Yes, here is a working example of Threat Models and Security Automation with ThreatPlaybook.
Absolutely!! That's what ThreatPlaybook was built for. Robot Framework lends itself perfectly to running sequential tasks/test cases, which is sorta comparable to what can be achieved with CI/CD, even if you don't work with Jenkins, Travis, etc. You can also plug the Robot script into Jenkins, Travis, etc. and run the entire Playbook.
In fact, we are working on a Robot Library for Git and some SAST (Bandit, Brakeman, NodeJSScan, etc.) as well as SCA (OWASP Dependency Check). That will really make the entire concept of a security pipeline powerful, as you can add SAST, SCA and DAST to a Security Test Pipeline and run it on a periodic basis, as required.
Robot Framework Jenkins Plugin => https://wiki.jenkins.io/display/JENKINS/Robot+Framework+Plugin
Minimal example running Robot Scripts in Travis CI => https://github.com/rhesusminus/robot-framework
These are some of the tools that we are looking to build Robot Framework libs for. We can use help here:
Generic Robot Framework Git Library (for at least clones and pulls), especially for SAST
JIRA Plugin -> For posting results to JIRA
Bandit, Brakeman, NodeJSScan => SAST Tools
OWASP Dependency Check => Source Composition Analysis
Shodan => OSINT
AWS Security Assessment tools like csSuite, Zeus, S3-Inspector, etc
Natural Language Syntax FTW! => Easy to develop complex test suites and tasks with simple keywords
Single Fabric => You can use it flexibly to import any number of third party libraries. Very rarely can you achieve that with AppSec Automation
Community and Growth => Robot Framework has consistently been one of the fastest growing Test Frameworks out there. It is Python :) and has Java libs as well. It has a great roster of Third Party and Native Libs out there. Libs like SeleniumLibrary and RESTInstance are very important resources for AppSec as well
Worked well for us => It's worked really well for us in our client implementations
Sky is the limit => Writing Libs is super-easy and you can really extend it any way you want
Great for working with Devs and QA => Devs and QA don't need to learn complex security automation, etc. Natural Language syntax helps greatly.
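As an illustration of how small a Robot Framework library can be, here is an added sketch of a keyword library wrapping Bandit, one of the SAST tools listed above. It is not ThreatPlaybook's code: the class name, keyword names and sample report are assumptions made for this example; only the `bandit -r <dir> -f json` invocation and the JSON report fields are Bandit's own.

```python
import json
import subprocess

LEVELS = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

class BanditKeywords:
    """Hypothetical keyword library: Robot Framework exposes each public
    method as a keyword, e.g. run_bandit_on -> `Run Bandit On`."""

    def __init__(self):
        self.findings = []

    def run_bandit_on(self, source_dir):
        # Bandit exits non-zero when it reports issues, so the exit code is
        # not treated as an error; the JSON report on stdout is what counts.
        proc = subprocess.run(["bandit", "-r", source_dir, "-f", "json"],
                              capture_output=True, text=True)
        return self.load_bandit_report(proc.stdout)

    def load_bandit_report(self, report_json):
        try:
            report = json.loads(report_json)
        except json.JSONDecodeError as exc:
            # A scanner that produced no report must fail the test, not pass it.
            raise AssertionError(f"Bandit output was not valid JSON: {exc}")
        self.findings = report.get("results", [])
        return len(self.findings)

    def findings_at_or_above(self, severity):
        floor = LEVELS[severity.upper()]
        return [f for f in self.findings
                if LEVELS.get(str(f.get("issue_severity", "")).upper(), 0) >= floor]

    def bandit_findings_should_be_below(self, severity):
        # Raising AssertionError is how a keyword fails a Robot test case.
        hits = self.findings_at_or_above(severity)
        if hits:
            detail = "\n".join(f"{f.get('test_id')} {f.get('filename')}:"
                               f"{f.get('line_number')} {f.get('issue_text')}" for f in hits)
            raise AssertionError(f"{len(hits)} Bandit finding(s) at or above {severity}:\n{detail}")

# Constructed sample report (not real scan output) so the parser runs offline.
SAMPLE_REPORT = json.dumps({"results": [
    {"test_id": "B602", "filename": "app/run.py", "line_number": 14,
     "issue_severity": "HIGH", "issue_text": "subprocess call with shell=True identified"},
    {"test_id": "B101", "filename": "app/util.py", "line_number": 3,
     "issue_severity": "LOW", "issue_text": "Use of assert detected"},
]})
```

Saved as BanditKeywords.py and imported in a suite's Settings with the Library setting, a test case could call `Run Bandit On` with a source directory followed by `Bandit Findings Should Be Below` with `HIGH`, and the same suite then runs unchanged from Jenkins or Travis.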
We truly believe that this project can be a one-stop-shop for Application Security Automation.
We believe that Threat Modeling can be leveraged extensively as a "single source of truth" for your Application Security Program, which extends to continuous security testing.
We believe that automation is important, but cannot replace human effort. However, automation should aid humans in being more efficient and effective. Hence, the playbook style approach for this project
If you are looking for a completely automated solution, ThreatPlaybook is not for you. We are yet to see something that is able to achieve a high quality depth and breadth of these areas with 100% automation.
ThreatPlaybook can't auto-generate Threat Models. Threat Modeling is an intellectual and group activity which is ideally performed by humans. We believe that until AI is able to take over that bit, humans should still be at the forefront of threat models. ThreatPlaybook allows you to capture and codify Threat Models and integrate/link them with Security Automation.
Please open up any requests for FAQs as an Issue in the GitHub repo.