Asset definitions is an XML file where assets are defined. Only assets that are defined in this file can be used in the application. The user can add new asset definitions, modify or delete existing by modifying asset definitions file. Asset definitions file has to be in accordance with its XML Schema after any modification. Otherwise, the system won't be functioning properly.

Asset from asset definitions file is mapped to diagram element using its id.

Below is an example of a single asset definition:

<assetDefinition assetId="as_adminpassword" 
    assetTitle="Administrator Password"
    protectConfidentiality="true"
    protectIntegrity="true"
    protectAvailability="false"
    impactConfidentiality="5" 
    impactIntegrity="5"  />

When the asset is defined following properties have to be specified:

1. assetId - Id of the asset. It will be used to map this asset to diagram element
2. assetTitle - Name of the asset that will be shown to user
3. protectConfidentiality - A boolean value which tells if we want to protect this assets confidentiality. If it is not specified default value is false
4. protectIntegrity - A boolean value which tells if we want to protect this assets integrity. If it is not specified default value is false
5. protectAvailability - A boolean value which tells if we want to protect this assets availability. If it is not specified default value is false
6. impactConfidentiality - An integer value which tells what is an impact of losing the confidentiality of this asset, where 1 is the lowest and 5 is the highest impact. If we are not protecting this asset's confidentiality, this attribute wouldn't be considered
7. impactIntegrity - An integer value which tells what is an impact of losing the integrity of this asset, where 1 is the lowest and 5 is the highest impact. If we are not protecting this asset's integrity, this attribute wouldn't be considered
8. impactAvailability - An integer value which tells what is an impact of losing the availability of this asset, where 1 is the lowest and 5 is the highest impact. If we are not protecting this asset's availability, this attribute wouldn't be considered

Go back to wiki home.

Exploit definitions is an XML file where exploits are defined. Only exploits that are defined in this file can be used in the application. The user can add new exploits definitions, modify or delete existing by modifying exploits definitions file. Exploit definitions file has to be in accordance with its XML Schema after any modification. Otherwise, the system won't be functioning properly.

Exploit from the exploit definitions file is mapped to the exploit occurrence in rule definitions files using its id.

Below is an example of a single exploit definition:

<exploitDefinition
    exploitId="ed_injectionsql" 
    exploitTitle="SQL Injection">
    <description>
        A SQL injection attack consists of insertion or "injection" of (...) easily prevented by simple measures.            
    </description>
    <countermeasures>            
        Parameterized statements:
        With most development platforms, parameterized statements (...) that exploit any bugs in the web application.
    </countermeasures>
</exploitDefinition>

The structure of the exploit definition is following:

1. exploitId - Id of the exploit. It will be used to map this exploit to the exploit occurrence in rule definitions files
2. exploitTitle - Name of the exploit that will be shown to user
3. description - Text with links that describes an exploit
4. countermeasures - Text with links that recommends how to fix vulnerabilities that are causing this exploit

Go back to wiki home.

This tool is implemented as a batch file that creates object model from given XML schema which is compiled and packed into java library file (.jre). Library file contains definitions of elements defined in XML schema. Library is used by the EDS application to import and decompose input diagram.

Conversion of XML schema to object model is implemented using XJC tool. Java classes are compiled using JAVAC and packed into the library using JAR tool.

Tool's batch file should be run from Windows Command Prompt, with one parameter that represents XML schema location.

Go back to wiki home.

.tm7 to Input DFD Conversion Tool is a Java application which can convert DFDs created with Microsoft Threat Modelling Tool to DFDs suitable for this system.

Conversion Tool goes through .tm7 file looking for DFD elements definition. When an element is found, the tool creates a corresponding input DFD element and rewrites its attributes into corresponding attributes of a new element. When rewriting flow elements, tool finds elements that are connected by the flow on the original diagram and sets the duplicate flow to connect their matching elements. After the process is done, tool creates XML file with new DFD.

This tool should be run from Windows Command Prompt with a .tm7 file location given as a parameter.

Go back to wiki home.