Skip to main content

Automatically mark Out Of Scope threats as Not Applicable

Walter Gildersleeve
  • Updated

In this article

  • Automatically mark counter-measures as N/A when nested under an Out Of Scope component

Permissions Required

The following permissions are required to actually create the rule. Other Project permissions are needed in order to see the rule in action.

  • DROOLS_CREATION_RULE
  • EDIT_RULES

Description

Using the Out Of Scope component is a way to nest components in your project that needn't be threat modeled. For example, you might want to show your web service being accessed by an unmanaged web browser. Including the web browser is necessary for the visual representation, although it lies outside your area of responsibility.

ezgif-3-d53c374c82.gif

Unfortunately, descendants of the OOS component still have threats associated with them by default.

Screenshot_2023-03-03_at_09.55.25.png

It is certainly possible to mark these as N/A by hand. It is also possible to use the IriusRisk Drools engine to do so automatically. The rule described below will automatically mark any threat as N/A if:

  • It is a descendant of the Out Of Scope component
  • It is the the Exposed state

Instructions

  1. Navigate to the Rules section from the IriusRisk landing page
  2. Select the Drools tab
  3. Click New Rule
  4. On the right under RULES DETAILS, choose the module threatComponent
  5. Under Resource name, enter the rule name (here, _Mark OOS Threat N/A)
  6. Under Content, enter the following code:
package com.iriusrisk.drools;

import com.iriusrisk.drools.model.*;
import com.iriusrisk.drools.model.riskpattern.*;
import com.iriusrisk.model.*;
import com.iriusrisk.drools.fact.*;
import com.iriusrisk.factories.DroolsValueConverter;
import com.iriusrisk.utils.EntityWithUDTUtil;
import com.iriusrisk.drools.fact.TagFact;

rule "_Mark OOS Threat N/A"
no-loop
when
  $project : ProjectFact()
  $component : ComponentFact()
  ComponentDefinitionFact(isAParent($component.getParentReferenceIds()) && uniqueId == "out-of-scope")
  $threat: ThreatFact(componentReferenceId==$component.componentReferenceId, state== "Expose")
then
  insert(new ChangeComponentThreatStateFact($component.getComponentReferenceId(), $threat.getUniqueId(), "Not Applicable", "Component is out-of-scope, so threats are N/A"));
end

 

oos-threats-to-na.png

 

  1. Click Save

At this point, all relevant threats will be marked N/A whenever rules run, for instance when a threat model is updated.

Related articles

Comments

0 comments

Please sign in to leave a comment.

Powered by Zendesk