-
Notifications
You must be signed in to change notification settings - Fork 179
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Threat Evaluation Improvements: Simplify conditions and first step toward detecting mitigations #152
Comments
But wouldn't that amount to having two different conditions, effectively? We already have one check for a target type ("things that only happen in servers") and then we should have the other constraints expressed in Threat.condition. |
Ok "simplify" is arguable and maybe the wrong choice. To capture valid applicable threats target type isn't enough so currently for some threats the threat condition is both a target condition and weakness condition. In my mind breaking these up into separate condition fields simplifies the current usage. Also allows us to identify truly applicable threats where positive annotations prevented a Finding. |
Playing devil's advocate here, can't the condition be written as an and between those two fields and go with a single field still, or would that lead to duplication of rules? |
Of course it could be a single field since that is the way it works today, using my example of INP01 I did split up its AND condition using the 2 fields. Today if INP01 is not identified I don't know if it is because they did not annotate that they are using env vars or because they had indicated that they have sanitization or checkBounds. |
I guess I'll need to see a full example. I keep thinking back to the quality of rules. |
|
NOZ04 doesn't currently work |
Thanks, that helps. So, I am still not sold on the need to make it into two separate conditions. I think the semantics of the thing is tripping me. Why do I need condition_1 = "foo is True" and condition_2 = "bar is True" instead of condition (foo is True and bar is True" ? |
If the complementary report could separate out 1. You are not doing a 'thing' and 2. You are doing a 'thing' and you are doing it correctly. You cannot do this without having 2 conditions. This was what I was going after. By adding this doesn't mean it must be used, some cases target_condition could be blank in that it impacts all of that type or for more complicated 'or' checks with multiple pairs of target condition and mitigating controls it may still need to be 1 condition or may need to be 2 threats. For some simple threats this doesn't apply but if you look at the conditions for a portion of the lib there are positive checks mixed with negative checks so this is already happening but the user is forced to define as a single condition. |
I'm warming up to the idea. @colesmj ? |
I separated this comment out since the above is directly related to this change and below is more where my head was at, what I could see in the future and another reason why this would be needed. -- If this were implemented future steps in my head would be to position condition to be mitigation condition and instead of being written as Here is a basic example, don't get hung up on the exact condition logic below just the spirit of change for now and why separating out target condition from mitigating control conditions could make sense. SQLi |
When using pytm to find threats I found most threats do not apply which would require me to re-write conditions to detect applicable components. Instead to address this I added a new condition to the threatlib called 'target_condition" to detect if the target is relevant for the Threat. For example using INP01 : Buffer Overflow via Environment Variables I have a target_condition of 'target.usesEnvironmentVariables' with the 'condition' of
target.sanitizesInput is False and target.checksInputBounds is False
another example would be applying SQLi to a Server or Process only if one of the outbound data flows as a sink of Database and isSQL = True.This is basically what I was getting after with #14 although i described it differently.
To be able to see this in report and ensure the target conditions are valid I have taken a step towards detecting mitigations. When applying a threat I have created a ThreatResult class for invalid target, not applicable threats (target_condition = False), mitigated (target_condition == True and condition == False) and Valid. Added lists of Threats for na, mitigated threats in Element.
Things are mostly functional locally but still playing with a few things. I would like to get anyones thoughts as I continue with this.
The text was updated successfully, but these errors were encountered: