Risk Patterns in the default libraries contain countermeasures that are typically in the "Recommended" state. When threat models are generated, they import the content from these risk patterns verbatim, including their state. In order to automatically generate a set of requirements, one of three techniques can be used to change these countermeasures from their default Recommended state to the Required state:
- Set the countermeasure state statically to "Required" in the libraries. During the threat model generation process, the countermeasures will be imported from the library in the Required state. This can only be done in custom libraries, not the default libraries supplied by Continuum Security (since the state will be overridden in subsequent content updates).
- Apply a security standard at runtime after a threat model has been generated. This requires that a security standard be linked to the countermeasures in the libraries.
- Create rules that set the countermeasure state to "Required" if specific conditions are met.
Create rules to define requirements
This technique is the most flexible as it allows you to define any number of conditions in order to set the countermeasure state as Required. The following hypothetical example illustrates how to use this feature:
Assume that we would like to apply TLS encryption to connections on the Internet only, but that connections on other trust zones can be unencrypted. The countermeasure for applying encryption is defined in the following risk pattern in the CS-Default library:
In order to change it to the Required state if the trust zone is the Internet, we'd create the following rule in the component module:
- Question is answered: "Which trust zone does the component belong to: Internet"
- Apply Control: Library: CS-Default, Countermeasure: Encrypt the data transport to the service
When the user generates the threat model and chooses a trust zone that is not the Internet (e.g. a private secured trust zone), then the countermeasure is created in the Recommended state:
And if the user changes the trust zone to Internet, then the countermeasure state will change to Required:
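The behaviour described above, modelled as an added example that is not the product's own code or API: a library countermeasure is imported verbatim in its default Recommended state, and a "Question is answered" rule re-evaluated against the component's answers sets it to Required only while the trust zone is Internet. The `Countermeasure`, `Rule` and `Component` classes and the `LIBRARY` stand-in are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
RECOMMENDED, REQUIRED = "Recommended", "Required"
TRUST_ZONE_QUESTION = "Which trust zone does the component belong to"

@dataclass
class Countermeasure:
    library: str
    name: str
    state: str = RECOMMENDED  # default state in the shipped libraries

@dataclass
class Rule:  # "Question is answered" condition -> "Apply Control" action
    question: str
    answer: str
    library: str
    countermeasure: str

@dataclass
class Component:
    answers: dict  # questionnaire answers, e.g. the trust zone
    countermeasures: list = field(default_factory=list)

# Constructed stand-in for the risk pattern in the CS-Default library, not the real content.
LIBRARY = [Countermeasure("CS-Default", "Encrypt the data transport to the service")]

# The rule from the page: trust zone Internet -> encryption countermeasure becomes Required.
RULES = [Rule(TRUST_ZONE_QUESTION, "Internet", "CS-Default",
              "Encrypt the data transport to the service")]

def generate_threat_model(answers):
    """Import the library countermeasures verbatim, including their default state."""
    component = Component(answers=dict(answers))
    component.countermeasures = [Countermeasure(c.library, c.name, c.state) for c in LIBRARY]
    return component

def apply_rules(component, rules=RULES):
    """Re-evaluate the rules against the current answers; return {countermeasure: state}.
    States are reset to the library defaults first, so moving the component back out
    of the Internet zone returns the countermeasure to Recommended."""
    defaults = {(c.library, c.name): c.state for c in LIBRARY}
    for cm in component.countermeasures:
        cm.state = defaults[(cm.library, cm.name)]
    for rule in rules:
        if component.answers.get(rule.question) != rule.answer:
            continue  # condition not met: state stays as imported
        for cm in component.countermeasures:
            if (cm.library, cm.name) == (rule.library, rule.countermeasure):
                cm.state = REQUIRED
    return {cm.name: cm.state for cm in component.countermeasures}
```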