The Deployment tab question group was used to import risk patterns related to cloud components (AWS, Azure, GCP). The idea was to create a single component definition that could be used to import different cloud services through a questionnaire. We determined that this would be confusing in the long run and a component-oriented approach would fit better in the threat model, so we decided to remove this set of questions and add the components directly, each one with their own identity so that customers can just pick the elements for their threat models from the palette.
We have tried to keep customers who may have already used this questionnaire in mind to avoid them being affected by this change.
The update will remove the following:
- amazon-web-services-tab.drl: an internal set of rules that shows AWS specific questions
- development-tab.drl: an internal set of rules that shows the Deployment tab group based on specific conditions
- All rules in our default libraries that create questions for the Deployment tab group
How will this affect your threat models?
If your model uses a component that is showing the Deployment tab group and you have answered any of its questions you will find that:
- The Deployment tab group won't appear anymore
- This won't affect custom rules that you may have created.
- If your product has marked the option to delete non-applicable threats and countermeasures (see image) you may lose content after updating the threat model
Should you make any manual changes?
Since the Deployment tab group only appeared for a few components it's more than likely that you are not affected by this change. However, if you want to manually check your threat model and update it with the latest security content you should follow the next steps before updating to v4.0.0:
- Find and detect components:
- Components types: Internal Server, ELB - Elastic Load Balancer (AWS)
- Components that import risk patterns: GENERIC-CLIENT, DATASTORE, GENERIC-SERVICE or BROWSER
- Check if these components have the Deployment tab in the questionnaire and take note of the answers
- Replace the component with their corresponding components from each category with reference to the answers
Example: if your threat model has an Internal Server answering that it's using AWS S3 you will need to replace that component with the official "S3 - Simple Storage Service" component from the Amazon Web Services category. The below image represents the appropriate change:
In the case you do not want to modify your threat model you can use the Lock threat model feature to avoid changes, but we encourage you to replace the old components with the new ones.