Commonly asked questions about ThreatModeler
Thanks for the great tool, and for allowing a community edition for the security community.

The sign up page here https://community.threatmodeler.net/auth/signup does not allow signing up with gmail or hotmail. When an email address with gmail.com or hotmail.com is entered, an error “Given email domain is in the restricted list” is displayed.

Some of our consultants who work with us on a contract basis can’t sign up with their private emails.

What are the allowed domains? Are only privately held business domains allowed for sign up?
ThreatModeler does not provide a specific definition for risk levels. It depends on the organization’s requirements and policies. Our in-house TRC defines the risk based on the description of the threat from CAPEC, OWASP, and WASC. If a risk rating is not the one you want, you can change it.
What is DEPRECATE in ThreatModeler? Does it have any impact on threat models using such threat framework entities?
DEPRECATE is used as a prefix for different threat framework entities, which means these entities won't support any future content updates provided by ThreatModeler. It does not have any impact on existing threat models using these threat framework entities.
Users can export different threat model entities as PDF, Excel (xlsx), PNG image, and JSON:

- PDF – Report of a threat model.
- xlsx – List of Threats and Security Requirements at the threat model level as well as the component level.
- JSON – Export the diagram of a threat model.
- PNG – Export the diagram of a threat model.
Templates are complete or partial threat models saved from the diagramming canvas into the template library. The saved templates can include various components, communication protocol links, component properties, and groups. Templates are not active threat models, and creating and storing templates does not consume ThreatModeler licenses. Instead, templates function as reusable building blocks from which new threat models can be made or existing threat models can be modified quickly.

Note: Importing one or multiple templates into a threat model is available only for unlimited license customers.
The Security Requirement portfolio is a list of Security Requirements applicable to the selected control section of the chosen compliance when a user selects a status from the pie chart. The list of Security Requirements changes based on the selection and the number of occurrences tied to that Security Requirement.
The best practice is to create custom content in your own library. In ThreatModeler v5.4.1, all the out-of-the-box libraries (AWS, Azure, GCP, and ThreatModeler) are accessible to all user authorizations except superuser, as the content updater tool from ThreatModeler will affect any changes users make in these four libraries.

We recommend you copy the threat framework entities that require customization to your default library. You can add or modify the threat intelligence for any threat framework entity in your library without affecting future ThreatModeler content updates.
The Automated Threat Mitigation functionality automatically changes a Threat’s status based on the status of its associated Security Requirements.

Let’s assume that Threat A has the following three Security Requirements: Security Requirement 1, Security Requirement 2, and Security Requirement 3. If the user has implemented all three Security Requirements, the status of Threat A will be changed to Mitigated automatically. If the user is implementing at least one of the Security Requirements, the associated Threats will change status to Partially Mitigated automatically.

Automated Threat Mitigation functionality is applicable to threat status in the following libraries:

- AWS
- Azure
- GCP
- ThreatModeler