Jorge Esperón
|
Senior Security Architect
November 11, 2022

Microsoft Visio threat modeling workflow

Microsoft Visio threat modeling workflow

Prerequisites

You're expected to have followed the previous step by step tutorial (Threat modeling workflow for AWS Cloudformation architectures using IriusRisk) to configure the IriusRisk API and the Postman API client so that they can speak to each other in a seamless way.

You should use the latest version of the IriusRisk API documentation published at SwaggerHub (1.16.0 at the current time).

Visio defined architecture example

As we’ve talking about in past articles, architecture diagrams are very useful to show you a bird’s-eye view of how an application or system is organized for software components. Microsoft Visio is a very well known diagrammatic tool by Microsoft Windows that offers templates and symbols for different kinds of visual content like organizational charts, network diagrams, flowcharts, floor plans, etc.

Visio has many inbuilt AWS shapes and stencils that can be placed and arranged on the canvas. Follow this step by step tutorial to import a Visio AWS Visio architecture into IriusRisk as a hands-on example.

You can find the AWS Visio architecture we’ll be using along with this article in the following location:

https://github.com/iriusrisk/startleft/blob/main/examples/visio/aws-with-tz-and-vpc.vsdx

Visio Threat Modeling diagram

How to use Postman to automatically create a threat model in IriusRisk from a Visio diagram

Now we can use Postman to upload this Visio template to automatically create a new threat model in IriusRisk for this example architecture. In order to do this, you can follow the next three steps:

Step 1: Select the Visio API endpoint

First, we need to click on the Visio endpoint (POST/api/v1/products/visio) in the Postman collection navigation tree. This API endpoint is intended to create a new IriusRisk project from a Visio file (VSDX):

Iriusrisk API

A new tab opens. You can set the necessary parameters for this HTTP request in the Body submenu, as can be seen in the following figure:

Visio File

Step 2: Set the API request parameters

Now, we'll set the HTTP body parameters:

  • vsdx-file: (Required) File that contains the Visio file.
  • product-id: (Required) Id of the new project in IriusRisk.
  • name: (Required) Name of the new project in IriusRisk.
  • mapping-file: (Optional) File that contains the mapping between generic Visio shapes and IriusRisk components.

To keep this importation template simple, we'll use the default mapping between Visio and IriusRisk components. This way, we won't need to specify the mapping-file and we can deselect this parameter in the Postman checkbox. One example of this mapping file could be found in the StartLeft Github repository. Right now, this default mapping file supports some basic AWS components. However, we’ll continue expanding this default mapping file in the next IriusRisk releases, but if you need to customize this mapping to fit your specific requirements, you can provide your own YAML mapping file to the API using the mapping-file variable.

The next step, is to select our simple example for a Visio template (aws-with-tz-and-vpc.vsdx) as the value of the vsdx-file parameter. Then we set the product-id and name parameters that will be used to create a new project in IriusRisk. Finally, we click on the "Save" button to persist this configuration. This is how it looks in the HTTP POST request configuration right now:

MTMT file

Step 3: Send the API request

We are ready to click on the "Send" button to actually send the HTTP request and create the new IriusRisk project from our Visio template. If everything goes well, we'll receive a 201 HTTP code from the IriusRisk server and the following Body response with some basic information about the newly created project:

Body Copy HTTP

Review the generated threat model in IriusRisk

If we log in in the IriusRisk UI, we'll see that a new threat model was automatically created based on our Visio template architecture:

Iirusrisk UI threat model

This is how it looks in the project home page as a visual summary of some of the main security metrics involved for this threat model:

MTMT Architecture Example

To see the relevant threats and countermeasures for this simple architecture, you can go to the "Threats" section on the left pane:

MTMT Relevant threats

To take a look at the recommended countermeasures, you should visit the “Countermeasures” section:

MTMT Countermeasures

Conclusion

In this step-by-step tutorial we've seen how to automatically create a threat model in IriusRisk from a simple AWS architecture designed with Visio. This could be used as a first step to create a CI/CD pipeline that automatically creates threat models for AWS architectures in the design phase, before the stack is deployed in the production environment.

References