Guidance or examples on Classification #260
Comments
I really like this question since at first I thought, is it not obvious? But when I looked at my references I was not able to find a good short explanation on how to add classification labels for data or how to use these labels in threat modeling. I found NIST IR 8496 Chapter 3, which describes the idea of classification of data. What I always like to recommend is Chapter 8, Mandatory Access Control, by Fred B. Schneider. This describes the basic idea of MLS and how the ordering of labels can be used for access control. I looked into what is written on data classification and threat modeling and really could not find any good resources. But sadly I found nothing about how labels can be used in threat modelling. What is currently in pytm follows the simple MLS structure first.
Lines 322 to 328 in 2a37d1e
Even the rule in Lines 1933 to 1939 in 2a37d1e
I usually suggest to new threat modellers that they follow a similar simple approach: first pick a simple labeling, numbers between 1 and 5, on how important a piece of data is. But I think it would be good to have better guidance for data classification in regards to threat modelling. While writing this I was wondering if the current implementation in pytm might be improved.
Not sure how helpful my reply is to your question, but it made me think and I had to write this down.
Adding @nineinchnick to ask: do you remember why you chose the classification?
I remember I did some research, just to get some ideas about the level names, but I don't have any specific reference. It's very likely I got some ideas from Wikipedia, which should not be used as a reference anyway. I think they were supposed to be practical - offering a good enough range so it's easy to classify components of existing systems.
I'd always recommend that
Also, an important note: I've been using a custom threats database. There's no strong relationship between the default database provided by pytm and the properties used in building the model. IMO, all threats should be very well-defined in a particular domain; there's no generic database that would apply everywhere.
First of all excellent tool!
In some of the examples I have begun to build I see a lot of DS06 - Data Leak threats.
I see from the source code that the method hasDataLeaks() compares the classification of data in the dataflow sink and source to the classification of the data that is being transmitted, which seems to make sense.
Is there any guidance / examples / OWASP documentation on how one should model the classification in data and data flows?
I could contribute with an example when I get this figured out.
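As an added illustration of the data-leak check discussed in this issue (this is example code written for this thread, not pytm's own implementation), the following models the simple MLS-style ordering described above: each element is cleared for a maximum label, and a flow is flagged when the data it carries is classified higher than its source or sink. The label names, element and flow classes, and the sample model are constructed for this example.

```python
from dataclasses import dataclass
from enum import IntEnum


class Classification(IntEnum):
    """Ordered labels, higher value means more sensitive (constructed, MLS-style)."""
    UNKNOWN = 0
    PUBLIC = 1
    RESTRICTED = 2
    SENSITIVE = 3
    SECRET = 4
    TOP_SECRET = 5


@dataclass
class Data:
    name: str
    classification: Classification


@dataclass
class Element:
    name: str
    max_classification: Classification  # highest label this element may handle


@dataclass
class Dataflow:
    name: str
    source: Element
    sink: Element
    data: list  # Data items carried on this flow


def data_leaks(flow):
    """Return one finding per Data item whose label exceeds the source's or sink's."""
    findings = []
    for d in flow.data:
        for role, element in (("source", flow.source), ("sink", flow.sink)):
            if d.classification > element.max_classification:
                findings.append(
                    f"{flow.name}: {d.name} ({d.classification.name}) passes through "
                    f"{role} {element.name}, cleared only for {element.max_classification.name}"
                )
    return findings


def example_model():
    """Constructed model: a browser logs in to an API, which stores credentials in a DB."""
    browser = Element("Browser", Classification.PUBLIC)
    api = Element("API", Classification.SECRET)
    db = Element("Database", Classification.SECRET)
    creds = Data("user credentials", Classification.SECRET)
    catalog = Data("product catalog", Classification.PUBLIC)
    flows = [
        Dataflow("login", browser, api, [creds]),   # leak: Browser only cleared for PUBLIC
        Dataflow("store", api, db, [creds]),        # fine: both sides cleared for SECRET
        Dataflow("browse", api, browser, [catalog]),  # fine: public data to a public element
    ]
    return [finding for flow in flows for finding in data_leaks(flow)]
```

Raising the browser's clearance, or lowering the label on the credentials, makes the finding disappear, which is exactly the kind of modelling decision the question is about.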