github.com/gemaraproj/gemara@v1.3.0

docs/tutorials/controls/threat-assessment-guide.md raw

  1---
  2layout: page
  3title: Threat Assessment Guide
  4description: Step-by-step guide to performing Gemara-compatible threat assessments
  5---
  6
  7## What This Is
  8
  9This guide walks through a threat assessment using the [Gemara](https://gemara.openssf.org/) project.
 10
 11**The basic idea:** Think of a project like a house. First, you identify what the house can do: its **[capabilities](../../model/02-definitions.html#capability)** (e.g., "allow entry/exit", "store belongings"). Then, you identify **[threats](../../model/02-definitions.html#threat)**, what could go wrong with those capabilities (e.g., "unauthorized entry through unlocked door", "theft of stored belongings").
 12
 13In technical terms:
 14 * **[Capabilities](../../model/02-definitions.html#capability)** define what the technology can do. These form a primary component of the **attack surface** because every intended function represents a potential path for unintended use.
 15 * **[Threats](../../model/02-definitions.html#threat)** define specific ways those capabilities could be misused or exploited.
 16
 17This exercise helps you systematically identify what could go wrong so you can build appropriate defenses.
 18
 19Gemara splits these into two artifact kinds: `CapabilityCatalog` for capability definitions, and `ThreatCatalog` for threats. A threat catalog references capabilities via `mapping-references` on each threat. 
 20
 21## Walkthrough
 22
 23### Step 0: Define Scope
 24
 25Select a component or technology to assess (service, API, infrastructure component, or technology stack).
 26
 27**Leverage existing resources**: Gemara supports importing entries from external catalogs so you don't have to start from scratch. The FINOS Common Cloud Controls (CCC) Core [catalog](https://github.com/finos/common-cloud-controls/releases/download/v2025.10/CCC.Core_v2025.10.yaml) defines well-vetted capabilities and threats that apply broadly across cloud services. These pre-built items can help accelerate your assessment.
 28
 29We will explore how this is leveraged below as we dive into our container management tool example (i.e., **SEC.SLAM.CM**).
 30
 31### Step 1: Setting Up Metadata (Threat catalog)
 32
 33Declare your scope and mapping references for the `ThreatCatalog`. Key fields:
 34
 35| Field | What It Is | Why |
 36|-------|------------|-----|
 37| `title` | Display name for the threat catalog (top-level field) | Human-readable label used in reports and tooling output |
 38| `metadata.type` | Must be `ThreatCatalog` | Identifies the artifact for `#ThreatCatalog` validation |
 39| `metadata.gemara-version` | String (e.g. `1.2.0`) | Declares which Gemara specification version the file conforms to (required) |
 40| `mapping-references` with `id: CCC` | Pointer to the CCC Core catalog release | Resolve imported CCC capability and threat IDs used in `imports` and in each threat's `capabilities` |
 41| `mapping-references` for scope capabilities | Pointer to your `CapabilityCatalog` (see Step 2) | Resolve IDs such as `SEC.SLAM.CM.CAP01` referenced from each threat's `capabilities` |
 42| Top-level `imports` (optional) | List of `#MultiEntryMapping` rows | Pull CCC (or other) capability/threat entries into this catalog without redefining them |
 43
 44**Example (YAML)** — threat catalog metadata only:
 45
 46```yaml
 47title: Container Management Tool Security Threat Catalog
 48metadata:
 49  id: SEC.SLAM.CM
 50  type: ThreatCatalog
 51  gemara-version: "1.2.0"
 52  description: Threat catalog for container management tool security assessment
 53  version: 1.0.0
 54  author:
 55    id: example
 56    name: Example
 57    type: Human
 58  mapping-references:
 59    - id: CCC
 60      title: Common Cloud Controls Core
 61      version: v2025.10
 62      url: https://github.com/finos/common-cloud-controls/releases
 63      description: |
 64        Foundational repository of reusable security controls, capabilities,
 65        and threat models maintained by FINOS.
 66    - id: SEC.SLAM.CM.CAP
 67      title: Container Management Tool Security Capability Catalog
 68      version: "1.0.0"
 69      url: https://example.org/catalogs/SEC.SLAM.CM-capabilities.yaml
 70      description: |
 71        Scope-specific capabilities for this assessment (see Step 2).
 72```
 73
 74### Step 2: Identify Capabilities (Capability catalog)
 75
 76Capabilities are the core functions or features within the scope. In Gemara they live in a `CapabilityCatalog`. For SEC.SLAM.CM, scope-specific capabilities are in [capabilities.yaml](capabilities.yaml) (`metadata.id` `SEC.SLAM.CM.CAP`) so threats can reference them with `reference-id: SEC.SLAM.CM.CAP` and `entries` listing IDs such as `SEC.SLAM.CM.CAP01`.
 77
 78**Start with the imported capabilities** you can leverage from FINOS CCC. Ask: "Which common cloud capabilities does this technology have?" 
 79
 80A container management tool actively reaches out to registries to pull images and configuration. Since CCC Core already defines that as **CP29** (Active Ingestion), we import it rather than redefining it. Image tags also function as version identifiers - the tool resolves a tag like `latest` or `v1.0` to a specific image. CCC Core defines that behavior as **CP18** (Resource Versioning), so we import that as well. 
 81
 82> **Note:** Those IDs are referenced from threats under each threat’s `capabilities` and may also appear under top-level `imports` in the `ThreatCatalog`.
 83
 84**Then, define specific capabilities** unique to your target. Required fields:
 85
 86| Field | Required | Description |
 87|-------|----------|-------------|
 88| `id` | Yes | Unique identifier (e.g. `ORG.PROJ.COMPONENT.CAP##`) |
 89| `title` | Yes | Clear name for the capability |
 90| `description` | Yes | What this capability does |
 91| `group` | Yes | `id` of a **group** defined in the same capability catalog |
 92
 93**Example (YAML)** — see [capabilities.yaml](capabilities.yaml):
 94
 95```yaml
 96title: Container Management Tool Security Capability Catalog
 97metadata:
 98  id: SEC.SLAM.CM.CAP
 99  type: CapabilityCatalog
100  gemara-version: "1.2.0"
101  description: |
102    Capabilities unique to the container management tool scope.
103  version: 1.0.0
104  author:
105    id: example
106    name: Example
107    type: Human
108
109groups:
110  - id: SEC.SLAM.CM.CAPGRP01
111    title: Image retrieval and resolution
112    description: |
113      How the tool retrieves images and resolves references to artifacts.
114
115capabilities:
116  - id: SEC.SLAM.CM.CAP01
117    title: Image Retrieval by Tag
118    description: |
119      Ability to retrieve container images from registries using mutable tag names
120      (e.g., 'latest', 'v1.0').
121    group: SEC.SLAM.CM.CAPGRP01
122  - id: SEC.SLAM.CM.CAP02
123    title: Image Reference Lookup
124    description: |
125      The tool resolves image references via network requests; resolution time may
126      differ from use time, and references may be mutable.
127    group: SEC.SLAM.CM.CAPGRP01
128```
129
130### Step 3: Identify Threats (Threat catalog)
131
132 **[Threats](../../model/02-definitions.html#threat)** are specific ways **[capabilities](../../model/02-definitions.html#capability)** can be misused, exploited, or cause problems. For each **capability**, identify potential **threats**.
133
134Check for imported **[threats](../../model/02-definitions.html#threat)** first. As with **[capabilities](../../model/02-definitions.html#capability)**, review the CCC Core catalog for threats linked to the capabilities you imported. If a threat fits your scope, import it. In this example, CCC Core defines **TH14** ("Older Resource Versions are Used") which is linked to **CP18**. It applies because mutable image tags let the tool resolve to a stale or compromised version.
135
136**Importing from CCC.** List CCC rows under top-level `imports` as a list of mappings. You can include both capability and threat IDs from CCC in the same `entries` list when they come from that single mapping reference.
137
138**Example (YAML)** — `imports` on the threat catalog:
139
140```yaml
141imports:
142  - reference-id: CCC
143    entries:
144      - reference-id: CCC.Core.CP29
145        remarks: Active Ingestion
146      - reference-id: CCC.Core.CP18
147        remarks: Resource Versioning
148      - reference-id: CCC.Core.TH14
149        remarks: Older Resource Versions are Used
150```
151
152**Then, define specific threats** unique to your target. Required fields:
153
154| Field | Required | Description |
155|-------|----------|-------------|
156| `id` | Yes | Unique identifier following the pattern `ORG.PROJ.COMPONENT.THR##` |
157| `title` | Yes | Short name for the threat |
158| `description` | Yes | What goes wrong and why it matters |
159| `group` | Yes | `id` of a **group** defined in this threat catalog |
160| `capabilities` | Yes | Links this threat to the capabilities it exploits |
161| `vectors` | No | Optional link to vector catalog entries |
162| `actors` | No | Optional threat actors (`#Actor`) |
163
164**Example (YAML)** — a custom threat (*Container Image Tampering or Poisoning*) linked to the capabilities it exploits: **CCC.Core.CP29** (Active Ingestion), **CCC.Core.CP18** (Resource Versioning), and **SEC.SLAM.CM.CAP01** (Image Retrieval by Tag) via your scope capability catalog reference (`SEC.SLAM.CM.CAP`).
165
166```yaml
167groups:
168  - id: SEC.SLAM.CM.FAM01
169    title: Image integrity and supply chain
170    description: |
171      Threats affecting container image retrieval, integrity, and trust.
172
173threats:
174  - id: SEC.SLAM.CM.THR01
175    title: Container Image Tampering or Poisoning
176    description: |
177      Attackers may replace a legitimately published image tag with a malicious image
178      by exploiting tag mutability in image registries, especially when the container
179      management tool retrieves images by tag name rather than digest. This enables
180      unauthorized access, data exfiltration, and system compromise.
181    group: SEC.SLAM.CM.FAM01
182    capabilities:
183      - reference-id: CCC
184        entries:
185          - reference-id: CCC.Core.CP29
186          - reference-id: CCC.Core.CP18
187      - reference-id: SEC.SLAM.CM.CAP
188        entries:
189          - reference-id: SEC.SLAM.CM.CAP01
190```
191
192### Step 4: Validate
193
194The final YAML should look something like this:
195
196```yaml
197title: Container Management Tool Security Threat Catalog
198
199metadata:
200  id: SEC.SLAM.CM
201  type: ThreatCatalog
202  gemara-version: "1.2.0"
203  description: Threat catalog for container management tool security assessment
204  version: 1.0.0
205  author:
206    id: example
207    name: Example
208    type: Human
209  mapping-references:
210    - id: CCC
211      title: Common Cloud Controls Core
212      version: v2025.10
213      url: https://github.com/finos/common-cloud-controls/releases
214      description: |
215        Foundational repository of reusable security controls, capabilities,
216        and threat models maintained by FINOS.
217    - id: SEC.SLAM.CM.CAP
218      title: Container Management Tool Security Capability Catalog
219      version: "1.0.0"
220      url: https://example.org/catalogs/SEC.SLAM.CM-capabilities.yaml
221      description: |
222        Scope-specific capabilities (CAP01, CAP02) for this threat assessment.
223
224groups:
225  - id: SEC.SLAM.CM.FAM01
226    title: Image integrity and supply chain
227    description: |
228      Threats affecting container image retrieval, integrity, and trust.
229
230imports:
231  - reference-id: CCC
232    entries:
233      - reference-id: CCC.Core.CP29
234        remarks: Active Ingestion
235      - reference-id: CCC.Core.CP18
236        remarks: Resource Versioning
237      - reference-id: CCC.Core.TH14
238        remarks: Older Resource Versions are Used
239
240threats:
241  - id: SEC.SLAM.CM.THR01
242    title: Container Image Tampering or Poisoning
243    description: |
244      Attackers may replace a legitimately published image tag with a malicious image
245      by exploiting tag mutability in image registries, especially when the container
246      management tool retrieves images by tag name rather than digest. This enables
247      unauthorized access, data exfiltration, and system compromise.
248    group: SEC.SLAM.CM.FAM01
249    capabilities:
250      - reference-id: CCC
251        entries:
252          - reference-id: CCC.Core.CP29
253          - reference-id: CCC.Core.CP18
254      - reference-id: SEC.SLAM.CM.CAP
255        entries:
256          - reference-id: SEC.SLAM.CM.CAP01
257```
258
259The complete tutorial adds more CCC imports and additional threats; see [threat-catalog.yaml](threat-catalog.yaml). 
260
261**Validation commands:**
262
263```bash
264go install cuelang.org/go/cmd/cue@latest
265cue vet -c -d '#CapabilityCatalog' github.com/gemaraproj/gemara@v1 docs/tutorials/controls/your-capabilities.yaml
266cue vet -c -d '#ThreatCatalog' github.com/gemaraproj/gemara@v1 docs/tutorials/controls/your-threat-catalog.yaml
267```
268
269## What's Next
270
271Create a Gemara control catalog that maps security controls to these threats using the [Control Catalog Guide](control-catalog-guide).
272
273**Layer 2 schema documentation:** 
274- [Capability Catalog](https://gemara.openssf.org/schema/capabilitycatalog.html)
275- [Threat Catalog](https://gemara.openssf.org/schema/threatcatalog.html)
276- [Control Catalog](https://gemara.openssf.org/schema/controlcatalog.html)