### Local Development Setup for TaskFlow Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/TEST/simple-app/docs/README.md Run these commands in your terminal to install dependencies and start the development server for the TaskFlow application. ```bash npm install npm run dev ``` -------------------------------- ### Install MCP Server Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/docs/HYBRID-MCP-ARCHITECTURE.md Use this command to install the MCP server globally. Ensure Node.js and npm are installed. ```bash npm install -g @threatmodel/mcp-server ``` -------------------------------- ### Verify Threat Modeling Toolkit Installation Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/README.md Verify that the Threat Modeling Toolkit has been successfully installed by running the `tm-status` command. ```bash /tm-status ``` -------------------------------- ### Install Threat Modeling Toolkit Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/posts/LINKEDIN-POST.md Commands to install the threat modeling toolkit from the Claude Code plugin marketplace. ```bash /plugin marketplace add josemlopez/threat-modeling-toolkit ``` ```bash /plugin install threat-modeling-toolkit@josemlopez ``` -------------------------------- ### Example: Drift Detection After Fixing BOLA Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/TEST/results/tm-drift-result.md This example demonstrates the steps to fix BOLA vulnerabilities in the code and then run drift detection to observe the changes. It includes the expected output format. ```bash # Fix the code # Edit src/routes/tasks.js to add user_id checks # Run drift detection /tm-drift # Expected output: # Controls: # + control-010: missing → implemented # Gaps: # - GAP-001: closed # - GAP-002: closed # Risk Impact: REDUCED (2 critical gaps resolved) ``` -------------------------------- ### Run Full Threat Model with Compliance Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/posts/LINKEDIN-POST.md Example of running the full threat modeling process, specifying the documentation path and desired compliance frameworks. ```bash /tm-full --docs ./docs --compliance owasp,soc2 ``` -------------------------------- ### Example assets.json Output Source: https://context7.com/josemlopez/threat-modeling-toolkit/llms.txt Illustrates the structure of the assets.json file generated during threat model initialization, detailing discovered assets. ```json { "version": "1.0", "generated": "2025-01-20T10:00:00Z", "assets": [ { "id": "asset-001", "name": "User Database", "type": "data-store", "classification": "restricted", "description": "PostgreSQL database storing user data", "owner": "platform-team", "data_types": ["pii", "credentials"], "code_references": ["src/db/connection.ts"] }, { "id": "asset-002", "name": "Express API", "type": "service", "classification": "internal", "description": "Backend REST API service", "owner": "backend-team", "data_types": ["user_data", "tasks"], "dependencies": ["asset-001", "asset-004"] } ] } ``` -------------------------------- ### Example Test Output Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/TEST/results/tm-tests-result.md This is an example of the expected output when running the security tests, indicating which tests passed and failed. ```text PASS .threatmodel/tests/auth-security.test.js PASS .threatmodel/tests/input-validation.test.js FAIL .threatmodel/tests/authz-security.test.js ● Authorization Security › Object-Level Authorization - Update › TEST-012: [EXPECTED FAIL] Should block user from updating others task Test Suites: 1 failed, 2 passed, 3 total Tests: 6 failed (expected), 23 passed, 29 total ``` -------------------------------- ### Example threats.json Output Source: https://context7.com/josemlopez/threat-modeling-toolkit/llms.txt Shows an example of the threats.json output, detailing identified threats, their categories, risk scores, and recommended countermeasures. ```json { "version": "1.0", "framework": "STRIDE", "threats": [ { "id": "threat-001", "title": "Credential Stuffing Attack", "category": "spoofing", "description": "Attacker uses leaked credentials to gain unauthorized access", "target": { "asset_id": "asset-002", "attack_surface_id": "as-001", "entry_point": "POST /api/auth/login" }, "threat_actor": "external-attacker", "prerequisites": ["Leaked credential database", "Knowledge of login endpoint"], "impact": { "confidentiality": "high", "integrity": "medium", "availability": "low" }, "likelihood": 4, "impact_score": 4, "risk_score": 16, "risk_level": "critical", "mitre_attack": ["T1110.004"], "cwe": ["CWE-307", "CWE-521"], "countermeasures": ["Implement MFA", "Enhanced rate limiting", "Account lockout"] }, { "id": "threat-003", "title": "Broken Object-Level Authorization (BOLA)", "category": "elevation-of-privilege", "description": "Authenticated user can access or modify other users' resources", "target": { "asset_id": "asset-002", "entry_point": "PUT /api/tasks/:id" }, "risk_score": 16, "risk_level": "critical", "cwe": ["CWE-639", "CWE-284"], "countermeasures": ["Add ownership check before update", "Use UUIDs instead of sequential IDs"] } ] } ``` -------------------------------- ### Example: Password Hashing Control Evidence Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/README.md Example evidence found during control verification, showing the implementation of password hashing using bcrypt in `src/routes/auth.js`. ```text Password Hashing | ✓ | src/routes/auth.js:20 - bcrypt cost 10 ``` -------------------------------- ### Install Threat Modeling Toolkit Plugin Source: https://context7.com/josemlopez/threat-modeling-toolkit/llms.txt Commands to add, install, and verify the Threat Modeling Toolkit plugin from the Claude Code marketplace. ```bash # Add plugin from marketplace /plugin marketplace add josemlopez/threat-modeling-toolkit # Install the plugin /plugin install threat-modeling-toolkit@josemlopez # Verify installation /tm-status ``` -------------------------------- ### Example: Rate Limiting Control Evidence Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/README.md Example evidence found during control verification, showing rate limiting for login implemented in `src/middleware/rateLimiter.js`. ```text Rate Limiting (login) | ✓ | src/middleware/rateLimiter.js:4-10 ``` -------------------------------- ### Example: MFA Control Evidence Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/README.md Example evidence found during control verification, showing that MFA is not found in the codebase. ```text MFA | ✗ | Not found ``` -------------------------------- ### Initialize Threat Model Command Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/skills/tm-init/SKILL.md Use this command to start a new threat model. Specify documentation paths and scope for analysis. Supports STRIDE and PASTA frameworks. ```bash /tm-init [--docs ] [--scope ] [--framework stride|pasta] ``` -------------------------------- ### Threat Model Initialization Output Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/posts/LINKEDIN-POST.md Example output after initializing a threat model, showing discovered assets, data flows, trust boundaries, and attack surface entries. ```text Threat Model Initialized ======================== Project: TaskFlow Framework: STRIDE Discovered: - 5 assets (1 client, 1 service, 1 data-store, 1 identity, 1 integration) - 8 data flows (8 cross trust boundaries) - 4 trust boundaries - 8 attack surface entries ``` -------------------------------- ### Example: JWT Authentication Control Evidence Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/README.md Example evidence found during control verification, indicating that JWT authentication is implemented in `src/middleware/auth.js`. ```text JWT Authentication | ✓ | src/middleware/auth.js:16 ``` -------------------------------- ### Example: BOLA Protection Control Evidence Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/README.md Example evidence found during control verification, indicating that BOLA protection is missing in `src/routes/tasks.js`. ```text BOLA Protection | ✗ | Missing in src/routes/tasks.js:44 ``` -------------------------------- ### Example of User Enumeration via Registration Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/TEST/results/tm-verify-result.md This code snippet from the registration route reveals user-specific error messages, allowing for user enumeration. ```javascript 'Email already exists' ``` -------------------------------- ### Initialize Threat Model Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/posts/LINKEDIN-POST.md Use this command to extract assets, data flows, and trust boundaries from your project's documentation. It serves as the starting point for the threat modeling process. ```bash /tm-init ``` -------------------------------- ### Compliance Mapping Output Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/posts/LINKEDIN-POST.md Example output showing the mapping of identified gaps to the OWASP Top 10 2021 framework, including compliance status and percentage. ```text Compliance Mapping Complete =========================== OWASP Top 10 2021: A01 Broken Access Control: ██░░░░░░░░ 15% (2 gaps) NON-COMPLIANT A02 Cryptographic Failures: █████████░ 90% COMPLIANT A03 Injection: ███████░░░ 70% (1 gap) PARTIAL A07 Authentication Failures: █████░░░░░ 45% (3 gaps) PARTIAL ───────────────────────────────────────────────────── Overall: 52% ``` -------------------------------- ### Example Executive Summary Report Source: https://context7.com/josemlopez/threat-modeling-toolkit/llms.txt An example of an executive summary markdown report, providing a high-level overview of security risks, key findings, and compliance status. ```markdown # Security Risk Report - Executive Summary **Project**: TaskFlow **Date**: 2025-01-20 **Classification**: Confidential ## Overview This assessment identified **15** security risks across **5** system components. **4** risks are rated as **critical** and require immediate attention. ## Key Findings | Finding | Risk Level | Business Impact | |---------|------------|-----------------| | Credential Stuffing Attack | Critical | Account takeover, data breach | | BOLA - Task Update | Critical | Unauthorized data modification | | BOLA - Task Delete | Critical | Data loss, integrity compromise | | Missing MFA | Critical | Single-factor authentication bypass | ## Compliance Status - OWASP Top 10: 52% - SOC2: 48% ``` -------------------------------- ### Example Controls JSON Output Source: https://context7.com/josemlopez/threat-modeling-toolkit/llms.txt This JSON structure represents the output for verified controls, detailing their implementation, verification status, and effectiveness. ```json { "version": "1.0", "controls": [ { "id": "control-001", "name": "Rate Limiting on Auth Endpoints", "type": "preventive", "category": "authentication", "threats_mitigated": ["threat-001", "threat-007"], "implementation": { "status": "implemented", "method": "express-rate-limit middleware", "configuration": { "windowMs": 60000, "max": 5 } }, "verification": { "status": "verified", "evidence": [ { "type": "code", "location": "src/middleware/rateLimiter.js:4-10", "verified_at": "2025-01-20T10:00:00Z" } ] }, "effectiveness": 0.7 }, { "id": "control-002", "name": "Password Hashing with bcrypt", "type": "preventive", "category": "authentication", "implementation": { "status": "implemented" }, "verification": { "status": "verified", "evidence": [ { "type": "code", "location": "src/routes/auth.js:20", "verified_at": "2025-01-20T10:00:00Z" } ] } } ] } ``` -------------------------------- ### Markdown Security Test Case Example Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/skills/tm-tests/SKILL.md Example of a security test case documented in Markdown format. Includes threat, control, test scenario, steps, expected results, and pass criteria. ```markdown # Security Test Cases ## Authentication Tests ### TEST-001: Credential Stuffing Prevention **Threat**: THREAT-001 - Credential Stuffing Attack **Control**: CONTROL-001 - Rate Limiting #### Test Scenario 1. Attempt 6 failed logins from same IP within 1 minute 2. Expected: 6th request should be blocked (429 Too Many Requests) #### Steps 1. POST /api/auth/login with invalid credentials 2. Repeat 5 more times 3. Verify 6th request returns 429 #### Expected Results - First 5 requests: 401 Unauthorized - 6th request: 429 Too Many Requests - Response includes retry-after header #### Pass Criteria - Rate limit enforced at configured threshold - Appropriate error response returned - Event logged for security monitoring ``` -------------------------------- ### Kubernetes Service Deployment Example Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/TEST/complex-system/docs/infrastructure.md Defines a Kubernetes Deployment for a microservice, specifying replica count, container image, environment variables, resource limits, probes, and security contexts. ```yaml apiVersion: apps/v1 kind: Deployment metadata: name: auth-service namespace: financehub spec: replicas: 3 selector: matchLabels: app: auth-service template: spec: serviceAccountName: auth-service containers: - name: auth-service image: financehub/auth-service:v1.2.3 ports: - containerPort: 3001 env: - name: DATABASE_URL valueFrom: secretKeyRef: name: auth-service-secrets key: database-url resources: limits: memory: "512Mi" cpu: "500m" requests: memory: "256Mi" cpu: "250m" securityContext: runAsNonRoot: true readOnlyRootFilesystem: true allowPrivilegeEscalation: false livenessProbe: httpGet: path: /health port: 3001 initialDelaySeconds: 10 periodSeconds: 10 readinessProbe: httpGet: path: /ready port: 3001 initialDelaySeconds: 5 periodSeconds: 5 ``` -------------------------------- ### Security Gap Detail Example (Box Drawing Characters) Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/skills/tm-verify/SKILL.md An example of a detailed security gap report, using box-drawing characters for visual structure, outlining expected vs. actual implementation, evidence, and remediation steps. ```plaintext ┌─────────────────────────────────────────────────────────┐ │ EXPECTED: MFA required for all admin accounts │ │ ACTUAL: MFA optional, no enforcement check found │ │ │ │ EVIDENCE: │ │ Searched: mfa, totp, 2fa, two-factor │ │ Found: No matches in auth middleware │ │ │ │ REMEDIATION: │ │ Add MFA verification in admin route middleware │ │ Effort: Medium | Priority: High │ └─────────────────────────────────────────────────────────┘ ``` -------------------------------- ### Example Jest Security Test File Source: https://context7.com/josemlopez/threat-modeling-toolkit/llms.txt This is an example of a generated Jest test file for authentication security. It includes tests for credential stuffing prevention and authorization security, demonstrating how to simulate failed login attempts and check for rate limiting. ```javascript /** * Authentication Security Tests * Generated from threat model * * Tests for: THREAT-001, THREAT-007, THREAT-011 */ const request = require('supertest'); const app = require('../src/app'); describe('Authentication Security', () => { // THREAT-001: Credential Stuffing Attack // CONTROL-003: Rate Limiting on Login describe('Credential Stuffing Prevention', () => { it('TEST-001: Should block after 5 failed login attempts', async () => { const loginAttempt = () => request(app) .post('/api/auth/login') .send({ email: 'test@example.com', password: 'wrongpassword' }); // Make 5 failed attempts (allowed) for (let i = 0; i < 5; i++) { const response = await loginAttempt(); expect(response.status).toBe(401); } // 6th attempt should be rate limited const blocked = await loginAttempt(); expect(blocked.status).toBe(429); expect(blocked.body.error).toContain('Too many'); }); it('TEST-002: Should return consistent error for valid/invalid emails', async () => { // Prevents user enumeration via login const existingUser = await request(app) .post('/api/auth/login') .send({ email: 'existing@example.com', password: 'wrong' }); const nonExistentUser = await request(app) .post('/api/auth/login') .send({ email: 'nonexistent@example.com', password: 'wrong' }); expect(existingUser.body.error).toBe(nonExistentUser.body.error); }); }); // GAP-001: Missing BOLA Protection describe('Authorization Security', () => { it('TEST-012: [EXPECTED FAIL] Should block user from updating others task', async () => { // Documents GAP-001 - will pass after fix const response = await request(app) .put('/api/tasks/123') .set('Authorization', `Bearer ${userBToken}`) .send({ title: 'Hacked by User B' }); expect(response.status).toBe(403); // Currently fails - no ownership check }); }); }); ``` -------------------------------- ### Example Compliance JSON Output Source: https://context7.com/josemlopez/threat-modeling-toolkit/llms.txt This JSON output details compliance status against various frameworks, including overall compliance percentages, specific requirement mappings, and identified gaps. ```json { "version": "1.0", "frameworks": [ { "name": "OWASP Top 10 2021", "version": "2021", "overall_compliance": 52, "mappings": [ { "requirement_id": "A01:2021", "requirement_name": "Broken Access Control", "status": "non-compliant", "coverage": 15, "gaps": ["gap-001", "gap-002"], "related_threats": ["threat-003", "threat-004"], "related_controls": ["control-005"], "evidence": ["Missing object-level authorization"] }, { "requirement_id": "A02:2021", "requirement_name": "Cryptographic Failures", "status": "compliant", "coverage": 90, "evidence": ["bcrypt password hashing at src/routes/auth.js:20"] }, { "requirement_id": "A07:2021", "requirement_name": "Identification and Authentication Failures", "status": "partial", "coverage": 45, "gaps": ["gap-003", "gap-004", "gap-005"], "evidence": ["Rate limiting exists but MFA missing"] } ] }, { "name": "SOC2 Trust Services", "overall_compliance": 48, "mappings": [ { "requirement_id": "CC6.1", "requirement_name": "Logical Access Controls", "status": "partial", "coverage": 40 } ] } ] } ``` -------------------------------- ### Review Package Lock File Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/TEST/results/tm-compliance-result.md Examine the package-lock.json file to understand the exact versions of all dependencies installed. This is crucial for identifying known vulnerabilities. ```bash # Review package-lock.json for known vulnerabilities ``` -------------------------------- ### Example Gaps JSON Output Source: https://context7.com/josemlopez/threat-modeling-toolkit/llms.txt This JSON structure outlines identified security gaps, including their description, expected vs. actual states, and remediation recommendations. ```json { "version": "1.0", "gaps": [ { "id": "gap-001", "control_id": "control-005", "title": "BOLA Protection Missing", "description": "No ownership check on task update endpoint", "expected": "Verify user owns resource before modification", "actual": "No authorization check found", "severity": "critical", "evidence": { "code_search": "No ownership check in src/routes/tasks.js:44" }, "remediation": { "recommendation": "Add ownership verification middleware", "effort": "low", "priority": "critical" }, "related_threats": ["threat-003", "threat-004"] } ] } ``` -------------------------------- ### Example of Expected Object-Level Authorization (Task Update) Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/TEST/results/tm-verify-result.md This SQL snippet shows the expected query with a user ID filter, demonstrating proper object-level authorization for task updates. ```sql WHERE id = $5 AND user_id = $6 ``` -------------------------------- ### Sample Generated Security Test (Jest) Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/README.md An example of a security test case generated by the `/tm-tests` command, demonstrating how to test for authorization failures. ```javascript it('TEST-012: [EXPECTED FAIL] Should block user from updating others task', async () => { // Documents GAP-001 - will pass after fix const response = await request(app) .put(`/api/tasks/${userATaskId}`) .set('Authorization', `Bearer ${userBToken}`) .send({ title: 'Hacked by User B' }); expect(response.status).toBe(403); }); ``` -------------------------------- ### Example of Expected Object-Level Authorization (Task Delete) Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/TEST/results/tm-verify-result.md This SQL snippet shows the expected query with a user ID filter, demonstrating proper object-level authorization for task deletion. ```sql WHERE id = $1 AND user_id = $2 ``` -------------------------------- ### Example assets.json Structure Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/skills/tm-init/SKILL.md This JSON structure represents the discovered assets in the threat model. It includes details like asset ID, name, type, classification, description, owner, data types, and code references. ```json { "version": "1.0", "generated": "ISO-8601 timestamp", "assets": [ { "id": "asset-001", "name": "User Database", "type": "data-store", "classification": "restricted", "description": "PostgreSQL database storing user data", "owner": "platform-team", "data_types": ["pii", "credentials"], "code_references": ["src/db/connection.ts"] } ] } ``` -------------------------------- ### Example of Expected Rate Limiting Middleware Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/TEST/results/tm-verify-result.md This code snippet shows a route definition including the rate limiting middleware, demonstrating proper protection against brute-force attacks on password reset. ```javascript router.post('/forgot-password', loginLimiter, async...) ``` -------------------------------- ### Initialize Threat Model for Simple App Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/TEST/README.md Initialize the threat modeling process for the 'simple-app' project, generating documentation. ```bash cd simple-app && /tm-init --docs ./docs ``` -------------------------------- ### Initialize Threat Modeling with Documentation Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/TEST/complex-system/README.md Initializes the threat modeling process for a complex system, specifying the directory containing detailed documentation. ```bash /tm-init --docs ./docs ``` -------------------------------- ### Run Full Threat Model on Simple App Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/TEST/README.md Execute the full threat modeling process on the 'simple-app' project, generating documentation from its source. ```bash cd simple-app /tm-full --docs ./docs ``` -------------------------------- ### Run Full Threat Modeling Process Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/TEST/simple-app/README.md Executes all threat modeling steps, including initialization, analysis, and verification. Use the --docs flag to specify the documentation directory. ```bash /tm-full --docs ./docs ``` -------------------------------- ### Initialize Threat Model Source: https://context7.com/josemlopez/threat-modeling-toolkit/llms.txt Initializes a threat model by analyzing architecture, discovering assets, and mapping data flows. Use --docs to specify the documentation path and --scope/--framework for customization. ```bash # Basic initialization with default docs path /tm-init --docs ./docs # With custom scope and framework /tm-init --docs ./architecture --scope "api-*" --framework stride ``` -------------------------------- ### Initialize Threat Model for Complex System Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/TEST/README.md Initialize the threat modeling process for the 'complex-system' project, generating documentation. ```bash cd complex-system && /tm-init --docs ./docs ``` -------------------------------- ### Run tm-compliance Command Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/skills/tm-compliance/SKILL.md Use this command to initiate the compliance mapping process. Specify frameworks and policies as needed. Use --gaps-only to focus on non-compliance. ```bash /tm-compliance [--framework ] [--policy ] [--gaps-only] ``` -------------------------------- ### Get Threat Model Status with /tm-status Source: https://context7.com/josemlopez/threat-modeling-toolkit/llms.txt Use the /tm-status command to get a quick overview of your threat model's current status, including visual summaries of threats, controls, and compliance. Supports JSON output for automation. ```bash # Show full status /tm-status ``` ```bash # JSON output for automation /tm-status --format json ``` -------------------------------- ### Example Threat Model Drift Report Source: https://context7.com/josemlopez/threat-modeling-toolkit/llms.txt This is an example of a drift report generated by the /tm-drift command. It provides a summary of changes in assets, data flows, attack surfaces, and controls, highlighting degraded or improved controls and new potential threats. ```markdown # Threat Model Drift Report **Baseline**: 2025-01-15 (snapshot-20250115.json) **Current**: 2025-01-20 **Period**: 5 days ## Summary | Category | Added | Removed | Modified | |----------|-------|---------|----------| | Assets | 2 | 0 | 1 | | Data Flows | 3 | 1 | 0 | | Attack Surface | 2 | 0 | 1 | | Controls | 1 | 0 | 2 | ## Asset Changes ### Added Assets - **asset-015: Redis Cache** - Type: data-store, Risk: Cache poisoning - **asset-016: Email Service** - Type: integration, Risk: Email injection ### Modified Assets - **asset-005: User Database** - Classification upgraded to restricted (now stores payment data) ## Control Status Changes ### Degraded Controls - **control-005: Input Validation** - Previous: implemented → Current: partial - Reason: New endpoints missing validation - Files Changed: src/routes/admin.ts ### Improved Controls - **control-012: Rate Limiting** - Previous: missing → Current: implemented - Evidence: src/middleware/rateLimiter.ts ## New Potential Threats 1. **Cache Poisoning** (asset-015) - Unauthenticated cache invalidation 2. **Email Header Injection** (asset-016) - Malicious email content ``` -------------------------------- ### Verify Threats in Simple App with Evidence Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/TEST/README.md Verify threats in the 'simple-app' project, including evidence collection. ```bash cd simple-app && /tm-verify --evidence ``` -------------------------------- ### GET /payments/history Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/TEST/complex-system/docs/services/payment-service.md Retrieves the transaction history for payments. ```APIDOC ## GET /payments/history ### Description Retrieves a paginated list of payment transactions. Requires specifying a date range. ### Method GET ### Endpoint /payments/history ### Parameters #### Query Parameters - **startDate** (string) - Required - The start date for the transaction history (YYYY-MM-DD). - **endDate** (string) - Required - The end date for the transaction history (YYYY-MM-DD). - **status** (string) - Optional - Filter transactions by status (e.g., "succeeded", "failed"). - **limit** (integer) - Optional - The maximum number of transactions to return per page (pagination). - **offset** (integer) - Optional - The number of transactions to skip (pagination). ### Response #### Success Response (200) - **transactions** (array) - A list of payment transaction objects. - **id** (string) - The unique identifier for the payment. - **status** (string) - The status of the payment. - **amount** (integer) - The payment amount in cents. - **currency** (string) - The currency of the payment. - **createdAt** (string) - The timestamp when the payment was created. - **totalCount** (integer) - The total number of transactions matching the query. #### Response Example ```json { "transactions": [ { "id": "pay_abc123", "status": "succeeded", "amount": 10000, "currency": "usd", "createdAt": "2025-01-20T10:00:00Z" }, { "id": "pay_def456", "status": "failed", "amount": 5000, "currency": "usd", "createdAt": "2025-01-19T09:00:00Z" } ], "totalCount": 2 } ``` ``` -------------------------------- ### Get All Tasks Response Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/TEST/simple-app/docs/api.md A successful request to retrieve all tasks returns a 200 OK status code with a list of tasks. ```json { "tasks": [ { "id": "uuid", "title": "Complete project", "description": "Finish the API", "status": "in_progress", "dueDate": "2025-02-01", "assigneeId": "uuid" } ] } ``` -------------------------------- ### Run Security Tests with npm Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/TEST/results/tm-tests-result.md These commands demonstrate how to run security tests using npm. You can run all tests, specific categories, or tests with code coverage enabled. ```bash # Run all security tests npm test -- --testPathPattern=".threatmodel/tests" ``` ```bash # Run specific category npm test -- auth-security npm test -- authz-security npm test -- input-validation ``` ```bash # Run with coverage npm test -- --coverage --testPathPattern=".threatmodel/tests" ``` -------------------------------- ### Create Baseline for Drift Detection in Complex System Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/TEST/README.md Create a baseline for drift detection in the 'complex-system' project. ```bash cd complex-system && /tm-drift --create-baseline ``` -------------------------------- ### Example of Insufficient Logging Pattern Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/TEST/results/tm-verify-result.md This pattern identifies the absence of logging libraries or audit trails, indicating a lack of security event logging. ```regex log|logger|winston|bunyan|pino|audit|console\.log.*auth|console\.log.*login ``` -------------------------------- ### Run Full Threat Modeling Workflow Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/skills/tm-full/SKILL.md Use this command to execute the entire threat modeling process. Customize the output directory, threat framework, compliance frameworks, and report detail level using the provided arguments. ```bash /tm-full [--docs ] [--framework stride|pasta] [--compliance ] [--output ] [--report-level executive|standard|detailed] ``` -------------------------------- ### Run tm-verify Command Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/skills/tm-verify/SKILL.md Use this command to initiate the control verification process. Options allow for specific control or category verification, thorough analysis, and evidence collection. ```bash /tm-verify [--control ] [--category ] [--thorough] [--evidence] ``` -------------------------------- ### Control Verification Results Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/posts/LINKEDIN-POST.md Example output from the control verification process, detailing the number of controls analyzed and their implementation status (Implemented, Partial, Missing). ```text Control Verification Complete ============================= Controls Analyzed: 15 Verification Results: ✓ Implemented: 5 (33%) ⚠ Partial: 3 (20%) ✗ Missing: 7 (47%) Gaps Identified: Critical: 3 High: 5 Medium: 2 ``` -------------------------------- ### Clone Threat Modeling Toolkit Test Project Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/README.md Clone the included test project to quickly try out the Threat Modeling Toolkit. Navigate into the simple-app directory after cloning. ```bash git clone https://github.com/josemlopez/threat-modeling-toolkit.git cd threat-modeling-toolkit/TEST/simple-app ``` -------------------------------- ### Map Compliance to Multiple Frameworks Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/TEST/complex-system/README.md Maps the system's security posture against multiple compliance frameworks, such as OWASP, SOC2, and PCI-DSS. ```bash /tm-compliance --framework owasp,soc2,pci-dss ``` -------------------------------- ### Example of Missing Password Strength Check Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/TEST/results/tm-verify-result.md This JavaScript snippet demonstrates a basic presence check for email, password, and name, but lacks password length or strength validation. ```javascript // src/routes/auth.js:14 - Only presence check if (!email || !password || !name) // No: if (password.length < 12) or strength check ``` -------------------------------- ### Sample Generated Test for GAP-001 Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/posts/BLOG-POST.md An example of a generated test case that is expected to fail due to a known security gap (GAP-001), documenting the lack of an ownership check. ```javascript it('TEST-012: [EXPECTED FAIL] Should block user from updating others task', async () => { // NOTE: This test documents GAP-001 // Currently NO ownership check - test should fail until fixed const response = await request(app) .put(`/api/tasks/${userATaskId}`) .set('Authorization', `Bearer ${userBToken}`) .send({ title: 'Hacked by User B' }); // Should return 403 Forbidden (FAILS until GAP-001 fixed) expect(response.status).toBe(403); }); ``` -------------------------------- ### Map to Compliance Frameworks Source: https://context7.com/josemlopez/threat-modeling-toolkit/llms.txt Use the `tm-compliance` command to map threats and controls to specified compliance frameworks. You can map to multiple frameworks by separating them with commas. ```bash # Map to OWASP Top 10 /tm-compliance --framework owasp # Map to multiple frameworks /tm-compliance --framework owasp,soc2,pci-dss # Show only compliance gaps /tm-compliance --framework owasp --gaps-only ``` -------------------------------- ### Verify Security Controls in Codebase Source: https://context7.com/josemlopez/threat-modeling-toolkit/llms.txt Searches the codebase to verify the existence of security controls and collects file:line evidence for their implementation. Use --control to specify a control and --evidence to collect proof. ```bash # Verify all controls /tm-verify # Verify specific control with evidence collection /tm-verify --control control-001 --evidence ``` -------------------------------- ### Create Users Table Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/TEST/complex-system/docs/services/auth-service.md SQL schema for the 'users' table, storing user account information, authentication details, and MFA configurations. ```sql CREATE TABLE users ( id UUID PRIMARY KEY DEFAULT gen_random_uuid(), email VARCHAR(255) UNIQUE NOT NULL, password_hash VARCHAR(255) NOT NULL, name VARCHAR(255) NOT NULL, organization_id UUID REFERENCES organizations(id), role VARCHAR(50) NOT NULL DEFAULT 'viewer', mfa_enabled BOOLEAN DEFAULT FALSE, mfa_secret VARCHAR(255), mfa_recovery_codes TEXT[], failed_login_attempts INTEGER DEFAULT 0, locked_until TIMESTAMP, last_login TIMESTAMP, created_at TIMESTAMP DEFAULT NOW(), updated_at TIMESTAMP DEFAULT NOW() ); ``` -------------------------------- ### Example of Missing Rate Limiting Middleware Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/TEST/results/tm-verify-result.md This code snippet shows a route definition missing the rate limiting middleware, indicating a vulnerability to brute-force attacks on password reset. ```javascript router.post('/forgot-password', async...) ``` -------------------------------- ### Run Full Threat Model Analysis Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/posts/X-THREAD.md Execute a complete threat modeling workflow, including documentation analysis, threat identification, control verification, and compliance mapping. Specify documentation paths and desired compliance frameworks. ```bash /tm-full --docs ./docs ``` ```bash /tm-full --docs ./docs --compliance owasp,soc2 ``` -------------------------------- ### Example of Missing Object-Level Authorization (Task Delete) Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/TEST/results/tm-verify-result.md This SQL snippet shows a query missing a user ID filter, indicating a lack of object-level authorization for task deletion. ```sql WHERE id = $1 ``` -------------------------------- ### Create New Baseline After Fixes Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/TEST/results/tm-drift-result.md Execute this command after implementing fixes to create a new baseline for future drift comparisons. ```bash /tm-drift --create-baseline ``` -------------------------------- ### Run Full Threat Model with Compliance on Complex System Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/TEST/README.md Execute the full threat modeling process on the 'complex-system' project, including compliance checks for OWASP, SOC2, and PCI-DSS. ```bash cd complex-system /tm-full --docs ./docs --compliance owasp,soc2,pci-dss ``` -------------------------------- ### Example of Missing Object-Level Authorization (Task Update) Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/TEST/results/tm-verify-result.md This SQL snippet shows a query missing a user ID filter, indicating a lack of object-level authorization for task updates. ```sql WHERE id = $5 ``` -------------------------------- ### Environment Variables for Integrations Source: https://github.com/josemlopez/threat-modeling-toolkit/blob/main/docs/HYBRID-MCP-ARCHITECTURE.md Lists essential environment variables required for various integrations, including NVD API key, Jira credentials, Slack webhook URL, and GitHub token. ```bash # Vulnerability databases export NVD_API_KEY=your-nvd-api-key # Jira integration export JIRA_API_TOKEN=your-jira-token export JIRA_BASE_URL=https://your-org.atlassian.net # Slack notifications export SLACK_WEBHOOK_URL=https://hooks.slack.com/... # GitHub integration export GITHUB_TOKEN=your-github-token ```