First post and summary

Fraser Scott

Jan 15, 2016, 2:42:12 PM
to threatspec
Hi all,

I thought I'd write a bit of a summary of what has happened with ThreatSpec since the DevSecCon talk, and some thoughts on where it could go in future.

The talk was based on a dirty ruby script that parsed the Go code for pki.io. Structurally, the project is now split into two halves. There are language parsers that write to a language-agnostic json file, and reporting tools that process one or more json files and generate reports, DFDs, alerts etc.

* srenatus wrote a nice pure-Go parser which I have since adapted to write json files, and there are a couple of simple reporting tools written in Go (https://github.com/threatspec/threatspec-go)
* A specification for the json has been created using json-schema, although there isn't yet an authoritative version.
* The format for code annotations has changed to a jsdoc tag-like format.
* I've written a javascript parser that will be used in an online interactive demo on the website (http://threatspec.org/website-dev and https://github.com/threatspec/threatspec-js)
* Chris has been working on a python parser and has helped with the json structure (https://github.com/chris-wood/pythreatspec)
* I've recently been working on a @describe tag and supporting multiline (currently javascript, will port changes to Go)

Going forward, I think the following things will need to be worked on:

* Standardize and version the json and annotation specifications and give them a proper home (files in a specification repo on github?)
* Document the project and repos
* Finish the website and clean up the javascript parser
* Add parsers for more languages (Ruby, Java, C++ etc)
* Parsers should ideally use a call graph functionality to allow creation of DFDs (not so straightforward in JS it seems)
* Write some decent reporting/alerting tools (HTML, PDF, DFDs, Jenkins etc)
* And of course, actually use it in the real world. Trying to use it for real-world threat modelling will be the true test of whether the concept works.

So yeah, writing this post to hopefully get a discussion going. Feel free to reply with whatever comes to mind :)

Cheers,
Fraser
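To make the two-halves architecture described above concrete, here is a small added example (not code from the post or from any of the ThreatSpec repos): a parser half that pulls jsdoc-like `@tag` comments, including indented continuation lines, out of a constructed Go-style source snippet and writes them as a language-agnostic JSON document, and a reporting half that merges one or more such documents into a per-component view. Only the `@describe` tag and multiline support are mentioned in the post; the `@exposes` and `@mitigates` tags, the "X to Y with Z" / "X against Y with Z" phrasing, the `GRAMMAR` table and the `version` field are assumptions made for this illustration and not the project's specification.

```python
"""Toy ThreatSpec-style pipeline: annotation parser -> JSON -> report (illustrative only)."""
import json
import re

# Constructed sample input: Go source carrying jsdoc-like tags in line comments.
# The @exposes / @mitigates tags and their phrasing are assumptions for this example;
# the final @todo line shows how a comment that is not a recognised tag is handled.
SAMPLE_SOURCE = """\
package main

// @describe WebServer:Login as the HTTP login handler that
//   authenticates users against the credential store
// @exposes WebServer:Login to brute-force login with no rate limiting
// @mitigates WebServer:Login against credential stuffing with
//   account lockout after 5 failures
func login(w http.ResponseWriter, r *http.Request) {}

// @mitigates WebServer:Login against SQL injection with parameterized queries
// @todo tighten this query
func lookupUser(name string) {}
"""

TAG_RE = re.compile(r"^\s*//\s*@(\w+)\s+(.*)$")       # "// @tag free text"
CONT_RE = re.compile(r"^\s*//\s{2,}(\S.*)$")          # indented line continues the tag above

# Assumed grammar per tag: how the free text splits into structured fields.
GRAMMAR = {
    "describe": re.compile(r"^(?P<component>\S+) as (?P<detail>.+)$"),
    "exposes": re.compile(r"^(?P<component>\S+) to (?P<threat>.+?) with (?P<detail>.+)$"),
    "mitigates": re.compile(r"^(?P<component>\S+) against (?P<threat>.+?) with (?P<detail>.+)$"),
}


def parse_annotations(source, filename="sample.go"):
    """Language half: collect @tag comments (joining continuation lines) into records."""
    records, current = [], None
    for lineno, line in enumerate(source.splitlines(), start=1):
        tag = TAG_RE.match(line)
        if tag:
            current = {"tag": tag.group(1), "text": tag.group(2).strip(),
                       "file": filename, "line": lineno}
            records.append(current)
            continue
        cont = CONT_RE.match(line)
        if cont and current is not None:
            current["text"] += " " + cont.group(1).strip()
            continue
        current = None  # any other line terminates the current annotation
    for rec in records:
        rule = GRAMMAR.get(rec["tag"])
        match = rule.match(rec["text"]) if rule else None
        if match is None:
            rec["error"] = "unrecognised tag or phrasing"  # keep it, so the report can flag it
        else:
            rec.update(match.groupdict())
    return records


def to_json(records):
    """Serialise one parser run as the language-agnostic intermediate document."""
    return json.dumps({"version": "example-0", "annotations": records}, indent=2)


def build_report(*json_docs):
    """Reporting half: merge one or more JSON documents into a per-component summary."""
    report = {}
    for doc in json_docs:
        for rec in json.loads(doc)["annotations"]:
            if "error" in rec:
                continue  # a real tool would surface these; here they are simply skipped
            comp = report.setdefault(rec["component"],
                                     {"description": None, "exposures": [], "mitigations": []})
            if rec["tag"] == "describe":
                comp["description"] = rec["detail"]
            elif rec["tag"] == "exposes":
                comp["exposures"].append({"threat": rec["threat"], "detail": rec["detail"]})
            elif rec["tag"] == "mitigates":
                comp["mitigations"].append({"threat": rec["threat"], "detail": rec["detail"]})
    return report


if __name__ == "__main__":
    document = to_json(parse_annotations(SAMPLE_SOURCE))
    print(document)
    print(json.dumps(build_report(document), indent=2))
```

Because the reporting half only ever reads the JSON, a parser for another language (Ruby, Java, C++) just has to emit the same record shape; `build_report` accepts several documents precisely so that parsers for different languages can feed one report.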