Threat Modeling
Manual for documenting threat models in Ketryx using custom item types
Last updated
Was this helpful?
Manual for documenting threat models in Ketryx using custom item types
Last updated
Was this helpful?
Threat modeling is a structured approach to identifying and addressing potential threats to a system. This manual provides guidance on how to document your threat model using Ketryx with .
The purpose of this manual is to instruct users on how to use Ketryx for documenting threat models, focusing on the STRIDE methodology.
This manual describes how to use Ketryx to document threat models in a system. It is intended for users who are responsible for identifying and mitigating threats to a system.
AAMI TIR57: 2016/(R)2019: Principles for medical device security β Risk management
AAMI
Association for the Advancement of Medical Instrumentation
STRIDE
A threat modeling framework that categorizes threats into six types: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege
TIR
Technical Information Report
Additionally, you need to have the following item types set up in your Jira project and map them to the custom item types in Ketryx: Threat, Asset, Threat Source, Threat Surface, and Trust Boundary.
Once you have a project set up, you can start using threat modeling. The following sections describe how to set up the custom item types and map them to the Jira item types.
To activate the threat modeling feature, go the Advanced Settings in your project or organization, and enable the Enable threat modeling setting.
Then, go the Advanced Settings in your organization, and copy the configuration below and paste it into the corresponding fields:
The custom item types used for threat modeling are as follows:
Asset: Represents an asset in the system.
Threat: Represents a threat to the system.
Threat Source: Represents a source of a threat.
Threat Surface: Represents a part of the system that is vulnerable to a threat.
Trust Boundary: Represents a boundary that separates the system from external entities.
For all item types, to make them so-called long-lived items, add the following fields:
Introduced in version: The first version this item is effective in. If empty, the item is considered effective from the start of the project.
Obsolete in version: The version in which the item is no longer relevant. If empty, the item is considered effective in all versions starting with its introducing version.
For the Asset item type, add the following fields:
Introduced risks: The risks introduced by the asset.
Impacted threats: The threats impacted by the asset.
Exposed by threat surface: The threat surfaces that expose the asset.
For the Threat item type, add the following fields:
Introduced risks: The risks introduced by the threat.
For the Threat Source item type, add the following fields:
Initiated threats: The threats initiated by the source.
For the Threat Surface item type, add the following fields:
Contained in trust boundary: The trust boundary that contains the threat surface.
By default, custom item types come with no approval rules configured. To do this go to Settings > Approval rules in the project you are setting up and add the necessary rules for the item types you have created.
Not depicted in the diagram are the trust boundary and the threat source, two key concepts in threat modeling. The threat source refers to the origin of potential threats, such as external attackers, malware, or even internal actors that could exploit vulnerabilities in your system. While the diagram doesn't explicitly show the threat source, it is conceptually positioned outside or adjacent to the Threat element, indicating where these threats originate and how they begin to interact with your system.
The trust boundary is the line that separates different areas of trust within your system. It delineates the point where data or control passes from one trust level to anotherβtypically from a more trusted to a less trusted zone or vice versa. In the context of the diagram, the trust boundary would be situated around the Threat Surface. This is because the threat surface represents the areas of the system that are exposed to interactions from outside the trusted boundary, where threats can exploit vulnerabilities.
The trust boundary is crucial because it defines where the system's security controls shift or where different security assumptions apply. External threats, crossing this boundary at the threat surface, pose a risk to the assets inside the system, and this is where the vulnerabilities are most likely to be exploited. Understanding the placement of the trust boundary helps in identifying the specific points where additional security measures may be needed to protect against threats originating from less trusted sources.
Within Ketryx, vulnerabilities can be linked to threats. In Jira, all the other item types can be linked to each other.
To use threat modeling, you need to have a project set up in Ketryx Software Supply Chain Management. If you don't have a project set up, follow the instructions in .
First, you need to in Ketryx and configure it to map the custom item types to the ones created in Jira. This can be done using the called , and .
Please refer to for more information on how to configure
custom item types in Ketryx. To enable editing of such items, make sure to configure isEditableInKetryx for the
type and corresponding fields.
For more information on custom item types, refer to the reference.
When configuring the custom item types in Jira by following , make sure to add the following fields (and any other you might require) when configuring the Screens:
The image below provides a visual representation of the relationships between key elements in the threat modeling process. It starts with vulnerabilities, which are weaknesses or flaws that can originate from components listed in the Software Bill of Materials (SBOM). These vulnerabilities are a starting point for potential security threats. For more information, please see the .
Once a vulnerability is identified in an SBOM component, it can be exploited by a threat. A threat represents a potential danger that can take advantage of a vulnerability to cause harm. This threat can then impact the software, specifically targeting the threat surface, which is the area or aspect of the system where vulnerabilities can be exploited. For more information about the SBOM module, please see .
The threat surface directly exposes assetsβresources or valuable elements within the system that could be compromised. When a threat successfully exploits a vulnerability through the threat surface, it introduces a safety or cybersecurity risk. This risk represents the potential negative impact on the asset due to the exploited vulnerability. For more information on how to perform risk assessment for both safety and cybersecurity risks, please see .
To manage and mitigate these risks, risk controls, or mitigations, are implemented. Risk controls are measures or safeguards put in place to reduce the likelihood or impact of the risk. Finally, these risk controls need to be validated to ensure their effectiveness, which is done through testing. Testing verifies that the implemented risk controls work as intended, thereby securing the assets from potential threats. For more information about test management, please see .
