of type data-with-end-user-individual-key. - risk_assessment: Depending on the confidentiality rating of the stored data-assets either medium or high risk. - false_positives: When all sensitive data stored within the asset is already fully encrypted on document or data level. - function: operations - stride: information-disclosure - cwe: 311 - unencrypted-communication: - id: unencrypted-communication - title: Unencrypted Communication - description: Due to the confidentiality and/or integrity rating of the data assets transferred over the communication link this connection must be encrypted. 
- impact: If this risk is unmitigated, network attackers might be able to to eavesdrop on unencrypted sensitive data sent between components. - asvs: V9 - Communication Verification Requirements - cheat_sheet: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html - action: Encryption of Communication Links - mitigation: Apply transport layer encryption to the communication link. - check: Are recommendations from the linked cheat sheet and referenced ASVS chapter applied? - detection_logic: Unencrypted technical communication links of in-scope technical assets (excluding monitoring traffic as well as local-file-access and in-process-library-call) transferring sensitive data. - risk_assessment: Depending on the confidentiality rating of the transferred data-assets either medium or high risk. - false_positives: When all sensitive data sent over the communication link is already fully encrypted on document or data level. Also intra-container/pod communication can be considered false positive when container orchestration platform handles encryption. - function: operations - stride: information-disclosure - cwe: 319 - unguarded-access-from-internet: - id: unguarded-access-from-internet - title: Unguarded Access From Internet - description: Internet-exposed assets must be guarded by a protecting service, application, or reverse-proxy. - impact: If this risk is unmitigated, attackers might be able to directly attack sensitive systems without any hardening components in-between due to them being directly exposed on the internet. - asvs: V1 - Architecture, Design and Threat Modeling Requirements - cheat_sheet: https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html - action: Encapsulation of Technical Asset - mitigation: Encapsulate the asset behind a guarding service, application, or reverse-proxy. For admin maintenance a bastion-host should be used as a jump-server. 
For file transfer a store-and-forward-host should be used as an indirect file exchange platform. - check: Are recommendations from the linked cheat sheet and referenced ASVS chapter applied? - detection_logic: In-scope technical assets (excluding load-balancer) with confidentiality rating of confidential (or higher) or with integrity rating of critical (or higher) when accessed directly from the internet. All web-server, web-application, reverse-proxy, waf, and gateway assets are exempted from this risk when they do not consist of custom developed code and the data-flow only consists of HTTP or FTP protocols. Access from monitoring systems as well as VPN-protected connections are exempted. - risk_assessment: The matching technical assets are at low risk. When either the confidentiality rating is strictly-confidential or the integrity rating is mission-critical, the risk-rating is considered medium. For assets with RAA values higher than 40 % the risk-rating increases. - false_positives: When other means of filtering client requests are applied equivalent of reverse-proxy, waf, or gateway components. - function: architecture - stride: elevation-of-privilege - cwe: 501 - unguarded-direct-datastore-access: - id: unguarded-direct-datastore-access - title: Unguarded Direct Datastore Access - description: Data stores accessed across trust boundaries must be guarded by some protecting service or application. - impact: If this risk is unmitigated, attackers might be able to directly attack sensitive data stores without any protecting components in-between. - asvs: V1 - Architecture, Design and Threat Modeling Requirements - cheat_sheet: https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html - action: Encapsulation of Datastore - mitigation: Encapsulate the datastore access behind a guarding service or application. - check: Are recommendations from the linked cheat sheet and referenced ASVS chapter applied? 
- detection_logic: In-scope technical assets of type datastore (except identity-store-ldap when accessed from identity-provider and file-server when accessed via file transfer protocols) with confidentiality rating of confidential (or higher) or with integrity rating of critical (or higher) which have incoming data-flows from assets outside across a network trust-boundary. DevOps config and deployment access is excluded from this risk. - risk_assessment: The matching technical assets are at low risk. When either the confidentiality rating is strictly-confidential or the integrity rating is mission-critical, the risk-rating is considered medium. For assets with RAA values higher than 40 % the risk-rating increases. - false_positives: When the caller is considered fully trusted as if it was part of the datastore itself. - function: architecture - stride: elevation-of-privilege - cwe: 501 - unnecessary-communication-link: - id: unnecessary-communication-link - title: Unnecessary Communication Link - description: When a technical communication link does not send or receive any data assets, this is an indicator for an unnecessary communication link (or for an incomplete model). - impact: If this risk is unmitigated, attackers might be able to target unnecessary communication links. - asvs: V1 - Architecture, Design and Threat Modeling Requirements - cheat_sheet: https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html - action: Attack Surface Reduction - mitigation: Try to avoid using technical communication links that do not send or receive anything. - check: Are recommendations from the linked cheat sheet and referenced ASVS chapter applied? - detection_logic: In-scope technical assets' technical communication links not sending or receiving any data assets. - risk_assessment: low - false_positives: Usually no false positives as this looks like an incomplete model. 
- function: architecture - stride: elevation-of-privilege - model_failure_possible_reason: true - cwe: 1008 - unnecessary-data-asset: - id: unnecessary-data-asset - title: Unnecessary Data Asset - description: When a data asset is not processed by any data assets and also not transferred by any communication links, this is an indicator for an unnecessary data asset (or for an incomplete model). - impact: If this risk is unmitigated, attackers might be able to access unnecessary data assets using other vulnerabilities. - asvs: V1 - Architecture, Design and Threat Modeling Requirements - cheat_sheet: https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html - action: Attack Surface Reduction - mitigation: Try to avoid having data assets that are not required/used. - check: Are recommendations from the linked cheat sheet and referenced ASVS chapter applied? - detection_logic: Modelled data assets not processed by any data assets and also not transferred by any communication links. - risk_assessment: low - false_positives: Usually no false positives as this looks like an incomplete model. - function: architecture - stride: elevation-of-privilege - model_failure_possible_reason: true - cwe: 1008 - unnecessary-data-transfer: - id: unnecessary-data-transfer - title: Unnecessary Data Transfer - description: When a technical asset sends or receives data assets, which it neither processes or stores this is an indicator for unnecessarily transferred data (or for an incomplete model). When the unnecessarily transferred data assets are sensitive, this poses an unnecessary risk of an increased attack surface. - impact: If this risk is unmitigated, attackers might be able to target unnecessarily transferred data. 
- asvs: V1 - Architecture, Design and Threat Modeling Requirements - cheat_sheet: https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html - action: Attack Surface Reduction - mitigation: Try to avoid sending or receiving sensitive data assets which are not required (i.e. neither processed) by the involved technical asset. - check: Are recommendations from the linked cheat sheet and referenced ASVS chapter applied? - detection_logic: In-scope technical assets sending or receiving sensitive data assets which are neither processed nor stored by the technical asset are flagged with this risk. The risk rating (low or medium) depends on the confidentiality, integrity, and availability rating of the technical asset. Monitoring data is exempted from this risk. - risk_assessment: The risk assessment is depending on the confidentiality and integrity rating of the transferred data asset either low or medium. - false_positives: Technical assets missing the model entries of either processing or storing the mentioned data assets can be considered as false positives (incomplete models) after individual review. These should then be addressed by completing the model so that all necessary data assets are processed by the technical asset involved. - function: architecture - stride: elevation-of-privilege - model_failure_possible_reason: true - cwe: 1008 - unnecessary-technical-asset: - id: unnecessary-technical-asset - title: Unnecessary Technical Asset - description: When a technical asset does not process any data assets, this is an indicator for an unnecessary technical asset (or for an incomplete model). This is also the case if the asset has no communication links (either outgoing or incoming). - impact: If this risk is unmitigated, attackers might be able to target unnecessary technical assets. 
- asvs: V1 - Architecture, Design and Threat Modeling Requirements - cheat_sheet: https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html - action: Attack Surface Reduction - mitigation: Try to avoid using technical assets that do not process or store anything. - check: Are recommendations from the linked cheat sheet and referenced ASVS chapter applied? - detection_logic: Technical assets not processing or storing any data assets. - risk_assessment: low - false_positives: Usually no false positives as this looks like an incomplete model. - function: architecture - stride: elevation-of-privilege - model_failure_possible_reason: true - cwe: 1008 - untrusted-deserialization: - id: untrusted-deserialization - title: Untrusted Deserialization - description: When a technical asset accepts data in a specific serialized form (like Java or .NET serialization), Untrusted Deserialization risks might arise.

See https://christian-schneider.net/JavaDeserializationSecurityFAQ.html for more details. - impact: If this risk is unmitigated, attackers might be able to execute code on target systems by exploiting untrusted deserialization endpoints. - asvs: V5 - Validation, Sanitization and Encoding Verification Requirements - cheat_sheet: https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html - action: Prevention of Deserialization of Untrusted Data - mitigation: Try to avoid the deserialization of untrusted data (even of data within the same trust-boundary as long as it is sent across a remote connection) in order to stay safe from Untrusted Deserialization vulnerabilities. Alternatively a strict whitelisting approach of the classes/types/values to deserialize might help as well. When a third-party product is used instead of custom developed software, check if the product applies the proper mitigation and ensure a reasonable patch-level. - check: Are recommendations from the linked cheat sheet and referenced ASVS chapter applied? - detection_logic: In-scope technical assets accepting serialization data formats (including EJB and RMI protocols). - risk_assessment: The risk rating depends on the sensitivity of the technical asset itself and of the data assets processed. - false_positives: Fully trusted (i.e. cryptographically signed or similar) data deserialized can be considered as false positives after individual review. - function: architecture - stride: tampering - cwe: 502 - wrong-communication-link-content: - id: wrong-communication-link-content - title: Wrong Communication Link Content - description: When a communication link is defined as readonly, but does not receive any data asset, or when it is defined as not readonly, but does not send any data asset, it is likely to be a model failure. - impact: If this potential model error is not fixed, some risks might not be visible. 
- asvs: V1 - Architecture, Design and Threat Modeling Requirements - cheat_sheet: https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html - action: Model Consistency - mitigation: Try to model the correct readonly flag and/or data sent/received of communication links. Also try to use communication link types matching the target technology/machine types. - check: Are recommendations from the linked cheat sheet and referenced ASVS chapter applied? - detection_logic: Communication links with inconsistent data assets being sent/received not matching their readonly flag or otherwise inconsistent protocols not matching the target technology type. - risk_assessment: low - false_positives: Usually no false positives as this looks like an incomplete model. - function: architecture - stride: information-disclosure - model_failure_possible_reason: true - cwe: 1008 - wrong-trust-boundary-content: - id: wrong-trust-boundary-content - title: Wrong Trust Boundary Content - description: When a trust boundary of type network-policy-namespace-isolation contains non-container assets it is likely to be a model failure. - impact: If this potential model error is not fixed, some risks might not be visible. - asvs: V1 - Architecture, Design and Threat Modeling Requirements - cheat_sheet: https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html - action: Model Consistency - mitigation: Try to model the correct types of trust boundaries and data assets. - check: Are recommendations from the linked cheat sheet and referenced ASVS chapter applied? - detection_logic: Trust boundaries which should only contain containers, but have different assets inside. - risk_assessment: low - false_positives: Usually no false positives as this looks like an incomplete model. 
- function: architecture - stride: elevation-of-privilege - model_failure_possible_reason: true - cwe: 1008 - xml-external-entity: - id: xml-external-entity - title: XML External Entity (XXE) - description: When a technical asset accepts data in XML format, XML External Entity (XXE) risks might arise. - impact: If this risk is unmitigated, attackers might be able to read sensitive files (configuration data, key/credential files, deployment files, business data files, etc.) form the filesystem of affected components and/or access sensitive services or files of other components. - asvs: V14 - Configuration Verification Requirements - cheat_sheet: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html - action: XML Parser Hardening - mitigation: Apply hardening of all XML parser instances in order to stay safe from XML External Entity (XXE) vulnerabilities. When a third-party product is used instead of custom developed software, check if the product applies the proper mitigation and ensure a reasonable patch-level. - check: Are recommendations from the linked cheat sheet and referenced ASVS chapter applied? - detection_logic: In-scope technical assets accepting XML data formats. - risk_assessment: The risk rating depends on the sensitivity of the technical asset itself and of the data assets processed. Also for cloud-based environments the exploitation impact is at least medium, as cloud backend services can be attacked via SSRF (and XXE vulnerabilities are often also SSRF vulnerabilities). - false_positives: Fully trusted (i.e. cryptographically signed or similar) XML data can be considered as false positives after individual review. 
- function: development - stride: information-disclosure - cwe: 611 -risk_tracking: - dos-risky-access-across-trust-boundary@*@*@*: - synthetic_risk_id: dos-risky-access-across-trust-boundary@*@*@* - justification: The hardening measures are being implemented and checked - ticket: XYZ-1234 - checked_by: John Doe - status: in-progress - date: "2020-01-04" - dos-risky-access-across-trust-boundary@apache-webserver@customer-client@customer-client>customer-traffic: - synthetic_risk_id: dos-risky-access-across-trust-boundary@apache-webserver@customer-client@customer-client>customer-traffic - justification: The hardening measures are being implemented and checked - ticket: XYZ-1234 - checked_by: John Doe - status: in-progress - date: "2020-01-04" - dos-risky-access-across-trust-boundary@erp-system@apache-webserver@apache-webserver>erp-system-traffic: - synthetic_risk_id: dos-risky-access-across-trust-boundary@erp-system@apache-webserver@apache-webserver>erp-system-traffic - justification: The hardening measures are being implemented and checked - ticket: XYZ-1234 - checked_by: John Doe - status: in-progress - date: "2020-01-04" - dos-risky-access-across-trust-boundary@erp-system@backoffice-client@backoffice-client>erp-internal-access: - synthetic_risk_id: dos-risky-access-across-trust-boundary@erp-system@backoffice-client@backoffice-client>erp-internal-access - justification: The hardening measures are being implemented and checked - ticket: XYZ-1234 - checked_by: John Doe - status: in-progress - date: "2020-01-04" - dos-risky-access-across-trust-boundary@identity-provider@apache-webserver@apache-webserver>auth-credential-check-traffic: - synthetic_risk_id: dos-risky-access-across-trust-boundary@identity-provider@apache-webserver@apache-webserver>auth-credential-check-traffic - justification: The hardening measures are being implemented and checked - ticket: XYZ-1234 - checked_by: John Doe - status: in-progress - date: "2020-01-04" - 
dos-risky-access-across-trust-boundary@ldap-auth-server@marketing-cms@marketing-cms>auth-traffic: - synthetic_risk_id: dos-risky-access-across-trust-boundary@ldap-auth-server@marketing-cms@marketing-cms>auth-traffic - justification: The hardening measures are being implemented and checked - ticket: XYZ-1234 - checked_by: John Doe - status: in-progress - date: "2020-01-04" - dos-risky-access-across-trust-boundary@marketing-cms@backoffice-client@backoffice-client>marketing-cms-editing: - synthetic_risk_id: dos-risky-access-across-trust-boundary@marketing-cms@backoffice-client@backoffice-client>marketing-cms-editing - justification: The hardening measures are being implemented and checked - ticket: XYZ-1234 - checked_by: John Doe - status: in-progress - date: "2020-01-04" - dos-risky-access-across-trust-boundary@marketing-cms@customer-client@customer-client>customer-traffic: - synthetic_risk_id: dos-risky-access-across-trust-boundary@marketing-cms@customer-client@customer-client>customer-traffic - justification: The hardening measures are being implemented and checked - ticket: XYZ-1234 - checked_by: John Doe - status: in-progress - date: "2020-01-04" - ldap-injection@*@ldap-auth-server@*: - synthetic_risk_id: ldap-injection@*@ldap-auth-server@* - justification: The hardening measures were implemented and checked - ticket: XYZ-5678 - checked_by: John Doe - status: mitigated - date: "2020-01-05" - ldap-injection@identity-provider@ldap-auth-server@identity-provider>ldap-credential-check-traffic: - synthetic_risk_id: ldap-injection@identity-provider@ldap-auth-server@identity-provider>ldap-credential-check-traffic - justification: The hardening measures were implemented and checked - ticket: XYZ-5678 - checked_by: John Doe - status: mitigated - date: "2020-01-05" - ldap-injection@marketing-cms@ldap-auth-server@marketing-cms>auth-traffic: - synthetic_risk_id: ldap-injection@marketing-cms@ldap-auth-server@marketing-cms>auth-traffic - justification: The hardening measures 
were implemented and checked - ticket: XYZ-5678 - checked_by: John Doe - status: mitigated - date: "2020-01-05" - missing-authentication-second-factor@*@*@*: - synthetic_risk_id: missing-authentication-second-factor@*@*@* - justification: The hardening measures were implemented and checked - ticket: XYZ-1234 - checked_by: John Doe - status: mitigated - date: "2020-01-04" - missing-hardening@*: - synthetic_risk_id: missing-hardening@* - justification: The hardening measures were implemented and checked - ticket: XYZ-1234 - checked_by: John Doe - status: mitigated - date: "2020-01-04" - missing-hardening@apache-webserver: - synthetic_risk_id: missing-hardening@apache-webserver - justification: The hardening measures were implemented and checked - ticket: XYZ-1234 - checked_by: John Doe - status: mitigated - date: "2020-01-04" - missing-hardening@erp-system: - synthetic_risk_id: missing-hardening@erp-system - justification: The hardening measures were implemented and checked - ticket: XYZ-1234 - checked_by: John Doe - status: mitigated - date: "2020-01-04" - missing-hardening@identity-provider: - synthetic_risk_id: missing-hardening@identity-provider - justification: The hardening measures were implemented and checked - ticket: XYZ-1234 - checked_by: John Doe - status: mitigated - date: "2020-01-04" - missing-hardening@jenkins-build-server: - synthetic_risk_id: missing-hardening@jenkins-build-server - justification: The hardening measures were implemented and checked - ticket: XYZ-1234 - checked_by: John Doe - status: mitigated - date: "2020-01-04" - missing-hardening@ldap-auth-server: - synthetic_risk_id: missing-hardening@ldap-auth-server - justification: The hardening measures were implemented and checked - ticket: XYZ-1234 - checked_by: John Doe - status: mitigated - date: "2020-01-04" - missing-hardening@sql-database: - synthetic_risk_id: missing-hardening@sql-database - justification: The hardening measures were implemented and checked - ticket: XYZ-1234 - 
checked_by: John Doe - status: mitigated - date: "2020-01-04" - unencrypted-asset@*: - synthetic_risk_id: unencrypted-asset@* - justification: The hardening measures were implemented and checked - ticket: XYZ-1234 - checked_by: John Doe - status: mitigated - date: "2020-01-04" - unencrypted-asset@apache-webserver: - synthetic_risk_id: unencrypted-asset@apache-webserver - justification: The hardening measures were implemented and checked - ticket: XYZ-1234 - checked_by: John Doe - status: mitigated - date: "2020-01-04" - unencrypted-asset@contract-file-server: - synthetic_risk_id: unencrypted-asset@contract-file-server - justification: The hardening measures were implemented and checked - ticket: XYZ-1234 - checked_by: John Doe - status: mitigated - date: "2020-01-04" - unencrypted-asset@erp-system: - synthetic_risk_id: unencrypted-asset@erp-system - justification: The hardening measures were implemented and checked - ticket: XYZ-1234 - checked_by: John Doe - status: mitigated - date: "2020-01-04" - unencrypted-asset@git-repo: - synthetic_risk_id: unencrypted-asset@git-repo - justification: The hardening measures were implemented and checked - ticket: XYZ-1234 - checked_by: John Doe - status: mitigated - date: "2020-01-04" - unencrypted-asset@identity-provider: - synthetic_risk_id: unencrypted-asset@identity-provider - justification: The hardening measures were implemented and checked - ticket: XYZ-1234 - checked_by: John Doe - status: mitigated - date: "2020-01-04" - unencrypted-asset@jenkins-build-server: - synthetic_risk_id: unencrypted-asset@jenkins-build-server - justification: The hardening measures were implemented and checked - ticket: XYZ-1234 - checked_by: John Doe - status: mitigated - date: "2020-01-04" - unencrypted-asset@marketing-cms: - synthetic_risk_id: unencrypted-asset@marketing-cms - justification: The hardening measures were implemented and checked - ticket: XYZ-1234 - checked_by: John Doe - status: mitigated - date: "2020-01-04" - 
unencrypted-asset@sql-database: - synthetic_risk_id: unencrypted-asset@sql-database - justification: The hardening measures were implemented and checked - ticket: XYZ-1234 - checked_by: John Doe - status: mitigated - date: "2020-01-04" - untrusted-deserialization@erp-system: - synthetic_risk_id: untrusted-deserialization@erp-system - justification: Risk accepted as tolerable - ticket: XYZ-1234 - checked_by: John Doe - status: accepted - date: "2020-01-04" -communication_links: - apache-webserver>auth-credential-check-traffic: - id: apache-webserver>auth-credential-check-traffic - source_id: apache-webserver - target_id: identity-provider - title: Auth Credential Check Traffic - description: Link to the identity provider server - protocol: https - authentication: credentials - authorization: technical-user - data_assets_sent: - - customer-accounts - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - apache-webserver>erp-system-traffic: - id: apache-webserver>erp-system-traffic - source_id: apache-webserver - target_id: erp-system - title: ERP System Traffic - description: Link to the ERP system - protocol: https - authentication: token - authorization: technical-user - data_assets_sent: - - customer-accounts - - customer-operational-data - - internal-business-data - data_assets_received: - - customer-accounts - - customer-operational-data - - customer-contracts - - internal-business-data - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - backend-admin-client>db-update-access: - id: backend-admin-client>db-update-access - source_id: backend-admin-client - target_id: sql-database - title: DB Update Access - description: Link to the database (JDBC tunneled via SSH) - protocol: ssh - authentication: client-certificate - authorization: technical-user - usage: devops - data_assets_sent: - - db-dumps - data_assets_received: - - db-dumps - - erp-logs - - customer-accounts - - customer-operational-data - diagram_tweak_weight: 1 - diagram_tweak_constraint: 
true - backend-admin-client>erp-web-access: - id: backend-admin-client>erp-web-access - source_id: backend-admin-client - target_id: erp-system - title: ERP Web Access - description: Link to the ERP system (Web) - protocol: https - authentication: token - authorization: technical-user - usage: devops - data_assets_sent: - - erp-customizing - data_assets_received: - - erp-logs - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - backend-admin-client>user-management-access: - id: backend-admin-client>user-management-access - source_id: backend-admin-client - target_id: ldap-auth-server - title: User Management Access - description: Link to the LDAP auth server for managing users - protocol: ldaps - authentication: credentials - authorization: technical-user - usage: devops - data_assets_sent: - - customer-accounts - data_assets_received: - - customer-accounts - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - backoffice-client>erp-internal-access: - id: backoffice-client>erp-internal-access - source_id: backoffice-client - target_id: erp-system - title: ERP Internal Access - description: Link to the ERP system - protocol: https - tags: - - some-erp - vpn: true - authentication: token - authorization: end-user-identity-propagation - data_assets_sent: - - internal-business-data - data_assets_received: - - customer-contracts - - internal-business-data - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - backoffice-client>marketing-cms-editing: - id: backoffice-client>marketing-cms-editing - source_id: backoffice-client - target_id: marketing-cms - title: Marketing CMS Editing - description: Link to the CMS for editing content - protocol: https - vpn: true - authentication: token - authorization: end-user-identity-propagation - data_assets_sent: - - marketing-material - data_assets_received: - - marketing-material - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - customer-client>customer-traffic: - id: customer-client>customer-traffic 
- source_id: customer-client - target_id: load-balancer - title: Customer Traffic - description: Link to the load balancer - protocol: https - authentication: session-id - authorization: end-user-identity-propagation - data_assets_sent: - - customer-accounts - - customer-operational-data - data_assets_received: - - customer-accounts - - customer-operational-data - - customer-contracts - - client-application-code - - marketing-material - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - erp-system>database-traffic: - id: erp-system>database-traffic - source_id: erp-system - target_id: sql-database - title: Database Traffic - description: Link to the DB system - protocol: jdbc - authentication: credentials - authorization: technical-user - data_assets_sent: - - customer-accounts - - customer-operational-data - - internal-business-data - data_assets_received: - - customer-accounts - - customer-operational-data - - internal-business-data - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - erp-system>nfs-filesystem-access: - id: erp-system>nfs-filesystem-access - source_id: erp-system - target_id: contract-file-server - title: NFS Filesystem Access - description: Link to the file system - protocol: nfs - data_assets_sent: - - customer-contracts - data_assets_received: - - customer-contracts - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - external-dev-client>git-repo-code-write-access: - id: external-dev-client>git-repo-code-write-access - source_id: external-dev-client - target_id: git-repo - title: Git-Repo Code Write Access - description: Link to the Git repo - protocol: ssh - authentication: client-certificate - authorization: technical-user - usage: devops - data_assets_sent: - - client-application-code - - server-application-code - data_assets_received: - - client-application-code - - server-application-code - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - external-dev-client>git-repo-web-ui-access: - id: 
external-dev-client>git-repo-web-ui-access - source_id: external-dev-client - target_id: git-repo - title: Git-Repo Web-UI Access - description: Link to the Git repo - protocol: https - authentication: token - authorization: technical-user - usage: devops - data_assets_sent: - - client-application-code - - server-application-code - data_assets_received: - - client-application-code - - server-application-code - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - external-dev-client>jenkins-web-ui-access: - id: external-dev-client>jenkins-web-ui-access - source_id: external-dev-client - target_id: jenkins-build-server - title: Jenkins Web-UI Access - description: Link to the Jenkins build server - protocol: https - authentication: credentials - authorization: technical-user - usage: devops - data_assets_sent: - - build-job-config - data_assets_received: - - build-job-config - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - identity-provider>ldap-credential-check-traffic: - id: identity-provider>ldap-credential-check-traffic - source_id: identity-provider - target_id: ldap-auth-server - title: LDAP Credential Check Traffic - description: Link to the LDAP server - protocol: ldaps - authentication: credentials - authorization: technical-user - data_assets_sent: - - customer-accounts - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - jenkins-build-server>application-deployment: - id: jenkins-build-server>application-deployment - source_id: jenkins-build-server - target_id: apache-webserver - title: Application Deployment - description: Link to the Apache webserver - protocol: ssh - authentication: client-certificate - authorization: technical-user - usage: devops - data_assets_sent: - - client-application-code - - server-application-code - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - jenkins-build-server>cms-updates: - id: jenkins-build-server>cms-updates - source_id: jenkins-build-server - target_id: marketing-cms - title: CMS 
Updates - description: Link to the CMS - protocol: ssh - authentication: client-certificate - authorization: technical-user - usage: devops - data_assets_sent: - - marketing-material - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - jenkins-build-server>git-repo-code-read-access: - id: jenkins-build-server>git-repo-code-read-access - source_id: jenkins-build-server - target_id: git-repo - title: Git Repo Code Read Access - description: Link to the Git repository server - protocol: ssh - readonly: true - authentication: client-certificate - authorization: technical-user - usage: devops - data_assets_received: - - client-application-code - - server-application-code - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - load-balancer>cms-content-traffic: - id: load-balancer>cms-content-traffic - source_id: load-balancer - target_id: marketing-cms - title: CMS Content Traffic - description: Link to the CMS server - protocol: http - readonly: true - data_assets_received: - - marketing-material - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - load-balancer>web-application-traffic: - id: load-balancer>web-application-traffic - source_id: load-balancer - target_id: apache-webserver - title: Web Application Traffic - description: Link to the web server - protocol: http - authentication: session-id - authorization: end-user-identity-propagation - data_assets_sent: - - customer-accounts - - customer-operational-data - data_assets_received: - - customer-accounts - - customer-operational-data - - customer-contracts - - client-application-code - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - marketing-cms>auth-traffic: - id: marketing-cms>auth-traffic - source_id: marketing-cms - target_id: ldap-auth-server - title: Auth Traffic - description: Link to the LDAP auth server - protocol: ldap - readonly: true - authentication: credentials - authorization: technical-user - data_assets_sent: - - customer-accounts - data_assets_received: - - 
customer-accounts - diagram_tweak_weight: 1 - diagram_tweak_constraint: true -all_supported_tags: - aws: true - aws:apigateway: true - aws:dynamodb: true - aws:ebs: true - aws:ec2: true - aws:iam: true - aws:lambda: true - aws:rds: true - aws:s3: true - aws:sqs: true - aws:vpc: true - azure: true - docker: true - gcp: true - git: true - kubernetes: true - nexus: true - ocp: true - openshift: true - tomcat: true -diagram_tweak_nodesep: 2 -diagram_tweak_ranksep: 2 -incoming_technical_communication_links_mapped_by_target_id: - apache-webserver: - - id: load-balancer>web-application-traffic - source_id: load-balancer - target_id: apache-webserver - title: Web Application Traffic - description: Link to the web server - protocol: http - authentication: session-id - authorization: end-user-identity-propagation - data_assets_sent: - - customer-accounts - - customer-operational-data - data_assets_received: - - customer-accounts - - customer-operational-data - - customer-contracts - - client-application-code - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - - id: jenkins-build-server>application-deployment - source_id: jenkins-build-server - target_id: apache-webserver - title: Application Deployment - description: Link to the Apache webserver - protocol: ssh - authentication: client-certificate - authorization: technical-user - usage: devops - data_assets_sent: - - client-application-code - - server-application-code - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - contract-file-server: - - id: erp-system>nfs-filesystem-access - source_id: erp-system - target_id: contract-file-server - title: NFS Filesystem Access - description: Link to the file system - protocol: nfs - data_assets_sent: - - customer-contracts - data_assets_received: - - customer-contracts - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - erp-system: - - id: backoffice-client>erp-internal-access - source_id: backoffice-client - target_id: erp-system - title: ERP Internal 
Access - description: Link to the ERP system - protocol: https - tags: - - some-erp - vpn: true - authentication: token - authorization: end-user-identity-propagation - data_assets_sent: - - internal-business-data - data_assets_received: - - customer-contracts - - internal-business-data - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - - id: backend-admin-client>erp-web-access - source_id: backend-admin-client - target_id: erp-system - title: ERP Web Access - description: Link to the ERP system (Web) - protocol: https - authentication: token - authorization: technical-user - usage: devops - data_assets_sent: - - erp-customizing - data_assets_received: - - erp-logs - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - - id: apache-webserver>erp-system-traffic - source_id: apache-webserver - target_id: erp-system - title: ERP System Traffic - description: Link to the ERP system - protocol: https - authentication: token - authorization: technical-user - data_assets_sent: - - customer-accounts - - customer-operational-data - - internal-business-data - data_assets_received: - - customer-accounts - - customer-operational-data - - customer-contracts - - internal-business-data - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - git-repo: - - id: jenkins-build-server>git-repo-code-read-access - source_id: jenkins-build-server - target_id: git-repo - title: Git Repo Code Read Access - description: Link to the Git repository server - protocol: ssh - readonly: true - authentication: client-certificate - authorization: technical-user - usage: devops - data_assets_received: - - client-application-code - - server-application-code - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - - id: external-dev-client>git-repo-web-ui-access - source_id: external-dev-client - target_id: git-repo - title: Git-Repo Web-UI Access - description: Link to the Git repo - protocol: https - authentication: token - authorization: technical-user - usage: devops - 
data_assets_sent: - - client-application-code - - server-application-code - data_assets_received: - - client-application-code - - server-application-code - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - - id: external-dev-client>git-repo-code-write-access - source_id: external-dev-client - target_id: git-repo - title: Git-Repo Code Write Access - description: Link to the Git repo - protocol: ssh - authentication: client-certificate - authorization: technical-user - usage: devops - data_assets_sent: - - client-application-code - - server-application-code - data_assets_received: - - client-application-code - - server-application-code - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - identity-provider: - - id: apache-webserver>auth-credential-check-traffic - source_id: apache-webserver - target_id: identity-provider - title: Auth Credential Check Traffic - description: Link to the identity provider server - protocol: https - authentication: credentials - authorization: technical-user - data_assets_sent: - - customer-accounts - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - jenkins-build-server: - - id: external-dev-client>jenkins-web-ui-access - source_id: external-dev-client - target_id: jenkins-build-server - title: Jenkins Web-UI Access - description: Link to the Jenkins build server - protocol: https - authentication: credentials - authorization: technical-user - usage: devops - data_assets_sent: - - build-job-config - data_assets_received: - - build-job-config - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - ldap-auth-server: - - id: marketing-cms>auth-traffic - source_id: marketing-cms - target_id: ldap-auth-server - title: Auth Traffic - description: Link to the LDAP auth server - protocol: ldap - readonly: true - authentication: credentials - authorization: technical-user - data_assets_sent: - - customer-accounts - data_assets_received: - - customer-accounts - diagram_tweak_weight: 1 - diagram_tweak_constraint: 
true - - id: identity-provider>ldap-credential-check-traffic - source_id: identity-provider - target_id: ldap-auth-server - title: LDAP Credential Check Traffic - description: Link to the LDAP server - protocol: ldaps - authentication: credentials - authorization: technical-user - data_assets_sent: - - customer-accounts - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - - id: backend-admin-client>user-management-access - source_id: backend-admin-client - target_id: ldap-auth-server - title: User Management Access - description: Link to the LDAP auth server for managing users - protocol: ldaps - authentication: credentials - authorization: technical-user - usage: devops - data_assets_sent: - - customer-accounts - data_assets_received: - - customer-accounts - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - load-balancer: - - id: customer-client>customer-traffic - source_id: customer-client - target_id: load-balancer - title: Customer Traffic - description: Link to the load balancer - protocol: https - authentication: session-id - authorization: end-user-identity-propagation - data_assets_sent: - - customer-accounts - - customer-operational-data - data_assets_received: - - customer-accounts - - customer-operational-data - - customer-contracts - - client-application-code - - marketing-material - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - marketing-cms: - - id: load-balancer>cms-content-traffic - source_id: load-balancer - target_id: marketing-cms - title: CMS Content Traffic - description: Link to the CMS server - protocol: http - readonly: true - data_assets_received: - - marketing-material - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - - id: jenkins-build-server>cms-updates - source_id: jenkins-build-server - target_id: marketing-cms - title: CMS Updates - description: Link to the CMS - protocol: ssh - authentication: client-certificate - authorization: technical-user - usage: devops - data_assets_sent: - - 
marketing-material - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - - id: backoffice-client>marketing-cms-editing - source_id: backoffice-client - target_id: marketing-cms - title: Marketing CMS Editing - description: Link to the CMS for editing content - protocol: https - vpn: true - authentication: token - authorization: end-user-identity-propagation - data_assets_sent: - - marketing-material - data_assets_received: - - marketing-material - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - sql-database: - - id: erp-system>database-traffic - source_id: erp-system - target_id: sql-database - title: Database Traffic - description: Link to the DB system - protocol: jdbc - authentication: credentials - authorization: technical-user - data_assets_sent: - - customer-accounts - - customer-operational-data - - internal-business-data - data_assets_received: - - customer-accounts - - customer-operational-data - - internal-business-data - diagram_tweak_weight: 1 - diagram_tweak_constraint: true - - id: backend-admin-client>db-update-access - source_id: backend-admin-client - target_id: sql-database - title: DB Update Access - description: Link to the database (JDBC tunneled via SSH) - protocol: ssh - authentication: client-certificate - authorization: technical-user - usage: devops - data_assets_sent: - - db-dumps - data_assets_received: - - db-dumps - - erp-logs - - customer-accounts - - customer-operational-data - diagram_tweak_weight: 1 - diagram_tweak_constraint: true -direct_containing_trust_boundary_mapped_by_technical_asset_id: - apache-webserver: - id: web-dmz - title: Web DMZ - description: Web DMZ - type: network-cloud-security-group - technical_assets_inside: - - apache-webserver - - marketing-cms - backend-admin-client: - id: dev-network - title: Dev Network - description: Development Network - technical_assets_inside: - - jenkins-build-server - - git-repo - - backend-admin-client - - backoffice-client - backoffice-client: - id: dev-network - 
title: Dev Network - description: Development Network - technical_assets_inside: - - jenkins-build-server - - git-repo - - backend-admin-client - - backoffice-client - contract-file-server: - id: erp-dmz - title: ERP DMZ - description: ERP DMZ - type: network-cloud-security-group - tags: - - some-erp - technical_assets_inside: - - erp-system - - contract-file-server - - sql-database - erp-system: - id: erp-dmz - title: ERP DMZ - description: ERP DMZ - type: network-cloud-security-group - tags: - - some-erp - technical_assets_inside: - - erp-system - - contract-file-server - - sql-database - git-repo: - id: dev-network - title: Dev Network - description: Development Network - technical_assets_inside: - - jenkins-build-server - - git-repo - - backend-admin-client - - backoffice-client - identity-provider: - id: auth-env - title: Auth Handling Environment - description: Auth Handling Environment - type: execution-environment - technical_assets_inside: - - identity-provider - - ldap-auth-server - jenkins-build-server: - id: dev-network - title: Dev Network - description: Development Network - technical_assets_inside: - - jenkins-build-server - - git-repo - - backend-admin-client - - backoffice-client - ldap-auth-server: - id: auth-env - title: Auth Handling Environment - description: Auth Handling Environment - type: execution-environment - technical_assets_inside: - - identity-provider - - ldap-auth-server - load-balancer: - id: application-network - title: Application Network - description: Application Network - type: network-cloud-provider - tags: - - aws - technical_assets_inside: - - load-balancer - trust_boundaries_nested: - - web-dmz - - erp-dmz - - auth-env - marketing-cms: - id: web-dmz - title: Web DMZ - description: Web DMZ - type: network-cloud-security-group - technical_assets_inside: - - apache-webserver - - marketing-cms - sql-database: - id: erp-dmz - title: ERP DMZ - description: ERP DMZ - type: network-cloud-security-group - tags: - - some-erp - 
technical_assets_inside: - - erp-system - - contract-file-server - - sql-database -generated_risks_by_category: - accidental-secret-leak: - - category: accidental-secret-leak - severity: medium - exploitation_impact: high - title: 'Accidental Secret Leak (Git) risk at Git Repository: Git Leak Prevention' - synthetic_id: accidental-secret-leak@git-repo - most_relevant_technical_asset: git-repo - data_breach_probability: probable - data_breach_technical_assets: - - git-repo - code-backdooring: - - category: code-backdooring - severity: medium - exploitation_impact: high - title: Code Backdooring risk at Git Repository - synthetic_id: code-backdooring@git-repo - most_relevant_technical_asset: git-repo - data_breach_probability: probable - data_breach_technical_assets: - - git-repo - - category: code-backdooring - severity: medium - exploitation_impact: high - title: Code Backdooring risk at Jenkins Buildserver - synthetic_id: code-backdooring@jenkins-build-server - most_relevant_technical_asset: jenkins-build-server - data_breach_probability: probable - data_breach_technical_assets: - - marketing-cms - - jenkins-build-server - - apache-webserver - container-baseimage-backdooring: - - category: container-baseimage-backdooring - severity: medium - exploitation_impact: high - title: Container Base Image Backdooring risk at Apache Webserver - synthetic_id: container-baseimage-backdooring@apache-webserver - most_relevant_technical_asset: apache-webserver - data_breach_probability: probable - data_breach_technical_assets: - - apache-webserver - - category: container-baseimage-backdooring - severity: medium - exploitation_impact: high - title: Container Base Image Backdooring risk at Marketing CMS - synthetic_id: container-baseimage-backdooring@marketing-cms - most_relevant_technical_asset: marketing-cms - data_breach_probability: probable - data_breach_technical_assets: - - marketing-cms - cross-site-request-forgery: - - category: cross-site-request-forgery - severity: 
medium - exploitation_likelihood: very-likely - title: Cross-Site Request Forgery (CSRF) risk at Apache Webserver via Web Application Traffic from Load Balancer - synthetic_id: cross-site-request-forgery@apache-webserver@load-balancer>web-application-traffic - most_relevant_technical_asset: apache-webserver - most_relevant_communication_link: load-balancer>web-application-traffic - data_breach_technical_assets: - - apache-webserver - - category: cross-site-request-forgery - severity: medium - exploitation_likelihood: very-likely - title: Cross-Site Request Forgery (CSRF) risk at Backoffice ERP System via ERP Internal Access from Backoffice Client - synthetic_id: cross-site-request-forgery@erp-system@backoffice-client>erp-internal-access - most_relevant_technical_asset: erp-system - most_relevant_communication_link: backoffice-client>erp-internal-access - data_breach_technical_assets: - - erp-system - - category: cross-site-request-forgery - severity: medium - exploitation_likelihood: very-likely - title: Cross-Site Request Forgery (CSRF) risk at Backoffice ERP System via ERP System Traffic from Apache Webserver - synthetic_id: cross-site-request-forgery@erp-system@apache-webserver>erp-system-traffic - most_relevant_technical_asset: erp-system - most_relevant_communication_link: apache-webserver>erp-system-traffic - data_breach_technical_assets: - - erp-system - - category: cross-site-request-forgery - severity: medium - exploitation_likelihood: very-likely - title: Cross-Site Request Forgery (CSRF) risk at Identity Provider via Auth Credential Check Traffic from Apache Webserver - synthetic_id: cross-site-request-forgery@identity-provider@apache-webserver>auth-credential-check-traffic - most_relevant_technical_asset: identity-provider - most_relevant_communication_link: apache-webserver>auth-credential-check-traffic - data_breach_technical_assets: - - identity-provider - - category: cross-site-request-forgery - severity: medium - exploitation_likelihood: 
very-likely - title: Cross-Site Request Forgery (CSRF) risk at Marketing CMS via CMS Content Traffic from Load Balancer - synthetic_id: cross-site-request-forgery@marketing-cms@load-balancer>cms-content-traffic - most_relevant_technical_asset: marketing-cms - most_relevant_communication_link: load-balancer>cms-content-traffic - data_breach_technical_assets: - - marketing-cms - - category: cross-site-request-forgery - severity: medium - exploitation_likelihood: very-likely - title: Cross-Site Request Forgery (CSRF) risk at Marketing CMS via Marketing CMS Editing from Backoffice Client - synthetic_id: cross-site-request-forgery@marketing-cms@backoffice-client>marketing-cms-editing - most_relevant_technical_asset: marketing-cms - most_relevant_communication_link: backoffice-client>marketing-cms-editing - data_breach_technical_assets: - - marketing-cms - - category: cross-site-request-forgery - severity: medium - exploitation_likelihood: likely - title: Cross-Site Request Forgery (CSRF) risk at Backoffice ERP System via ERP Web Access from Backend Admin Client - synthetic_id: cross-site-request-forgery@erp-system@backend-admin-client>erp-web-access - most_relevant_technical_asset: erp-system - most_relevant_communication_link: backend-admin-client>erp-web-access - data_breach_technical_assets: - - erp-system - cross-site-scripting: - - category: cross-site-scripting - severity: elevated - exploitation_likelihood: likely - exploitation_impact: high - title: Cross-Site Scripting (XSS) risk at Apache Webserver - synthetic_id: cross-site-scripting@apache-webserver - most_relevant_technical_asset: apache-webserver - data_breach_probability: possible - data_breach_technical_assets: - - apache-webserver - - category: cross-site-scripting - severity: elevated - exploitation_likelihood: likely - exploitation_impact: high - title: Cross-Site Scripting (XSS) risk at Backoffice ERP System - synthetic_id: cross-site-scripting@erp-system - most_relevant_technical_asset: erp-system - 
data_breach_probability: possible - data_breach_technical_assets: - - erp-system - - category: cross-site-scripting - severity: elevated - exploitation_likelihood: likely - exploitation_impact: high - title: Cross-Site Scripting (XSS) risk at Identity Provider - synthetic_id: cross-site-scripting@identity-provider - most_relevant_technical_asset: identity-provider - data_breach_probability: possible - data_breach_technical_assets: - - identity-provider - - category: cross-site-scripting - severity: elevated - exploitation_likelihood: likely - exploitation_impact: high - title: Cross-Site Scripting (XSS) risk at Marketing CMS - synthetic_id: cross-site-scripting@marketing-cms - most_relevant_technical_asset: marketing-cms - data_breach_probability: possible - data_breach_technical_assets: - - marketing-cms - dos-risky-access-across-trust-boundary: - - category: dos-risky-access-across-trust-boundary - risk_status: in-progress - title: Denial-of-Service risky access of Apache Webserver by Customer Web Client via Customer Traffic forwarded via Load Balancer - synthetic_id: dos-risky-access-across-trust-boundary@apache-webserver@customer-client@customer-client>customer-traffic - most_relevant_technical_asset: apache-webserver - most_relevant_communication_link: customer-client>customer-traffic - - category: dos-risky-access-across-trust-boundary - risk_status: in-progress - title: Denial-of-Service risky access of Backoffice ERP System by Apache Webserver via ERP System Traffic - synthetic_id: dos-risky-access-across-trust-boundary@erp-system@apache-webserver@apache-webserver>erp-system-traffic - most_relevant_technical_asset: erp-system - most_relevant_communication_link: apache-webserver>erp-system-traffic - - category: dos-risky-access-across-trust-boundary - risk_status: in-progress - title: Denial-of-Service risky access of Backoffice ERP System by Backoffice Client via ERP Internal Access - synthetic_id: 
dos-risky-access-across-trust-boundary@erp-system@backoffice-client@backoffice-client>erp-internal-access - most_relevant_technical_asset: erp-system - most_relevant_communication_link: backoffice-client>erp-internal-access - - category: dos-risky-access-across-trust-boundary - risk_status: in-progress - title: Denial-of-Service risky access of Identity Provider by Apache Webserver via Auth Credential Check Traffic - synthetic_id: dos-risky-access-across-trust-boundary@identity-provider@apache-webserver@apache-webserver>auth-credential-check-traffic - most_relevant_technical_asset: identity-provider - most_relevant_communication_link: apache-webserver>auth-credential-check-traffic - - category: dos-risky-access-across-trust-boundary - risk_status: in-progress - title: Denial-of-Service risky access of LDAP Auth Server by Marketing CMS via Auth Traffic - synthetic_id: dos-risky-access-across-trust-boundary@ldap-auth-server@marketing-cms@marketing-cms>auth-traffic - most_relevant_technical_asset: ldap-auth-server - most_relevant_communication_link: marketing-cms>auth-traffic - - category: dos-risky-access-across-trust-boundary - risk_status: in-progress - title: Denial-of-Service risky access of Marketing CMS by Backoffice Client via Marketing CMS Editing - synthetic_id: dos-risky-access-across-trust-boundary@marketing-cms@backoffice-client@backoffice-client>marketing-cms-editing - most_relevant_technical_asset: marketing-cms - most_relevant_communication_link: backoffice-client>marketing-cms-editing - - category: dos-risky-access-across-trust-boundary - risk_status: in-progress - title: Denial-of-Service risky access of Marketing CMS by Customer Web Client via Customer Traffic forwarded via Load Balancer - synthetic_id: dos-risky-access-across-trust-boundary@marketing-cms@customer-client@customer-client>customer-traffic - most_relevant_technical_asset: marketing-cms - most_relevant_communication_link: customer-client>customer-traffic - ldap-injection: - - category: 
ldap-injection - risk_status: mitigated - severity: elevated - exploitation_likelihood: likely - exploitation_impact: high - title: LDAP-Injection risk at Identity Provider against LDAP server LDAP Auth Server via LDAP Credential Check Traffic - synthetic_id: ldap-injection@identity-provider@ldap-auth-server@identity-provider>ldap-credential-check-traffic - most_relevant_technical_asset: identity-provider - most_relevant_communication_link: identity-provider>ldap-credential-check-traffic - data_breach_probability: probable - data_breach_technical_assets: - - ldap-auth-server - - category: ldap-injection - risk_status: mitigated - severity: elevated - exploitation_likelihood: likely - exploitation_impact: high - title: LDAP-Injection risk at Marketing CMS against LDAP server LDAP Auth Server via Auth Traffic - synthetic_id: ldap-injection@marketing-cms@ldap-auth-server@marketing-cms>auth-traffic - most_relevant_technical_asset: marketing-cms - most_relevant_communication_link: marketing-cms>auth-traffic - data_breach_probability: probable - data_breach_technical_assets: - - ldap-auth-server - missing-authentication: - - category: missing-authentication - severity: elevated - exploitation_likelihood: likely - exploitation_impact: medium - title: Missing Authentication covering communication link CMS Content Traffic from Load Balancer to Marketing CMS - synthetic_id: missing-authentication@load-balancer>cms-content-traffic@load-balancer@marketing-cms - most_relevant_technical_asset: marketing-cms - most_relevant_communication_link: load-balancer>cms-content-traffic - data_breach_probability: possible - data_breach_technical_assets: - - marketing-cms - - category: missing-authentication - severity: elevated - exploitation_likelihood: likely - exploitation_impact: medium - title: Missing Authentication covering communication link NFS Filesystem Access from Backoffice ERP System to Contract Fileserver - synthetic_id: 
missing-authentication@erp-system>nfs-filesystem-access@erp-system@contract-file-server - most_relevant_technical_asset: contract-file-server - most_relevant_communication_link: erp-system>nfs-filesystem-access - data_breach_probability: possible - data_breach_technical_assets: - - contract-file-server - missing-authentication-second-factor: - - category: missing-authentication - severity: medium - exploitation_impact: medium - title: Missing Two-Factor Authentication covering communication link CMS Content Traffic from Customer Web Client forwarded via Load Balancer to Marketing CMS - synthetic_id: missing-authentication@load-balancer>cms-content-traffic@load-balancer@marketing-cms - most_relevant_technical_asset: marketing-cms - most_relevant_communication_link: load-balancer>cms-content-traffic - data_breach_probability: possible - data_breach_technical_assets: - - marketing-cms - - category: missing-authentication - severity: medium - exploitation_impact: medium - title: Missing Two-Factor Authentication covering communication link DB Update Access from Backend Admin Client to Customer Contract Database - synthetic_id: missing-authentication@backend-admin-client>db-update-access@backend-admin-client@sql-database - most_relevant_technical_asset: sql-database - most_relevant_communication_link: backend-admin-client>db-update-access - data_breach_probability: possible - data_breach_technical_assets: - - sql-database - - category: missing-authentication - severity: medium - exploitation_impact: medium - title: Missing Two-Factor Authentication covering communication link ERP Internal Access from Backoffice Client to Backoffice ERP System - synthetic_id: missing-authentication@backoffice-client>erp-internal-access@backoffice-client@erp-system - most_relevant_technical_asset: erp-system - most_relevant_communication_link: backoffice-client>erp-internal-access - data_breach_probability: possible - data_breach_technical_assets: - - erp-system - - category: 
missing-authentication - severity: medium - exploitation_impact: medium - title: Missing Two-Factor Authentication covering communication link ERP Web Access from Backend Admin Client to Backoffice ERP System - synthetic_id: missing-authentication@backend-admin-client>erp-web-access@backend-admin-client@erp-system - most_relevant_technical_asset: erp-system - most_relevant_communication_link: backend-admin-client>erp-web-access - data_breach_probability: possible - data_breach_technical_assets: - - erp-system - - category: missing-authentication - severity: medium - exploitation_impact: medium - title: Missing Two-Factor Authentication covering communication link Git-Repo Code Write Access from External Development Client to Git Repository - synthetic_id: missing-authentication@external-dev-client>git-repo-code-write-access@external-dev-client@git-repo - most_relevant_technical_asset: git-repo - most_relevant_communication_link: external-dev-client>git-repo-code-write-access - data_breach_probability: possible - data_breach_technical_assets: - - git-repo - - category: missing-authentication - severity: medium - exploitation_impact: medium - title: Missing Two-Factor Authentication covering communication link Git-Repo Web-UI Access from External Development Client to Git Repository - synthetic_id: missing-authentication@external-dev-client>git-repo-web-ui-access@external-dev-client@git-repo - most_relevant_technical_asset: git-repo - most_relevant_communication_link: external-dev-client>git-repo-web-ui-access - data_breach_probability: possible - data_breach_technical_assets: - - git-repo - - category: missing-authentication - severity: medium - exploitation_impact: medium - title: Missing Two-Factor Authentication covering communication link Jenkins Web-UI Access from External Development Client to Jenkins Buildserver - synthetic_id: missing-authentication@external-dev-client>jenkins-web-ui-access@external-dev-client@jenkins-build-server - 
most_relevant_technical_asset: jenkins-build-server - most_relevant_communication_link: external-dev-client>jenkins-web-ui-access - data_breach_probability: possible - data_breach_technical_assets: - - jenkins-build-server - - category: missing-authentication - severity: medium - exploitation_impact: medium - title: Missing Two-Factor Authentication covering communication link User Management Access from Backend Admin Client to LDAP Auth Server - synthetic_id: missing-authentication@backend-admin-client>user-management-access@backend-admin-client@ldap-auth-server - most_relevant_technical_asset: ldap-auth-server - most_relevant_communication_link: backend-admin-client>user-management-access - data_breach_probability: possible - data_breach_technical_assets: - - ldap-auth-server - - category: missing-authentication - severity: medium - exploitation_impact: medium - title: Missing Two-Factor Authentication covering communication link Web Application Traffic from Customer Web Client forwarded via Load Balancer to Apache Webserver - synthetic_id: missing-authentication@load-balancer>web-application-traffic@load-balancer@apache-webserver - most_relevant_technical_asset: apache-webserver - most_relevant_communication_link: load-balancer>web-application-traffic - data_breach_probability: possible - data_breach_technical_assets: - - apache-webserver - missing-cloud-hardening: - - category: missing-cloud-hardening - severity: elevated - exploitation_impact: very-high - title: 'Missing Cloud Hardening (AWS) risk at Application Network: CIS Benchmark for AWS' - synthetic_id: missing-cloud-hardening@application-network - most_relevant_trust_boundary: application-network - data_breach_probability: probable - data_breach_technical_assets: - - load-balancer - - apache-webserver - - marketing-cms - - erp-system - - contract-file-server - - sql-database - - identity-provider - - ldap-auth-server - - category: missing-cloud-hardening - severity: elevated - exploitation_impact: 
very-high - title: 'Missing Cloud Hardening (EC2) risk at Apache Webserver: CIS Benchmark for Amazon Linux' - synthetic_id: missing-cloud-hardening@apache-webserver - most_relevant_technical_asset: apache-webserver - data_breach_probability: probable - data_breach_technical_assets: - - apache-webserver - - category: missing-cloud-hardening - severity: elevated - exploitation_impact: very-high - title: Missing Cloud Hardening risk at ERP DMZ - synthetic_id: missing-cloud-hardening@erp-dmz - most_relevant_trust_boundary: erp-dmz - data_breach_probability: probable - data_breach_technical_assets: - - erp-system - - contract-file-server - - sql-database - - category: missing-cloud-hardening - severity: elevated - exploitation_impact: very-high - title: Missing Cloud Hardening risk at Web DMZ - synthetic_id: missing-cloud-hardening@web-dmz - most_relevant_trust_boundary: web-dmz - data_breach_probability: probable - data_breach_technical_assets: - - apache-webserver - - marketing-cms - - category: missing-cloud-hardening - severity: medium - exploitation_impact: high - title: 'Missing Cloud Hardening (S3) risk at Contract Fileserver: Security Best Practices for AWS S3' - synthetic_id: missing-cloud-hardening@contract-file-server - most_relevant_technical_asset: contract-file-server - data_breach_probability: probable - data_breach_technical_assets: - - contract-file-server - missing-file-validation: - - category: missing-file-validation - severity: elevated - exploitation_likelihood: very-likely - exploitation_impact: medium - title: Missing File Validation risk at Apache Webserver - synthetic_id: missing-file-validation@apache-webserver - most_relevant_technical_asset: apache-webserver - data_breach_probability: probable - data_breach_technical_assets: - - apache-webserver - missing-hardening: - - category: missing-hardening - risk_status: mitigated - severity: elevated - exploitation_likelihood: likely - exploitation_impact: medium - title: Missing Hardening risk at 
Apache Webserver - synthetic_id: missing-hardening@apache-webserver - most_relevant_technical_asset: apache-webserver - data_breach_technical_assets: - - apache-webserver - - category: missing-hardening - risk_status: mitigated - severity: elevated - exploitation_likelihood: likely - exploitation_impact: medium - title: Missing Hardening risk at Backoffice ERP System - synthetic_id: missing-hardening@erp-system - most_relevant_technical_asset: erp-system - data_breach_technical_assets: - - erp-system - - category: missing-hardening - risk_status: mitigated - severity: elevated - exploitation_likelihood: likely - exploitation_impact: medium - title: Missing Hardening risk at Customer Contract Database - synthetic_id: missing-hardening@sql-database - most_relevant_technical_asset: sql-database - data_breach_technical_assets: - - sql-database - - category: missing-hardening - risk_status: mitigated - severity: elevated - exploitation_likelihood: likely - exploitation_impact: medium - title: Missing Hardening risk at Identity Provider - synthetic_id: missing-hardening@identity-provider - most_relevant_technical_asset: identity-provider - data_breach_technical_assets: - - identity-provider - - category: missing-hardening - risk_status: mitigated - severity: elevated - exploitation_likelihood: likely - exploitation_impact: medium - title: Missing Hardening risk at Jenkins Buildserver - synthetic_id: missing-hardening@jenkins-build-server - most_relevant_technical_asset: jenkins-build-server - data_breach_technical_assets: - - jenkins-build-server - - category: missing-hardening - risk_status: mitigated - severity: elevated - exploitation_likelihood: likely - exploitation_impact: medium - title: Missing Hardening risk at LDAP Auth Server - synthetic_id: missing-hardening@ldap-auth-server - most_relevant_technical_asset: ldap-auth-server - data_breach_technical_assets: - - ldap-auth-server - missing-identity-propagation: - - category: missing-identity-propagation - 
severity: medium - exploitation_impact: medium - title: Missing End User Identity Propagation over communication link ERP System Traffic from Apache Webserver to Backoffice ERP System - synthetic_id: missing-identity-propagation@apache-webserver>erp-system-traffic@apache-webserver@erp-system - most_relevant_technical_asset: erp-system - most_relevant_communication_link: apache-webserver>erp-system-traffic - data_breach_technical_assets: - - erp-system - missing-network-segmentation: - - category: missing-network-segmentation - severity: medium - exploitation_impact: medium - title: Missing Network Segmentation to further encapsulate and protect Apache Webserver against unrelated lower protected assets in the same network segment, which might be easier to compromise by attackers - synthetic_id: missing-network-segmentation@apache-webserver - most_relevant_technical_asset: apache-webserver - data_breach_technical_assets: - - apache-webserver - - category: missing-network-segmentation - severity: medium - exploitation_impact: medium - title: Missing Network Segmentation to further encapsulate and protect Jenkins Buildserver against unrelated lower protected assets in the same network segment, which might be easier to compromise by attackers - synthetic_id: missing-network-segmentation@jenkins-build-server - most_relevant_technical_asset: jenkins-build-server - data_breach_technical_assets: - - jenkins-build-server - missing-vault: - - category: missing-vault - severity: medium - exploitation_impact: medium - title: Missing Vault (Secret Storage) in the threat model (referencing asset Backoffice ERP System as an example) - synthetic_id: missing-vault@erp-system - most_relevant_technical_asset: erp-system - missing-waf: - - category: missing-waf - severity: medium - exploitation_impact: medium - title: Missing Web Application Firewall (WAF) risk at Apache Webserver - synthetic_id: missing-waf@apache-webserver - most_relevant_technical_asset: apache-webserver - 
data_breach_technical_assets: - - apache-webserver - - category: missing-waf - severity: medium - exploitation_impact: medium - title: Missing Web Application Firewall (WAF) risk at Backoffice ERP System - synthetic_id: missing-waf@erp-system - most_relevant_technical_asset: erp-system - data_breach_technical_assets: - - erp-system - - category: missing-waf - severity: medium - exploitation_impact: medium - title: Missing Web Application Firewall (WAF) risk at Identity Provider - synthetic_id: missing-waf@identity-provider - most_relevant_technical_asset: identity-provider - data_breach_technical_assets: - - identity-provider - - category: missing-waf - severity: medium - exploitation_impact: medium - title: Missing Web Application Firewall (WAF) risk at Marketing CMS - synthetic_id: missing-waf@marketing-cms - most_relevant_technical_asset: marketing-cms - data_breach_technical_assets: - - marketing-cms - mixed-targets-on-shared-runtime: - - category: mixed-targets-on-shared-runtime - severity: medium - exploitation_impact: medium - title: Mixed Targets on Shared Runtime named WebApp and Backoffice Virtualization might enable attackers moving from one less valuable target to a more valuable one - synthetic_id: mixed-targets-on-shared-runtime@webapp-virtualization - most_relevant_shared_runtime: webapp-virtualization - data_breach_technical_assets: - - apache-webserver - - marketing-cms - - erp-system - - contract-file-server - - sql-database - path-traversal: - - category: path-traversal - severity: elevated - exploitation_likelihood: very-likely - exploitation_impact: medium - title: Path-Traversal risk at Backoffice ERP System against filesystem Contract Fileserver via NFS Filesystem Access - synthetic_id: path-traversal@erp-system@contract-file-server@erp-system>nfs-filesystem-access - most_relevant_technical_asset: erp-system - most_relevant_communication_link: erp-system>nfs-filesystem-access - data_breach_probability: probable - data_breach_technical_assets: 
- - contract-file-server - push-instead-of-pull-deployment: - - category: push-instead-of-pull-deployment - severity: medium - exploitation_impact: medium - title: Push instead of Pull Deployment at Apache Webserver via build pipeline asset Jenkins Buildserver - synthetic_id: push-instead-of-pull-deployment@jenkins-build-server - most_relevant_technical_asset: apache-webserver - most_relevant_communication_link: jenkins-build-server>application-deployment - data_breach_technical_assets: - - apache-webserver - - category: push-instead-of-pull-deployment - severity: medium - exploitation_impact: medium - title: Push instead of Pull Deployment at Marketing CMS via build pipeline asset Jenkins Buildserver - synthetic_id: push-instead-of-pull-deployment@jenkins-build-server - most_relevant_technical_asset: marketing-cms - most_relevant_communication_link: jenkins-build-server>cms-updates - data_breach_technical_assets: - - marketing-cms - server-side-request-forgery: - - category: server-side-request-forgery - severity: elevated - exploitation_likelihood: likely - exploitation_impact: medium - title: Server-Side Request Forgery (SSRF) risk at Apache Webserver server-side web-requesting the target Backoffice ERP System via ERP System Traffic - synthetic_id: server-side-request-forgery@apache-webserver@erp-system@apache-webserver>erp-system-traffic - most_relevant_technical_asset: apache-webserver - most_relevant_communication_link: apache-webserver>erp-system-traffic - data_breach_probability: possible - data_breach_technical_assets: - - apache-webserver - - marketing-cms - - category: server-side-request-forgery - severity: elevated - exploitation_likelihood: likely - exploitation_impact: medium - title: Server-Side Request Forgery (SSRF) risk at Apache Webserver server-side web-requesting the target Identity Provider via Auth Credential Check Traffic - synthetic_id: 
server-side-request-forgery@apache-webserver@identity-provider@apache-webserver>auth-credential-check-traffic - most_relevant_technical_asset: apache-webserver - most_relevant_communication_link: apache-webserver>auth-credential-check-traffic - data_breach_probability: possible - data_breach_technical_assets: - - apache-webserver - - marketing-cms - something-strange: - - category: something-strange - severity: critical - exploitation_likelihood: likely - exploitation_impact: medium - title: Example Individual Risk at Database - synthetic_id: something-strange@sql-database - most_relevant_technical_asset: sql-database - data_breach_probability: probable - data_breach_technical_assets: - - sql-database - - category: something-strange - severity: medium - exploitation_likelihood: frequent - exploitation_impact: very-high - title: Example Individual Risk at Contract Filesystem - synthetic_id: something-strange@contract-file-server - most_relevant_technical_asset: contract-file-server - sql-nosql-injection: - - category: sql-nosql-injection - severity: high - exploitation_likelihood: very-likely - exploitation_impact: high - title: SQL/NoSQL-Injection risk at Backoffice ERP System against database Customer Contract Database via Database Traffic - synthetic_id: sql-nosql-injection@erp-system@sql-database@erp-system>database-traffic - most_relevant_technical_asset: erp-system - most_relevant_communication_link: erp-system>database-traffic - data_breach_probability: probable - data_breach_technical_assets: - - sql-database - unchecked-deployment: - - category: unchecked-deployment - severity: medium - exploitation_impact: medium - title: Unchecked Deployment risk at External Development Client - synthetic_id: unchecked-deployment@external-dev-client - most_relevant_technical_asset: external-dev-client - data_breach_probability: possible - data_breach_technical_assets: - - external-dev-client - - git-repo - - jenkins-build-server - - category: unchecked-deployment - 
severity: medium - exploitation_impact: medium - title: Unchecked Deployment risk at Jenkins Buildserver - synthetic_id: unchecked-deployment@jenkins-build-server - most_relevant_technical_asset: jenkins-build-server - data_breach_probability: possible - data_breach_technical_assets: - - marketing-cms - - jenkins-build-server - - apache-webserver - - category: unchecked-deployment - title: Unchecked Deployment risk at Git Repository - synthetic_id: unchecked-deployment@git-repo - most_relevant_technical_asset: git-repo - data_breach_probability: possible - data_breach_technical_assets: - - git-repo - unencrypted-asset: - - category: unencrypted-asset - risk_status: mitigated - severity: medium - exploitation_impact: high - title: Unencrypted Technical Asset named Apache Webserver - synthetic_id: unencrypted-asset@apache-webserver - most_relevant_technical_asset: apache-webserver - data_breach_technical_assets: - - apache-webserver - - category: unencrypted-asset - risk_status: mitigated - severity: medium - exploitation_impact: high - title: Unencrypted Technical Asset named Backoffice ERP System missing end user individual encryption with data-with-end-user-individual-key - synthetic_id: unencrypted-asset@erp-system - most_relevant_technical_asset: erp-system - data_breach_technical_assets: - - erp-system - - category: unencrypted-asset - risk_status: mitigated - severity: medium - exploitation_impact: high - title: Unencrypted Technical Asset named Git Repository - synthetic_id: unencrypted-asset@git-repo - most_relevant_technical_asset: git-repo - data_breach_technical_assets: - - git-repo - - category: unencrypted-asset - risk_status: mitigated - severity: medium - exploitation_impact: high - title: Unencrypted Technical Asset named Identity Provider - synthetic_id: unencrypted-asset@identity-provider - most_relevant_technical_asset: identity-provider - data_breach_technical_assets: - - identity-provider - - category: unencrypted-asset - risk_status: mitigated 
- severity: medium - exploitation_impact: high - title: Unencrypted Technical Asset named Jenkins Buildserver - synthetic_id: unencrypted-asset@jenkins-build-server - most_relevant_technical_asset: jenkins-build-server - data_breach_technical_assets: - - jenkins-build-server - - category: unencrypted-asset - risk_status: mitigated - severity: medium - exploitation_impact: high - title: Unencrypted Technical Asset named Marketing CMS - synthetic_id: unencrypted-asset@marketing-cms - most_relevant_technical_asset: marketing-cms - data_breach_technical_assets: - - marketing-cms - - category: unencrypted-asset - risk_status: mitigated - severity: medium - exploitation_impact: medium - title: Unencrypted Technical Asset named Contract Fileserver - synthetic_id: unencrypted-asset@contract-file-server - most_relevant_technical_asset: contract-file-server - data_breach_technical_assets: - - contract-file-server - - category: unencrypted-asset - risk_status: mitigated - severity: medium - exploitation_impact: medium - title: Unencrypted Technical Asset named Customer Contract Database missing end user individual encryption with data-with-end-user-individual-key - synthetic_id: unencrypted-asset@sql-database - most_relevant_technical_asset: sql-database - data_breach_technical_assets: - - sql-database - unencrypted-communication: - - category: unencrypted-communication - severity: elevated - exploitation_likelihood: likely - exploitation_impact: high - title: Unencrypted Communication named Auth Traffic between Marketing CMS and LDAP Auth Server transferring authentication data (like credentials, token, session-id, etc.) 
- synthetic_id: unencrypted-communication@marketing-cms>auth-traffic@marketing-cms@ldap-auth-server - most_relevant_technical_asset: marketing-cms - most_relevant_communication_link: marketing-cms>auth-traffic - data_breach_probability: possible - data_breach_technical_assets: - - ldap-auth-server - - category: unencrypted-communication - severity: elevated - exploitation_likelihood: likely - exploitation_impact: high - title: Unencrypted Communication named Web Application Traffic between Load Balancer and Apache Webserver transferring authentication data (like credentials, token, session-id, etc.) - synthetic_id: unencrypted-communication@load-balancer>web-application-traffic@load-balancer@apache-webserver - most_relevant_technical_asset: load-balancer - most_relevant_communication_link: load-balancer>web-application-traffic - data_breach_probability: possible - data_breach_technical_assets: - - apache-webserver - - category: unencrypted-communication - severity: medium - exploitation_impact: high - title: Unencrypted Communication named Database Traffic between Backoffice ERP System and Customer Contract Database transferring authentication data (like credentials, token, session-id, etc.) 
- synthetic_id: unencrypted-communication@erp-system>database-traffic@erp-system@sql-database - most_relevant_technical_asset: erp-system - most_relevant_communication_link: erp-system>database-traffic - data_breach_probability: possible - data_breach_technical_assets: - - sql-database - - category: unencrypted-communication - severity: medium - exploitation_impact: medium - title: Unencrypted Communication named NFS Filesystem Access between Backoffice ERP System and Contract Fileserver - synthetic_id: unencrypted-communication@erp-system>nfs-filesystem-access@erp-system@contract-file-server - most_relevant_technical_asset: erp-system - most_relevant_communication_link: erp-system>nfs-filesystem-access - data_breach_probability: possible - data_breach_technical_assets: - - contract-file-server - unguarded-access-from-internet: - - category: unguarded-access-from-internet - severity: elevated - exploitation_likelihood: very-likely - exploitation_impact: medium - title: Unguarded Access from Internet of Git Repository by External Development Client via Git-Repo Code Write Access - synthetic_id: unguarded-access-from-internet@git-repo@external-dev-client@external-dev-client>git-repo-code-write-access - most_relevant_technical_asset: git-repo - most_relevant_communication_link: external-dev-client>git-repo-code-write-access - data_breach_probability: possible - data_breach_technical_assets: - - git-repo - - category: unguarded-access-from-internet - severity: elevated - exploitation_likelihood: very-likely - exploitation_impact: medium - title: Unguarded Access from Internet of Git Repository by External Development Client via Git-Repo Web-UI Access - synthetic_id: unguarded-access-from-internet@git-repo@external-dev-client@external-dev-client>git-repo-web-ui-access - most_relevant_technical_asset: git-repo - most_relevant_communication_link: external-dev-client>git-repo-web-ui-access - data_breach_probability: possible - data_breach_technical_assets: - - git-repo - - 
category: unguarded-access-from-internet - severity: elevated - exploitation_likelihood: very-likely - exploitation_impact: medium - title: Unguarded Access from Internet of Jenkins Buildserver by External Development Client via Jenkins Web-UI Access - synthetic_id: unguarded-access-from-internet@jenkins-build-server@external-dev-client@external-dev-client>jenkins-web-ui-access - most_relevant_technical_asset: jenkins-build-server - most_relevant_communication_link: external-dev-client>jenkins-web-ui-access - data_breach_probability: possible - data_breach_technical_assets: - - jenkins-build-server - untrusted-deserialization: - - category: untrusted-deserialization - severity: elevated - exploitation_likelihood: likely - exploitation_impact: very-high - title: Untrusted Deserialization risk at Jenkins Buildserver - synthetic_id: untrusted-deserialization@jenkins-build-server - most_relevant_technical_asset: jenkins-build-server - data_breach_probability: probable - data_breach_technical_assets: - - jenkins-build-server - - category: untrusted-deserialization - risk_status: accepted - severity: elevated - exploitation_likelihood: likely - exploitation_impact: very-high - title: Untrusted Deserialization risk at Backoffice ERP System - synthetic_id: untrusted-deserialization@erp-system - most_relevant_technical_asset: erp-system - data_breach_probability: probable - data_breach_technical_assets: - - erp-system - xml-external-entity: - - category: xml-external-entity - severity: high - exploitation_likelihood: very-likely - exploitation_impact: high - title: XML External Entity (XXE) risk at Backoffice ERP System - synthetic_id: xml-external-entity@erp-system - most_relevant_technical_asset: erp-system - data_breach_probability: probable - data_breach_technical_assets: - - erp-system -generated_risks_by_synthetic_id: - accidental-secret-leak@git-repo: - category: accidental-secret-leak - severity: medium - exploitation_impact: high - title: 'Accidental Secret Leak 
(Git) risk at Git Repository: Git Leak Prevention' - synthetic_id: accidental-secret-leak@git-repo - most_relevant_technical_asset: git-repo - data_breach_probability: probable - data_breach_technical_assets: - - git-repo - code-backdooring@git-repo: - category: code-backdooring - severity: medium - exploitation_impact: high - title: Code Backdooring risk at Git Repository - synthetic_id: code-backdooring@git-repo - most_relevant_technical_asset: git-repo - data_breach_probability: probable - data_breach_technical_assets: - - git-repo - code-backdooring@jenkins-build-server: - category: code-backdooring - severity: medium - exploitation_impact: high - title: Code Backdooring risk at Jenkins Buildserver - synthetic_id: code-backdooring@jenkins-build-server - most_relevant_technical_asset: jenkins-build-server - data_breach_probability: probable - data_breach_technical_assets: - - marketing-cms - - jenkins-build-server - - apache-webserver - container-baseimage-backdooring@apache-webserver: - category: container-baseimage-backdooring - severity: medium - exploitation_impact: high - title: Container Base Image Backdooring risk at Apache Webserver - synthetic_id: container-baseimage-backdooring@apache-webserver - most_relevant_technical_asset: apache-webserver - data_breach_probability: probable - data_breach_technical_assets: - - apache-webserver - container-baseimage-backdooring@marketing-cms: - category: container-baseimage-backdooring - severity: medium - exploitation_impact: high - title: Container Base Image Backdooring risk at Marketing CMS - synthetic_id: container-baseimage-backdooring@marketing-cms - most_relevant_technical_asset: marketing-cms - data_breach_probability: probable - data_breach_technical_assets: - - marketing-cms - cross-site-request-forgery@apache-webserver@load-balancer>web-application-traffic: - category: cross-site-request-forgery - severity: medium - exploitation_likelihood: very-likely - title: Cross-Site Request Forgery (CSRF) risk at 
Apache Webserver via Web Application Traffic from Load Balancer - synthetic_id: cross-site-request-forgery@apache-webserver@load-balancer>web-application-traffic - most_relevant_technical_asset: apache-webserver - most_relevant_communication_link: load-balancer>web-application-traffic - data_breach_technical_assets: - - apache-webserver - cross-site-request-forgery@erp-system@apache-webserver>erp-system-traffic: - category: cross-site-request-forgery - severity: medium - exploitation_likelihood: very-likely - title: Cross-Site Request Forgery (CSRF) risk at Backoffice ERP System via ERP System Traffic from Apache Webserver - synthetic_id: cross-site-request-forgery@erp-system@apache-webserver>erp-system-traffic - most_relevant_technical_asset: erp-system - most_relevant_communication_link: apache-webserver>erp-system-traffic - data_breach_technical_assets: - - erp-system - cross-site-request-forgery@erp-system@backend-admin-client>erp-web-access: - category: cross-site-request-forgery - severity: medium - exploitation_likelihood: likely - title: Cross-Site Request Forgery (CSRF) risk at Backoffice ERP System via ERP Web Access from Backend Admin Client - synthetic_id: cross-site-request-forgery@erp-system@backend-admin-client>erp-web-access - most_relevant_technical_asset: erp-system - most_relevant_communication_link: backend-admin-client>erp-web-access - data_breach_technical_assets: - - erp-system - cross-site-request-forgery@erp-system@backoffice-client>erp-internal-access: - category: cross-site-request-forgery - severity: medium - exploitation_likelihood: very-likely - title: Cross-Site Request Forgery (CSRF) risk at Backoffice ERP System via ERP Internal Access from Backoffice Client - synthetic_id: cross-site-request-forgery@erp-system@backoffice-client>erp-internal-access - most_relevant_technical_asset: erp-system - most_relevant_communication_link: backoffice-client>erp-internal-access - data_breach_technical_assets: - - erp-system - 
cross-site-request-forgery@identity-provider@apache-webserver>auth-credential-check-traffic: - category: cross-site-request-forgery - severity: medium - exploitation_likelihood: very-likely - title: Cross-Site Request Forgery (CSRF) risk at Identity Provider via Auth Credential Check Traffic from Apache Webserver - synthetic_id: cross-site-request-forgery@identity-provider@apache-webserver>auth-credential-check-traffic - most_relevant_technical_asset: identity-provider - most_relevant_communication_link: apache-webserver>auth-credential-check-traffic - data_breach_technical_assets: - - identity-provider - cross-site-request-forgery@marketing-cms@backoffice-client>marketing-cms-editing: - category: cross-site-request-forgery - severity: medium - exploitation_likelihood: very-likely - title: Cross-Site Request Forgery (CSRF) risk at Marketing CMS via Marketing CMS Editing from Backoffice Client - synthetic_id: cross-site-request-forgery@marketing-cms@backoffice-client>marketing-cms-editing - most_relevant_technical_asset: marketing-cms - most_relevant_communication_link: backoffice-client>marketing-cms-editing - data_breach_technical_assets: - - marketing-cms - cross-site-request-forgery@marketing-cms@load-balancer>cms-content-traffic: - category: cross-site-request-forgery - severity: medium - exploitation_likelihood: very-likely - title: Cross-Site Request Forgery (CSRF) risk at Marketing CMS via CMS Content Traffic from Load Balancer - synthetic_id: cross-site-request-forgery@marketing-cms@load-balancer>cms-content-traffic - most_relevant_technical_asset: marketing-cms - most_relevant_communication_link: load-balancer>cms-content-traffic - data_breach_technical_assets: - - marketing-cms - cross-site-scripting@apache-webserver: - category: cross-site-scripting - severity: elevated - exploitation_likelihood: likely - exploitation_impact: high - title: Cross-Site Scripting (XSS) risk at Apache Webserver - synthetic_id: cross-site-scripting@apache-webserver - 
most_relevant_technical_asset: apache-webserver - data_breach_probability: possible - data_breach_technical_assets: - - apache-webserver - cross-site-scripting@erp-system: - category: cross-site-scripting - severity: elevated - exploitation_likelihood: likely - exploitation_impact: high - title: Cross-Site Scripting (XSS) risk at Backoffice ERP System - synthetic_id: cross-site-scripting@erp-system - most_relevant_technical_asset: erp-system - data_breach_probability: possible - data_breach_technical_assets: - - erp-system - cross-site-scripting@identity-provider: - category: cross-site-scripting - severity: elevated - exploitation_likelihood: likely - exploitation_impact: high - title: Cross-Site Scripting (XSS) risk at Identity Provider - synthetic_id: cross-site-scripting@identity-provider - most_relevant_technical_asset: identity-provider - data_breach_probability: possible - data_breach_technical_assets: - - identity-provider - cross-site-scripting@marketing-cms: - category: cross-site-scripting - severity: elevated - exploitation_likelihood: likely - exploitation_impact: high - title: Cross-Site Scripting (XSS) risk at Marketing CMS - synthetic_id: cross-site-scripting@marketing-cms - most_relevant_technical_asset: marketing-cms - data_breach_probability: possible - data_breach_technical_assets: - - marketing-cms - dos-risky-access-across-trust-boundary@apache-webserver@customer-client@customer-client>customer-traffic: - category: dos-risky-access-across-trust-boundary - title: Denial-of-Service risky access of Apache Webserver by Customer Web Client via Customer Traffic forwarded via Load Balancer - synthetic_id: dos-risky-access-across-trust-boundary@apache-webserver@customer-client@customer-client>customer-traffic - most_relevant_technical_asset: apache-webserver - most_relevant_communication_link: customer-client>customer-traffic - dos-risky-access-across-trust-boundary@erp-system@apache-webserver@apache-webserver>erp-system-traffic: - category: 
dos-risky-access-across-trust-boundary - title: Denial-of-Service risky access of Backoffice ERP System by Apache Webserver via ERP System Traffic - synthetic_id: dos-risky-access-across-trust-boundary@erp-system@apache-webserver@apache-webserver>erp-system-traffic - most_relevant_technical_asset: erp-system - most_relevant_communication_link: apache-webserver>erp-system-traffic - dos-risky-access-across-trust-boundary@erp-system@backoffice-client@backoffice-client>erp-internal-access: - category: dos-risky-access-across-trust-boundary - title: Denial-of-Service risky access of Backoffice ERP System by Backoffice Client via ERP Internal Access - synthetic_id: dos-risky-access-across-trust-boundary@erp-system@backoffice-client@backoffice-client>erp-internal-access - most_relevant_technical_asset: erp-system - most_relevant_communication_link: backoffice-client>erp-internal-access - dos-risky-access-across-trust-boundary@identity-provider@apache-webserver@apache-webserver>auth-credential-check-traffic: - category: dos-risky-access-across-trust-boundary - title: Denial-of-Service risky access of Identity Provider by Apache Webserver via Auth Credential Check Traffic - synthetic_id: dos-risky-access-across-trust-boundary@identity-provider@apache-webserver@apache-webserver>auth-credential-check-traffic - most_relevant_technical_asset: identity-provider - most_relevant_communication_link: apache-webserver>auth-credential-check-traffic - dos-risky-access-across-trust-boundary@ldap-auth-server@marketing-cms@marketing-cms>auth-traffic: - category: dos-risky-access-across-trust-boundary - title: Denial-of-Service risky access of LDAP Auth Server by Marketing CMS via Auth Traffic - synthetic_id: dos-risky-access-across-trust-boundary@ldap-auth-server@marketing-cms@marketing-cms>auth-traffic - most_relevant_technical_asset: ldap-auth-server - most_relevant_communication_link: marketing-cms>auth-traffic - 
dos-risky-access-across-trust-boundary@marketing-cms@backoffice-client@backoffice-client>marketing-cms-editing: - category: dos-risky-access-across-trust-boundary - title: Denial-of-Service risky access of Marketing CMS by Backoffice Client via Marketing CMS Editing - synthetic_id: dos-risky-access-across-trust-boundary@marketing-cms@backoffice-client@backoffice-client>marketing-cms-editing - most_relevant_technical_asset: marketing-cms - most_relevant_communication_link: backoffice-client>marketing-cms-editing - dos-risky-access-across-trust-boundary@marketing-cms@customer-client@customer-client>customer-traffic: - category: dos-risky-access-across-trust-boundary - title: Denial-of-Service risky access of Marketing CMS by Customer Web Client via Customer Traffic forwarded via Load Balancer - synthetic_id: dos-risky-access-across-trust-boundary@marketing-cms@customer-client@customer-client>customer-traffic - most_relevant_technical_asset: marketing-cms - most_relevant_communication_link: customer-client>customer-traffic - ldap-injection@identity-provider@ldap-auth-server@identity-provider>ldap-credential-check-traffic: - category: ldap-injection - severity: elevated - exploitation_likelihood: likely - exploitation_impact: high - title: LDAP-Injection risk at Identity Provider against LDAP server LDAP Auth Server via LDAP Credential Check Traffic - synthetic_id: ldap-injection@identity-provider@ldap-auth-server@identity-provider>ldap-credential-check-traffic - most_relevant_technical_asset: identity-provider - most_relevant_communication_link: identity-provider>ldap-credential-check-traffic - data_breach_probability: probable - data_breach_technical_assets: - - ldap-auth-server - ldap-injection@marketing-cms@ldap-auth-server@marketing-cms>auth-traffic: - category: ldap-injection - severity: elevated - exploitation_likelihood: likely - exploitation_impact: high - title: LDAP-Injection risk at Marketing CMS against LDAP server LDAP Auth Server via Auth Traffic - 
synthetic_id: ldap-injection@marketing-cms@ldap-auth-server@marketing-cms>auth-traffic - most_relevant_technical_asset: marketing-cms - most_relevant_communication_link: marketing-cms>auth-traffic - data_breach_probability: probable - data_breach_technical_assets: - - ldap-auth-server - missing-authentication@backend-admin-client>db-update-access@backend-admin-client@sql-database: - category: missing-authentication - severity: medium - exploitation_impact: medium - title: Missing Two-Factor Authentication covering communication link DB Update Access from Backend Admin Client to Customer Contract Database - synthetic_id: missing-authentication@backend-admin-client>db-update-access@backend-admin-client@sql-database - most_relevant_technical_asset: sql-database - most_relevant_communication_link: backend-admin-client>db-update-access - data_breach_probability: possible - data_breach_technical_assets: - - sql-database - missing-authentication@backend-admin-client>erp-web-access@backend-admin-client@erp-system: - category: missing-authentication - severity: medium - exploitation_impact: medium - title: Missing Two-Factor Authentication covering communication link ERP Web Access from Backend Admin Client to Backoffice ERP System - synthetic_id: missing-authentication@backend-admin-client>erp-web-access@backend-admin-client@erp-system - most_relevant_technical_asset: erp-system - most_relevant_communication_link: backend-admin-client>erp-web-access - data_breach_probability: possible - data_breach_technical_assets: - - erp-system - missing-authentication@backend-admin-client>user-management-access@backend-admin-client@ldap-auth-server: - category: missing-authentication - severity: medium - exploitation_impact: medium - title: Missing Two-Factor Authentication covering communication link User Management Access from Backend Admin Client to LDAP Auth Server - synthetic_id: 
missing-authentication@backend-admin-client>user-management-access@backend-admin-client@ldap-auth-server - most_relevant_technical_asset: ldap-auth-server - most_relevant_communication_link: backend-admin-client>user-management-access - data_breach_probability: possible - data_breach_technical_assets: - - ldap-auth-server - missing-authentication@backoffice-client>erp-internal-access@backoffice-client@erp-system: - category: missing-authentication - severity: medium - exploitation_impact: medium - title: Missing Two-Factor Authentication covering communication link ERP Internal Access from Backoffice Client to Backoffice ERP System - synthetic_id: missing-authentication@backoffice-client>erp-internal-access@backoffice-client@erp-system - most_relevant_technical_asset: erp-system - most_relevant_communication_link: backoffice-client>erp-internal-access - data_breach_probability: possible - data_breach_technical_assets: - - erp-system - missing-authentication@erp-system>nfs-filesystem-access@erp-system@contract-file-server: - category: missing-authentication - severity: elevated - exploitation_likelihood: likely - exploitation_impact: medium - title: Missing Authentication covering communication link NFS Filesystem Access from Backoffice ERP System to Contract Fileserver - synthetic_id: missing-authentication@erp-system>nfs-filesystem-access@erp-system@contract-file-server - most_relevant_technical_asset: contract-file-server - most_relevant_communication_link: erp-system>nfs-filesystem-access - data_breach_probability: possible - data_breach_technical_assets: - - contract-file-server - missing-authentication@external-dev-client>git-repo-code-write-access@external-dev-client@git-repo: - category: missing-authentication - severity: medium - exploitation_impact: medium - title: Missing Two-Factor Authentication covering communication link Git-Repo Code Write Access from External Development Client to Git Repository - synthetic_id: 
missing-authentication@external-dev-client>git-repo-code-write-access@external-dev-client@git-repo - most_relevant_technical_asset: git-repo - most_relevant_communication_link: external-dev-client>git-repo-code-write-access - data_breach_probability: possible - data_breach_technical_assets: - - git-repo - missing-authentication@external-dev-client>git-repo-web-ui-access@external-dev-client@git-repo: - category: missing-authentication - severity: medium - exploitation_impact: medium - title: Missing Two-Factor Authentication covering communication link Git-Repo Web-UI Access from External Development Client to Git Repository - synthetic_id: missing-authentication@external-dev-client>git-repo-web-ui-access@external-dev-client@git-repo - most_relevant_technical_asset: git-repo - most_relevant_communication_link: external-dev-client>git-repo-web-ui-access - data_breach_probability: possible - data_breach_technical_assets: - - git-repo - missing-authentication@external-dev-client>jenkins-web-ui-access@external-dev-client@jenkins-build-server: - category: missing-authentication - severity: medium - exploitation_impact: medium - title: Missing Two-Factor Authentication covering communication link Jenkins Web-UI Access from External Development Client to Jenkins Buildserver - synthetic_id: missing-authentication@external-dev-client>jenkins-web-ui-access@external-dev-client@jenkins-build-server - most_relevant_technical_asset: jenkins-build-server - most_relevant_communication_link: external-dev-client>jenkins-web-ui-access - data_breach_probability: possible - data_breach_technical_assets: - - jenkins-build-server - missing-authentication@load-balancer>cms-content-traffic@load-balancer@marketing-cms: - category: missing-authentication - severity: medium - exploitation_impact: medium - title: Missing Two-Factor Authentication covering communication link CMS Content Traffic from Customer Web Client forwarded via Load Balancer to Marketing CMS - synthetic_id: 
missing-authentication@load-balancer>cms-content-traffic@load-balancer@marketing-cms - most_relevant_technical_asset: marketing-cms - most_relevant_communication_link: load-balancer>cms-content-traffic - data_breach_probability: possible - data_breach_technical_assets: - - marketing-cms - missing-authentication@load-balancer>web-application-traffic@load-balancer@apache-webserver: - category: missing-authentication - severity: medium - exploitation_impact: medium - title: Missing Two-Factor Authentication covering communication link Web Application Traffic from Customer Web Client forwarded via Load Balancer to Apache Webserver - synthetic_id: missing-authentication@load-balancer>web-application-traffic@load-balancer@apache-webserver - most_relevant_technical_asset: apache-webserver - most_relevant_communication_link: load-balancer>web-application-traffic - data_breach_probability: possible - data_breach_technical_assets: - - apache-webserver - missing-cloud-hardening@apache-webserver: - category: missing-cloud-hardening - severity: elevated - exploitation_impact: very-high - title: 'Missing Cloud Hardening (EC2) risk at Apache Webserver: CIS Benchmark for Amazon Linux' - synthetic_id: missing-cloud-hardening@apache-webserver - most_relevant_technical_asset: apache-webserver - data_breach_probability: probable - data_breach_technical_assets: - - apache-webserver - missing-cloud-hardening@application-network: - category: missing-cloud-hardening - severity: elevated - exploitation_impact: very-high - title: 'Missing Cloud Hardening (AWS) risk at Application Network: CIS Benchmark for AWS' - synthetic_id: missing-cloud-hardening@application-network - most_relevant_trust_boundary: application-network - data_breach_probability: probable - data_breach_technical_assets: - - load-balancer - - apache-webserver - - marketing-cms - - erp-system - - contract-file-server - - sql-database - - identity-provider - - ldap-auth-server - missing-cloud-hardening@contract-file-server: - 
category: missing-cloud-hardening - severity: medium - exploitation_impact: high - title: 'Missing Cloud Hardening (S3) risk at Contract Fileserver: Security Best Practices for AWS S3' - synthetic_id: missing-cloud-hardening@contract-file-server - most_relevant_technical_asset: contract-file-server - data_breach_probability: probable - data_breach_technical_assets: - - contract-file-server - missing-cloud-hardening@erp-dmz: - category: missing-cloud-hardening - severity: elevated - exploitation_impact: very-high - title: Missing Cloud Hardening risk at ERP DMZ - synthetic_id: missing-cloud-hardening@erp-dmz - most_relevant_trust_boundary: erp-dmz - data_breach_probability: probable - data_breach_technical_assets: - - erp-system - - contract-file-server - - sql-database - missing-cloud-hardening@web-dmz: - category: missing-cloud-hardening - severity: elevated - exploitation_impact: very-high - title: Missing Cloud Hardening risk at Web DMZ - synthetic_id: missing-cloud-hardening@web-dmz - most_relevant_trust_boundary: web-dmz - data_breach_probability: probable - data_breach_technical_assets: - - apache-webserver - - marketing-cms - missing-file-validation@apache-webserver: - category: missing-file-validation - severity: elevated - exploitation_likelihood: very-likely - exploitation_impact: medium - title: Missing File Validation risk at Apache Webserver - synthetic_id: missing-file-validation@apache-webserver - most_relevant_technical_asset: apache-webserver - data_breach_probability: probable - data_breach_technical_assets: - - apache-webserver - missing-hardening@apache-webserver: - category: missing-hardening - severity: elevated - exploitation_likelihood: likely - exploitation_impact: medium - title: Missing Hardening risk at Apache Webserver - synthetic_id: missing-hardening@apache-webserver - most_relevant_technical_asset: apache-webserver - data_breach_technical_assets: - - apache-webserver - missing-hardening@erp-system: - category: missing-hardening - 
severity: elevated - exploitation_likelihood: likely - exploitation_impact: medium - title: Missing Hardening risk at Backoffice ERP System - synthetic_id: missing-hardening@erp-system - most_relevant_technical_asset: erp-system - data_breach_technical_assets: - - erp-system - missing-hardening@identity-provider: - category: missing-hardening - severity: elevated - exploitation_likelihood: likely - exploitation_impact: medium - title: Missing Hardening risk at Identity Provider - synthetic_id: missing-hardening@identity-provider - most_relevant_technical_asset: identity-provider - data_breach_technical_assets: - - identity-provider - missing-hardening@jenkins-build-server: - category: missing-hardening - severity: elevated - exploitation_likelihood: likely - exploitation_impact: medium - title: Missing Hardening risk at Jenkins Buildserver - synthetic_id: missing-hardening@jenkins-build-server - most_relevant_technical_asset: jenkins-build-server - data_breach_technical_assets: - - jenkins-build-server - missing-hardening@ldap-auth-server: - category: missing-hardening - severity: elevated - exploitation_likelihood: likely - exploitation_impact: medium - title: Missing Hardening risk at LDAP Auth Server - synthetic_id: missing-hardening@ldap-auth-server - most_relevant_technical_asset: ldap-auth-server - data_breach_technical_assets: - - ldap-auth-server - missing-hardening@sql-database: - category: missing-hardening - severity: elevated - exploitation_likelihood: likely - exploitation_impact: medium - title: Missing Hardening risk at Customer Contract Database - synthetic_id: missing-hardening@sql-database - most_relevant_technical_asset: sql-database - data_breach_technical_assets: - - sql-database - missing-identity-propagation@apache-webserver>erp-system-traffic@apache-webserver@erp-system: - category: missing-identity-propagation - severity: medium - exploitation_impact: medium - title: Missing End User Identity Propagation over communication link ERP System 
Traffic from Apache Webserver to Backoffice ERP System - synthetic_id: missing-identity-propagation@apache-webserver>erp-system-traffic@apache-webserver@erp-system - most_relevant_technical_asset: erp-system - most_relevant_communication_link: apache-webserver>erp-system-traffic - data_breach_technical_assets: - - erp-system - missing-network-segmentation@apache-webserver: - category: missing-network-segmentation - severity: medium - exploitation_impact: medium - title: Missing Network Segmentation to further encapsulate and protect Apache Webserver against unrelated lower protected assets in the same network segment, which might be easier to compromise by attackers - synthetic_id: missing-network-segmentation@apache-webserver - most_relevant_technical_asset: apache-webserver - data_breach_technical_assets: - - apache-webserver - missing-network-segmentation@jenkins-build-server: - category: missing-network-segmentation - severity: medium - exploitation_impact: medium - title: Missing Network Segmentation to further encapsulate and protect Jenkins Buildserver against unrelated lower protected assets in the same network segment, which might be easier to compromise by attackers - synthetic_id: missing-network-segmentation@jenkins-build-server - most_relevant_technical_asset: jenkins-build-server - data_breach_technical_assets: - - jenkins-build-server - missing-vault@erp-system: - category: missing-vault - severity: medium - exploitation_impact: medium - title: Missing Vault (Secret Storage) in the threat model (referencing asset Backoffice ERP System as an example) - synthetic_id: missing-vault@erp-system - most_relevant_technical_asset: erp-system - missing-waf@apache-webserver: - category: missing-waf - severity: medium - exploitation_impact: medium - title: Missing Web Application Firewall (WAF) risk at Apache Webserver - synthetic_id: missing-waf@apache-webserver - most_relevant_technical_asset: apache-webserver - data_breach_technical_assets: - - 
apache-webserver - missing-waf@erp-system: - category: missing-waf - severity: medium - exploitation_impact: medium - title: Missing Web Application Firewall (WAF) risk at Backoffice ERP System - synthetic_id: missing-waf@erp-system - most_relevant_technical_asset: erp-system - data_breach_technical_assets: - - erp-system - missing-waf@identity-provider: - category: missing-waf - severity: medium - exploitation_impact: medium - title: Missing Web Application Firewall (WAF) risk at Identity Provider - synthetic_id: missing-waf@identity-provider - most_relevant_technical_asset: identity-provider - data_breach_technical_assets: - - identity-provider - missing-waf@marketing-cms: - category: missing-waf - severity: medium - exploitation_impact: medium - title: Missing Web Application Firewall (WAF) risk at Marketing CMS - synthetic_id: missing-waf@marketing-cms - most_relevant_technical_asset: marketing-cms - data_breach_technical_assets: - - marketing-cms - mixed-targets-on-shared-runtime@webapp-virtualization: - category: mixed-targets-on-shared-runtime - severity: medium - exploitation_impact: medium - title: Mixed Targets on Shared Runtime named WebApp and Backoffice Virtualization might enable attackers moving from one less valuable target to a more valuable one - synthetic_id: mixed-targets-on-shared-runtime@webapp-virtualization - most_relevant_shared_runtime: webapp-virtualization - data_breach_technical_assets: - - apache-webserver - - marketing-cms - - erp-system - - contract-file-server - - sql-database - path-traversal@erp-system@contract-file-server@erp-system>nfs-filesystem-access: - category: path-traversal - severity: elevated - exploitation_likelihood: very-likely - exploitation_impact: medium - title: Path-Traversal risk at Backoffice ERP System against filesystem Contract Fileserver via NFS Filesystem Access - synthetic_id: path-traversal@erp-system@contract-file-server@erp-system>nfs-filesystem-access - most_relevant_technical_asset: erp-system - 
most_relevant_communication_link: erp-system>nfs-filesystem-access - data_breach_probability: probable - data_breach_technical_assets: - - contract-file-server - push-instead-of-pull-deployment@jenkins-build-server: - category: push-instead-of-pull-deployment - severity: medium - exploitation_impact: medium - title: Push instead of Pull Deployment at Marketing CMS via build pipeline asset Jenkins Buildserver - synthetic_id: push-instead-of-pull-deployment@jenkins-build-server - most_relevant_technical_asset: marketing-cms - most_relevant_communication_link: jenkins-build-server>cms-updates - data_breach_technical_assets: - - marketing-cms - server-side-request-forgery@apache-webserver@erp-system@apache-webserver>erp-system-traffic: - category: server-side-request-forgery - severity: elevated - exploitation_likelihood: likely - exploitation_impact: medium - title: Server-Side Request Forgery (SSRF) risk at Apache Webserver server-side web-requesting the target Backoffice ERP System via ERP System Traffic - synthetic_id: server-side-request-forgery@apache-webserver@erp-system@apache-webserver>erp-system-traffic - most_relevant_technical_asset: apache-webserver - most_relevant_communication_link: apache-webserver>erp-system-traffic - data_breach_probability: possible - data_breach_technical_assets: - - apache-webserver - - marketing-cms - server-side-request-forgery@apache-webserver@identity-provider@apache-webserver>auth-credential-check-traffic: - category: server-side-request-forgery - severity: elevated - exploitation_likelihood: likely - exploitation_impact: medium - title: Server-Side Request Forgery (SSRF) risk at Apache Webserver server-side web-requesting the target Identity Provider via Auth Credential Check Traffic - synthetic_id: server-side-request-forgery@apache-webserver@identity-provider@apache-webserver>auth-credential-check-traffic - most_relevant_technical_asset: apache-webserver - most_relevant_communication_link: 
apache-webserver>auth-credential-check-traffic - data_breach_probability: possible - data_breach_technical_assets: - - apache-webserver - - marketing-cms - something-strange@contract-file-server: - category: something-strange - severity: medium - exploitation_likelihood: frequent - exploitation_impact: very-high - title: Example Individual Risk at Contract Filesystem - synthetic_id: something-strange@contract-file-server - most_relevant_technical_asset: contract-file-server - something-strange@sql-database: - category: something-strange - severity: critical - exploitation_likelihood: likely - exploitation_impact: medium - title: Example Individual Risk at Database - synthetic_id: something-strange@sql-database - most_relevant_technical_asset: sql-database - data_breach_probability: probable - data_breach_technical_assets: - - sql-database - sql-nosql-injection@erp-system@sql-database@erp-system>database-traffic: - category: sql-nosql-injection - severity: high - exploitation_likelihood: very-likely - exploitation_impact: high - title: SQL/NoSQL-Injection risk at Backoffice ERP System against database Customer Contract Database via Database Traffic - synthetic_id: sql-nosql-injection@erp-system@sql-database@erp-system>database-traffic - most_relevant_technical_asset: erp-system - most_relevant_communication_link: erp-system>database-traffic - data_breach_probability: probable - data_breach_technical_assets: - - sql-database - unchecked-deployment@external-dev-client: - category: unchecked-deployment - severity: medium - exploitation_impact: medium - title: Unchecked Deployment risk at External Development Client - synthetic_id: unchecked-deployment@external-dev-client - most_relevant_technical_asset: external-dev-client - data_breach_probability: possible - data_breach_technical_assets: - - external-dev-client - - git-repo - - jenkins-build-server - unchecked-deployment@git-repo: - category: unchecked-deployment - title: Unchecked Deployment risk at Git Repository - 
synthetic_id: unchecked-deployment@git-repo - most_relevant_technical_asset: git-repo - data_breach_probability: possible - data_breach_technical_assets: - - git-repo - unchecked-deployment@jenkins-build-server: - category: unchecked-deployment - severity: medium - exploitation_impact: medium - title: Unchecked Deployment risk at Jenkins Buildserver - synthetic_id: unchecked-deployment@jenkins-build-server - most_relevant_technical_asset: jenkins-build-server - data_breach_probability: possible - data_breach_technical_assets: - - marketing-cms - - jenkins-build-server - - apache-webserver - unencrypted-asset@apache-webserver: - category: unencrypted-asset - severity: medium - exploitation_impact: high - title: Unencrypted Technical Asset named Apache Webserver - synthetic_id: unencrypted-asset@apache-webserver - most_relevant_technical_asset: apache-webserver - data_breach_technical_assets: - - apache-webserver - unencrypted-asset@contract-file-server: - category: unencrypted-asset - severity: medium - exploitation_impact: medium - title: Unencrypted Technical Asset named Contract Fileserver - synthetic_id: unencrypted-asset@contract-file-server - most_relevant_technical_asset: contract-file-server - data_breach_technical_assets: - - contract-file-server - unencrypted-asset@erp-system: - category: unencrypted-asset - severity: medium - exploitation_impact: high - title: Unencrypted Technical Asset named Backoffice ERP System missing end user individual encryption with data-with-end-user-individual-key - synthetic_id: unencrypted-asset@erp-system - most_relevant_technical_asset: erp-system - data_breach_technical_assets: - - erp-system - unencrypted-asset@git-repo: - category: unencrypted-asset - severity: medium - exploitation_impact: high - title: Unencrypted Technical Asset named Git Repository - synthetic_id: unencrypted-asset@git-repo - most_relevant_technical_asset: git-repo - data_breach_technical_assets: - - git-repo - unencrypted-asset@identity-provider: - 
category: unencrypted-asset - severity: medium - exploitation_impact: high - title: Unencrypted Technical Asset named Identity Provider - synthetic_id: unencrypted-asset@identity-provider - most_relevant_technical_asset: identity-provider - data_breach_technical_assets: - - identity-provider - unencrypted-asset@jenkins-build-server: - category: unencrypted-asset - severity: medium - exploitation_impact: high - title: Unencrypted Technical Asset named Jenkins Buildserver - synthetic_id: unencrypted-asset@jenkins-build-server - most_relevant_technical_asset: jenkins-build-server - data_breach_technical_assets: - - jenkins-build-server - unencrypted-asset@marketing-cms: - category: unencrypted-asset - severity: medium - exploitation_impact: high - title: Unencrypted Technical Asset named Marketing CMS - synthetic_id: unencrypted-asset@marketing-cms - most_relevant_technical_asset: marketing-cms - data_breach_technical_assets: - - marketing-cms - unencrypted-asset@sql-database: - category: unencrypted-asset - severity: medium - exploitation_impact: medium - title: Unencrypted Technical Asset named Customer Contract Database missing end user individual encryption with data-with-end-user-individual-key - synthetic_id: unencrypted-asset@sql-database - most_relevant_technical_asset: sql-database - data_breach_technical_assets: - - sql-database - unencrypted-communication@erp-system>database-traffic@erp-system@sql-database: - category: unencrypted-communication - severity: medium - exploitation_impact: high - title: Unencrypted Communication named Database Traffic between Backoffice ERP System and Customer Contract Database transferring authentication data (like credentials, token, session-id, etc.) 
- synthetic_id: unencrypted-communication@erp-system>database-traffic@erp-system@sql-database - most_relevant_technical_asset: erp-system - most_relevant_communication_link: erp-system>database-traffic - data_breach_probability: possible - data_breach_technical_assets: - - sql-database - unencrypted-communication@erp-system>nfs-filesystem-access@erp-system@contract-file-server: - category: unencrypted-communication - severity: medium - exploitation_impact: medium - title: Unencrypted Communication named NFS Filesystem Access between Backoffice ERP System and Contract Fileserver - synthetic_id: unencrypted-communication@erp-system>nfs-filesystem-access@erp-system@contract-file-server - most_relevant_technical_asset: erp-system - most_relevant_communication_link: erp-system>nfs-filesystem-access - data_breach_probability: possible - data_breach_technical_assets: - - contract-file-server - unencrypted-communication@load-balancer>web-application-traffic@load-balancer@apache-webserver: - category: unencrypted-communication - severity: elevated - exploitation_likelihood: likely - exploitation_impact: high - title: Unencrypted Communication named Web Application Traffic between Load Balancer and Apache Webserver transferring authentication data (like credentials, token, session-id, etc.) 
- synthetic_id: unencrypted-communication@load-balancer>web-application-traffic@load-balancer@apache-webserver - most_relevant_technical_asset: load-balancer - most_relevant_communication_link: load-balancer>web-application-traffic - data_breach_probability: possible - data_breach_technical_assets: - - apache-webserver - unencrypted-communication@marketing-cms>auth-traffic@marketing-cms@ldap-auth-server: - category: unencrypted-communication - severity: elevated - exploitation_likelihood: likely - exploitation_impact: high - title: Unencrypted Communication named Auth Traffic between Marketing CMS and LDAP Auth Server transferring authentication data (like credentials, token, session-id, etc.) - synthetic_id: unencrypted-communication@marketing-cms>auth-traffic@marketing-cms@ldap-auth-server - most_relevant_technical_asset: marketing-cms - most_relevant_communication_link: marketing-cms>auth-traffic - data_breach_probability: possible - data_breach_technical_assets: - - ldap-auth-server - unguarded-access-from-internet@git-repo@external-dev-client@external-dev-client>git-repo-code-write-access: - category: unguarded-access-from-internet - severity: elevated - exploitation_likelihood: very-likely - exploitation_impact: medium - title: Unguarded Access from Internet of Git Repository by External Development Client via Git-Repo Code Write Access - synthetic_id: unguarded-access-from-internet@git-repo@external-dev-client@external-dev-client>git-repo-code-write-access - most_relevant_technical_asset: git-repo - most_relevant_communication_link: external-dev-client>git-repo-code-write-access - data_breach_probability: possible - data_breach_technical_assets: - - git-repo - unguarded-access-from-internet@git-repo@external-dev-client@external-dev-client>git-repo-web-ui-access: - category: unguarded-access-from-internet - severity: elevated - exploitation_likelihood: very-likely - exploitation_impact: medium - title: Unguarded Access from Internet of Git Repository by 
External Development Client via Git-Repo Web-UI Access - synthetic_id: unguarded-access-from-internet@git-repo@external-dev-client@external-dev-client>git-repo-web-ui-access - most_relevant_technical_asset: git-repo - most_relevant_communication_link: external-dev-client>git-repo-web-ui-access - data_breach_probability: possible - data_breach_technical_assets: - - git-repo - unguarded-access-from-internet@jenkins-build-server@external-dev-client@external-dev-client>jenkins-web-ui-access: - category: unguarded-access-from-internet - severity: elevated - exploitation_likelihood: very-likely - exploitation_impact: medium - title: Unguarded Access from Internet of Jenkins Buildserver by External Development Client via Jenkins Web-UI Access - synthetic_id: unguarded-access-from-internet@jenkins-build-server@external-dev-client@external-dev-client>jenkins-web-ui-access - most_relevant_technical_asset: jenkins-build-server - most_relevant_communication_link: external-dev-client>jenkins-web-ui-access - data_breach_probability: possible - data_breach_technical_assets: - - jenkins-build-server - untrusted-deserialization@erp-system: - category: untrusted-deserialization - severity: elevated - exploitation_likelihood: likely - exploitation_impact: very-high - title: Untrusted Deserialization risk at Backoffice ERP System - synthetic_id: untrusted-deserialization@erp-system - most_relevant_technical_asset: erp-system - data_breach_probability: probable - data_breach_technical_assets: - - erp-system - untrusted-deserialization@jenkins-build-server: - category: untrusted-deserialization - severity: elevated - exploitation_likelihood: likely - exploitation_impact: very-high - title: Untrusted Deserialization risk at Jenkins Buildserver - synthetic_id: untrusted-deserialization@jenkins-build-server - most_relevant_technical_asset: jenkins-build-server - data_breach_probability: probable - data_breach_technical_assets: - - jenkins-build-server - xml-external-entity@erp-system: - 
category: xml-external-entity - severity: high - exploitation_likelihood: very-likely - exploitation_impact: high - title: XML External Entity (XXE) risk at Backoffice ERP System - synthetic_id: xml-external-entity@erp-system - most_relevant_technical_asset: erp-system - data_breach_probability: probable - data_breach_technical_assets: - - erp-system