Frequently Asked Questions

Is there an example of what I can do with ThreatPlaybook?

Yes, here is a working example of Threat Models and Security Automation with ThreatPlaybook.

Can ThreatPlaybook be used in CI/CD environments?

Absolutely!! That's what ThreatPlaybook was built for. Robot Framework lends itself perfectly to running sequential tasks/test cases, which is broadly comparable to what you achieve in a CI/CD pipeline, even if you don't work with Jenkins, Travis, etc. You can also plug the Robot script into Jenkins, Travis, etc. and run the entire Playbook from there.
In fact, we are working on a Robot Library for Git and for some SAST (Bandit, Brakeman, NodeJSScan, etc.) and SCA (OWASP Dependency-Check) tools. That will make the concept of a security pipeline really powerful, as you can add SAST, SCA and DAST to a Security Test Pipeline and run it on a periodic basis, as required.

What are some of the tools that you are looking to integrate with, as part of ThreatPlaybook?

These are some of the tools that we are looking to build Robot Framework libs for. We can use help here:
  • Generic Robot Framework Git Library (for at least clones and pulls), especially for SAST
  • JIRA Plugin => For posting results to JIRA
  • Bandit, Brakeman, NodeJSScan => SAST Tools
  • OWASP Dependency-Check => Software Composition Analysis
  • Shodan => OSINT
  • AWS Security Assessment tools like csSuite, Zeus, S3-Inspector, etc.

Why Robot Framework?

  • Natural Language Syntax FTW! => Easy to develop complex test suites and tasks with simple keywords
  • Single Fabric => You can use it flexibly to import any number of third-party libraries. Very rarely can you achieve that with AppSec Automation
  • Community and Growth => Robot Framework has consistently been one of the fastest-growing Test Frameworks out there. It is Python :) and has Java libs as well. It has a great roster of Third-Party and Native Libs. Libs like SeleniumLibrary and RESTinstance are very important resources for AppSec as well
  • Worked well for us => It's worked really well for us in our client implementations
  • Sky is the limit => Writing Libs is super-easy and you can really extend it any way you want
  • Great for working with Devs and QA => Devs and QA don't need to learn complex security automation, etc. Natural Language syntax helps greatly.
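As an added illustration of the "writing libs is super-easy" point and of the SAST integration mentioned above, here is a small Robot Framework keyword library written in plain Python. It is example code, not part of ThreatPlaybook or the Robot Framework project. It assumes the JSON layout that `bandit -f json` produces (a top-level `results` list whose entries carry `issue_severity`, `test_id`, `filename`, `line_number` and `issue_text`); the embedded report is constructed for the example, and the class and keyword names are our own. Robot Framework exposes every public method of the class as a keyword, so no Robot-specific imports are needed to try it out.

```python
"""Hypothetical Robot Framework library that gates a pipeline on Bandit findings.

Save as bandit_gate.py and import it from a .robot file with
    Library    bandit_gate.py
Robot turns each public method into a keyword, e.g.
    Fail If Issues At Or Above    ${results}    HIGH
"""
import json

# Rank severities so a threshold such as "MEDIUM" also catches "HIGH".
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Constructed sample mimicking `bandit -f json` output; not from a real scan.
SAMPLE_REPORT = json.dumps({
    "results": [
        {"filename": "app/views.py", "line_number": 42, "test_id": "B602",
         "issue_severity": "HIGH", "issue_confidence": "HIGH",
         "issue_text": "subprocess call with shell=True identified"},
        {"filename": "app/config.py", "line_number": 7, "test_id": "B105",
         "issue_severity": "LOW", "issue_confidence": "MEDIUM",
         "issue_text": "Possible hardcoded password"},
    ]
})


class BanditGateLibrary:
    """Keyword library: parse a Bandit JSON report and decide pass/fail."""

    # One instance shared across the whole Robot run.
    ROBOT_LIBRARY_SCOPE = "GLOBAL"

    def load_bandit_report(self, report_json):
        """Return the list of findings from a Bandit JSON document (a string)."""
        data = json.loads(report_json)
        return data.get("results", [])

    def load_bandit_report_file(self, path):
        """Same as above, but reading the report from disk (what a CI step would do)."""
        with open(path, encoding="utf-8") as fh:
            return self.load_bandit_report(fh.read())

    def count_issues_by_severity(self, results):
        """Tally findings per severity; unknown severities are ignored."""
        counts = {"LOW": 0, "MEDIUM": 0, "HIGH": 0}
        for finding in results:
            sev = str(finding.get("issue_severity", "")).upper()
            if sev in counts:
                counts[sev] += 1
        return counts

    def issues_at_or_above(self, results, threshold="HIGH"):
        """Return findings whose severity is >= threshold (Robot passes args as strings)."""
        floor = SEVERITY_RANK.get(str(threshold).upper(), SEVERITY_RANK["HIGH"])
        return [
            f for f in results
            if SEVERITY_RANK.get(str(f.get("issue_severity", "")).upper(), 0) >= floor
        ]

    def gate_passes(self, results, threshold="HIGH"):
        """True when no finding reaches the threshold; handy for branching in Robot."""
        return not self.issues_at_or_above(results, threshold)

    def fail_if_issues_at_or_above(self, results, threshold="HIGH"):
        """Fail the Robot test (raise) when findings reach the threshold.

        Returns the number of findings examined when the gate passes, so the
        keyword can be used with `${n}=    Fail If Issues At Or Above ...`.
        """
        offending = self.issues_at_or_above(results, threshold)
        if offending:
            lines = [
                "%s:%s %s [%s] %s" % (
                    f.get("filename"), f.get("line_number"), f.get("test_id"),
                    f.get("issue_severity"), f.get("issue_text"))
                for f in offending
            ]
            raise AssertionError(
                "%d Bandit finding(s) at or above %s:\n%s"
                % (len(offending), str(threshold).upper(), "\n".join(lines)))
        return len(results)


if __name__ == "__main__":
    lib = BanditGateLibrary()
    findings = lib.load_bandit_report(SAMPLE_REPORT)
    print(lib.count_issues_by_severity(findings))
    print("gate at MEDIUM passes:", lib.gate_passes(findings, "MEDIUM"))
```

In a `.robot` suite the flow is `${results}=    Load Bandit Report File    bandit.json` followed by `Fail If Issues At Or Above    ${results}    MEDIUM`, which makes the Robot test (and therefore the Jenkins or Travis stage running it) fail on any medium- or high-severity finding while low-severity findings only show up in the log. Returning plain lists and dicts keeps the keywords composable with Robot's built-in collection keywords.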

What do you see as the future of this project?

  • We truly believe that this project can be a one-stop shop for Application Security Automation.
  • We believe that Threat Modeling can be leveraged extensively as a "single source of truth" for your Application Security Program, which extends to continuous security testing.
  • We believe that automation is important, but cannot replace human effort. Automation should instead help humans be more efficient and effective. Hence the playbook-style approach for this project.

What can't ThreatPlaybook do?

  • If you are looking for a completely automated solution, ThreatPlaybook is not for you. We are yet to see anything that achieves high-quality depth and breadth in these areas with 100% automation.
  • ThreatPlaybook can't auto-generate Threat Models. Threat Modeling is an intellectual and group activity that is ideally performed by humans. We believe that until AI is able to take over that bit, humans should remain at the forefront of threat modeling. ThreatPlaybook lets you capture and codify Threat Models and integrate/link them with Security Automation.

Please open any requests for FAQs as an Issue in the GitHub Repo.