diff --git a/prompts/chat/threat_modelling_step_by_step.md b/prompts/chat/threat_modelling_step_by_step.md index 7fa19c2..4f8c5d5 100644 --- a/prompts/chat/threat_modelling_step_by_step.md +++ b/prompts/chat/threat_modelling_step_by_step.md @@ -3,7 +3,7 @@ identifier: threat-modelling-in-steps-da5bc93c title: "Threat modelling scenarios - step by step" categories: ["coding", "architecture"] -help_prompt_description: "Start an 'evil brainstorming' about what could go wrong with your application, from a security perspective. The AI will stop after each category to ask you for corrections and additions" +help_prompt_description: "Start an 'evil brainstorming' about what could go wrong with your application, from a security perspective. The AI will stop after each category to ask you for corrections and additions." help_user_input: "Provide a description of the architecture and/or the user flow." --- diff --git a/prompts/chat/threat_modelling_stride.md b/prompts/chat/threat_modelling_stride.md new file mode 100644 index 0000000..8734739 --- /dev/null +++ b/prompts/chat/threat_modelling_stride.md 
@@ -0,0 +1,53 @@ +--- +identifier: threat-modelling-cdbaba6f +title: "Threat Modelling: STRIDE" +system: "You are a developer on a software engineering team." +categories: ["architecture"] +output_framing: "We created a first set of threat scenarios according to the STRIDE threat modelling approach, here they are:" +type: cards + +help_prompt_description: "Brainstorm threat modelling scenarios based on the STRIDE approach. Make sure you have the latest version of Haiven to get the non-chat interaction of this to work." +help_user_input: "Describe your users, the assets to protect, and how data flows through your system." +--- +## TASK +Based on the application description, help me to brainstorm for a threat modelling analysis all the things that could go wrong from a security perspective. Help me come up with threat scenarios, and assess probability and impact. Describe each scenario as a markdown table, with columns + +- Scenario title +- Description +- STRIDE category +- Probability (Low or Medium or High, include reasons for value) +- Impact (value Low or Medium or High, include reasons for value) + +I want you to help me brainstorm scenarios in multiple categories according to the "STRIDE" model. +- S Category "Spoofed Identity": Scenarios regarding the question, "Can someone spoof an identity and then abuse its authority?" based on my application description. +- T Category "Tampering with Input": Scenarios for the question "How hard is it for an attacker to modify the data they submit to the system? Can they break a trust boundary and modify the code which runs as part of your system?" +- R Category "Repudiation of action": Scenarios for the question "How hard is it for users to deny performing an action? What evidence does the system collect to help you to prove otherwise?" Non-repudiation refers to the ability of a system to ensure people are accountable for their actions. 
+- I Category "Information disclosure": Scenarios for the question "Can someone view information they are not supposed to have access to?" Information disclosure threats involve the exposure or interception of information to unauthorised individuals. +- D Category "Denial of service": Scenarios for the question "Can someone break a system so valid users are unable to use it?" Denial of service attacks work by flooding, wiping or otherwise breaking a particular service or system. +- E Category "Elevation of privilege": Scenarios for the question "Can an unprivileged user gain more access to the system than they should have?" Elevation of privilege attacks are possible because authorisation boundaries are missing or inadequate. + +## CONTEXT + +~High level description of our architecture as general context:~ + +{architecture} + +~Application properties relevant to threat modelling:~ + +{user_input} + +## INSTRUCTIONS +You will create at least one scenario for each category. +Give me at least 5 scenarios. + +You will respond with only a valid JSON array of scenario objects. Each scenario object will have the following schema: + + - "title": , + - "category": , + - "summary": , + - "probability": , + - "impact": , + +Make sure to apply each scenario category to the CONTEXT, and give me scenarios that are relevant to my particular application CONTEXT. + + \ No newline at end of file
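Review bot: The TASK and INSTRUCTIONS sections of the new threat_modelling_stride.md contradict each other on output format: TASK says "Describe each scenario as a markdown table, with columns ..." while INSTRUCTIONS says "You will respond with only a valid JSON array of scenario objects." Since `type: cards` implies the non-chat card rendering consumes JSON, drop the markdown-table sentence from TASK (or reword it to "Describe each scenario with the following fields") so the model is not given two formats. In the same hunk, the schema list is empty on every field (`- "title": ,`, `- "category": ,` ... `- "impact": ,`), so the prompt never says what each value should contain or where the "include reasons for value" text for probability and impact should go; fill in a short description per field, e.g. `- "probability": "Low, Medium or High, followed by the reasons for that value"`, and remove the trailing comma after the last field so the example does not suggest invalid JSON. Minor: "Give me at least 5 scenarios" is weaker than the preceding "at least one scenario for each category" across six STRIDE categories, so one of the two numbers should change; and the file is committed without a trailing newline ("\ No newline at end of file").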