
Whiteboards are no longer adequate for modeling AppSec threats

UPDATED ‘Threat modelling as code’ is poised to supplant whiteboard diagrams as the definitive AppSec risk mapping paradigm, Black Hat USA attendees heard yesterday.

Used alone, says DevSecOps trainer and security architect Christian Schneider, classic threat modeling is unacceptably static in an evolving risk landscape, especially given the routine use of automatic security scans during pipeline-as-code development.

Therefore, Schneider implies, new tools are needed for agile threat modelling.

He unveiled such a toolkit, the open-source Threagile, during yesterday's arsenal track at Black Hat 2020, which was held online due to the coronavirus pandemic.

Publicly released on GitHub and Docker on Tuesday (August 4), Threagile models its architecture and assets as a YAML file directly inside the integrated development environment (IDE).

When the toolkit is executed, 40 built-in risk rules – and any custom rules created – are checked against the architecture model.

The upshot is reports on identified risks, their severity, mitigation steps, and the risk tracking state, as Schneider explains in the video below, where he repeats his Arsenal session for DEF CON.

Threagile, which can be executed as a simple Docker container, is very much DevSecOps-ready, says Schneider.

Running as a command line tool or as a REST server on-premises and generating JSON output simplifies the tool’s integration “into AppSec CI/CD-Pipelines”, he told The Daily Swig ahead of his presentation.

To achieve continuous modelling, Threagile adopts the threat-model-as-code paradigm by combining the “best of both worlds”, says Schneider.

“The declarative threat model data is just text” – a YAML file that offers “checking-in into GitHub along with the source-tree, diffing, collaboration, etc, plus being more readable than pure source code for humans”.

Schneider added: “Major IDEs also have code-like features for YAML-like autocompletion and schema checking. Threagile also supports live editing templates and a schema for the YAML file for auto-completion and syntax checking in IDEs.”
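To make the "threat model as code" workflow described above concrete, here is a small added example that is not part of the article and is not Threagile's code or schema. It keeps the architecture model as plain text (JSON, which is also valid YAML, so the same text could be checked in as a .yaml file next to the source tree), evaluates a list of risk rules against it, and emits a JSON report carrying severity, a mitigation hint and a risk-tracking status, the kind of output a CI/CD job can consume. The model keys, the two rules and the severity mapping are invented for this illustration; Threagile's own rule set and YAML format differ.

```python
"""Toy threat-model-as-code evaluator (illustration only; not Threagile)."""
import json

# Constructed architecture model. The schema below (asset keys, link fields,
# confidentiality levels) is a simplification invented for this example and
# is NOT Threagile's YAML format. JSON is a YAML subset, so this text could
# live in a .yaml file that is diffed and reviewed like any other source file.
MODEL_TEXT = """
{
  "title": "Example web shop",
  "technical_assets": {
    "web-app": {"internet": true,  "encryption": "tls",  "data": ["customer-data"]},
    "db":      {"internet": false, "encryption": "none", "data": ["customer-data"]},
    "logging": {"internet": false, "encryption": "none", "data": []}
  },
  "data_assets": {
    "customer-data": {"confidentiality": "confidential"}
  },
  "communication_links": [
    {"from": "web-app", "to": "db", "protocol": "jdbc", "encrypted": false}
  ]
}
"""

# Assumed mapping from data confidentiality to finding severity.
SEVERITY_FOR = {"confidential": "high", "internal": "medium", "public": "low"}


def rule_unencrypted_storage(model):
    """Flag assets that store confidential data without encryption at rest."""
    findings = []
    for name, asset in model["technical_assets"].items():
        if asset.get("encryption", "none") != "none":
            continue
        for data_id in asset.get("data", []):
            conf = model["data_assets"][data_id]["confidentiality"]
            if conf == "confidential":
                findings.append({
                    "rule": "unencrypted-storage",
                    "severity": SEVERITY_FOR[conf],
                    "asset": name,
                    "mitigation": f"Encrypt {data_id} at rest on {name}",
                })
    return findings


def rule_unencrypted_link(model):
    """Flag clear-text links between assets that both hold confidential data."""
    findings = []
    assets = model["technical_assets"]
    for link in model["communication_links"]:
        if link.get("encrypted"):
            continue
        shared = set(assets[link["from"]].get("data", [])) & set(
            assets[link["to"]].get("data", []))
        if any(model["data_assets"][d]["confidentiality"] == "confidential"
               for d in shared):
            findings.append({
                "rule": "unencrypted-link",
                "severity": "high",
                "asset": f'{link["from"]} -> {link["to"]}',
                "mitigation": f'Enable transport encryption on the {link["protocol"]} link',
            })
    return findings


# Built-in rules; a team can append its own custom rule functions to this list.
RULES = [rule_unencrypted_storage, rule_unencrypted_link]


def evaluate(model_text, rules=RULES):
    """Parse the model text and run every rule, tagging each finding with a tracking state."""
    model = json.loads(model_text)
    findings = []
    for rule in rules:
        for finding in rule(model):
            finding.setdefault("status", "unchecked")  # risk-tracking state
            findings.append(finding)
    return findings


def report_json(findings):
    """JSON output suitable for a pipeline step to parse or archive."""
    return json.dumps({"risks": findings, "count": len(findings)}, indent=2)


def has_blocking_risk(findings, severity="high"):
    """True if any untreated finding reaches the given severity; a CI gate can fail on this."""
    return any(f["severity"] == severity and f["status"] == "unchecked" for f in findings)


if __name__ == "__main__":
    results = evaluate(MODEL_TEXT)
    print(report_json(results))
```

Because the model, the rules and the report are all plain text and plain functions, the same command can run on every commit, and a change to the architecture file shows up as a reviewable diff rather than a redrawn whiteboard.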
