We released a new library focused on dataflow behavior. This library contains the rules of the Dataflow module, which perform actions based on the conditions currently present in the threat model. With this dataflow library customers will be able to do, among others, the following:
- Import new risks and countermeasures based on the protocol or file format the customer indicated in the threat model. To do so, customers must add a specific tag to the dataflow element.
  - Available tags: http, https, 2fa, mfa, json, xml, jwt, tls, ssl.
  - Example:
- Import new risks and countermeasures based on sensitive data (cardholder data or personally identifiable information) indicated in the dataflow assets.
  - Available assets: assets that belong to the Cardholder Data or Personally Identifiable Information security classifications.
  - New content will be included in the component at origin.
  - Example:
- Mark countermeasures automatically as implemented in the component at origin if the dataflow uses HTTPS or TLS.
  - The dataflow must include the tag https or tls.
- Alert to use TLS instead of SSL if an “ssl” tag is detected in a dataflow.
- Alert if sensitive data (cardholder data/PII) is being moved to an Internet or Public trust zone, which could indicate data leakage.
- Set the “Sent to/Received from” asset answers in the component questionnaires automatically.
Example of usage
We have created a simple project to show how the dataflow library works. The project has the following architecture:
This example uses HTTPS to communicate between the client (an Android app) and the server (an API), and cardholder data is being exchanged between these components.
In the Dataflow library there are rules whose actions depend on the protocol used or on the type of data exchanged. Some rules use tags to perform actions, such as the one shown below, which uses the tag “https” to import a new risk pattern into the component at origin:
To add tags or data types to a dataflow, click on the line of the data stream, right-click it and then click on “Edit data flow”:
There you will see a section to add tags (as said before, this example uses “https”, but other protocols are allowed) and another one to add assets (in the example, credit card data):
Considering the project and these rules, IriusRisk will perform all applicable actions. In the following image you can see the imported risk pattern, and also that the countermeasure “Encrypt data between client and server” is marked as implemented, which is the action of another rule:
It is the same behavior as the rest of the libraries, but here the dataflow and the data carried in these flows are taken into account.
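To make the rule behaviour concrete, the following is an added Python model of the six dataflow rules listed at the top of this article, applied to the Android app to API flow of the example. It is not IriusRisk's own code or its rule API; the action tuple names, the "sensitive-data" pattern name, the trust zone names and the dataclass fields are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Tags and classifications named in the article (hypothetical model, not IriusRisk's API)
PROTOCOL_TAGS = {"http", "https", "2fa", "mfa", "json", "xml", "jwt", "tls", "ssl"}
SENSITIVE_CLASSES = {"Cardholder Data", "Personally Identifiable Information"}
EXPOSED_TRUSTZONES = {"Internet", "Public"}

@dataclass
class Asset:
    name: str
    classification: str

@dataclass
class Dataflow:
    origin: str                 # component at origin (receives the imported content)
    destination: str
    destination_trustzone: str  # trust zone of the destination component (assumed field)
    tags: set
    assets: list

def evaluate(flow):
    """Return the (action, target, detail) tuples the dataflow rules would fire."""
    tags = {t.lower() for t in flow.tags}
    actions = []
    # Rule 1: each recognised protocol/format tag imports a risk pattern at origin
    for tag in sorted(tags & PROTOCOL_TAGS):
        actions.append(("import_risk_pattern", flow.origin, tag))
    # Rule 2: sensitive assets (CHD/PII) import their own risk pattern at origin
    sensitive = [a.name for a in flow.assets if a.classification in SENSITIVE_CLASSES]
    if sensitive:
        actions.append(("import_risk_pattern", flow.origin, "sensitive-data"))
    # Rule 3: https or tls marks the transport countermeasure as implemented
    if tags & {"https", "tls"}:
        actions.append(("mark_implemented", flow.origin, "Encrypt data between client and server"))
    # Rule 4: an ssl tag raises an alert recommending TLS instead
    if "ssl" in tags:
        actions.append(("alert", flow.origin, "Use TLS instead of SSL"))
    # Rule 5: sensitive data leaving for an Internet/Public zone may indicate leakage
    if sensitive and flow.destination_trustzone in EXPOSED_TRUSTZONES:
        actions.append(("alert", flow.origin, f"Sensitive data sent to {flow.destination_trustzone} trust zone"))
    # Rule 6: fill the "Sent to/Received from" asset answers in both questionnaires
    for name in (a.name for a in flow.assets):
        actions.append(("set_answer", flow.origin, f"Sent to {flow.destination}: {name}"))
        actions.append(("set_answer", flow.destination, f"Received from {flow.origin}: {name}"))
    return actions

if __name__ == "__main__":
    # Constructed sample: the article's Android app -> API flow over https carrying card data
    flow = Dataflow("Android app", "API", "Private", {"https"}, [Asset("Credit card data", "Cardholder Data")])
    for action in evaluate(flow):
        print(action)
```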
Custom content
This set of rules will only work for the specific set of tags and assets defined in the dataflow library. For any other extra behavior, users will have to create their own rules.