Lucidchart threat modeling workflow

Lucidchart threat modeling workflow

Prerequisites

You're expected to have followed the previous step by step tutorial (Threat modeling workflow for AWS Cloudformation architectures using IriusRisk) to configure the IriusRisk API and the Postman API client so that they can speak to each other in a seamless way.
You should use the latest version of the IriusRisk API documentation published at SwaggerHub (1.20.0 at the current time).

Lucidchart defined architecture example

Lucidchart is a web-based diagramming and visual communication tool that allows users to create various types of diagrams, flowcharts, mind maps, wireframes, and other visual representations of ideas and concepts. With Lucidchart, you can also create diagrams and flowcharts to represent your IaC infrastructure, including its components, relationships, and dependencies. In this article we’ll explore Lucidchart’s ability as a cloud infrastructure diagramming tool.

On the 4.13.0 release, we’ve created a new endpoint for importing Lucidchart projects. This new API will let you use LucidChart diagrams exported as Visio VSDX files to quickly import and create a full IriusRisk threat model.

Follow this step by step tutorial to import a Lucidchart cloud architecture in IriusRisk as a hands-on example.

We’ll start creating a simple AWS cloud-based architecture in Lucidchart with the following elements:

• 3 trust zones
• Some AWS components with their data flows
• A Custom VPC component used as a parent component.

This is how it looks in Lucidchart:

Lucidchart allow us to export this diagram to a Visio format (vsdx):

‍

You can also find this exported file in our StartLeft Github repository.

How to use Postman to automatically create a threat model in IriusRisk from a Lucidchart diagram

Now we can use Postman to upload this Lucidchart file to automatically create a new threat model in IriusRisk for this example AWS architecture. Here are the next three steps to take in order to accomplish this:

Step 1: Select the Lucidchart API endpoint

First, we need to click on the Lucidchart endpoint (POST/api/v1/products/lucid) in the Postman collection navigation tree. This API endpoint is intended to create a new IriusRisk project from a Lucidchart file (VSDX):

‍

You can set the necessary parameters for this HTTP request in the Body submenu, as can be seen in the following figure:

‍

Step 2: Set the API request parameters Now, it’s time to set the necessary HTTP body parameters:

• source-file: (Required) File that contains the Lucidchart file.
• product-id: (Required) Id of the new project in IriusRisk.
• name: (Required) Name of the new project in IriusRisk.
• mapping-file: (Optional) File that contains the mapping between generic shapes and IriusRisk components.

In previous ‘how-to’ tutorials for IaC importation processes, we didn’t provide an additional mapping file to keep the process simple. In this case, we’ll include our own YAML mapping file to extend the default relationships between Lucidchart shapes and IriusRisk components. This mapping file was adapted to fit trustzones and components that are used in the Lucidchart architecture.

This is how it looks:

lucid-aws-with-tz-and-vpc.yaml

trustzones:

- label:  Internet

   type:   internet

   id:     f0ba7722-39b6-4c81-8290-a30a248bb8d9

 - label:  Public Cloud

   type:   public-cloud

   id:     b61d6911-338d-46a8-9f39-8dcd24abfe91

 - label:  Private Secured Cloud

   type:   private-secured

   id:     2ab4effa-40b7-4cd2-ba81-8247d29a6f2d

components:

- label: Web browser

   type: generic-client

 - label: Android

   type: android-device-client

 - label: My DynamoDB

   type: dynamodb

 - label: Custom VPC

   type: empty-component

dataflows: []

Let’s go back to the HTTP body parameters. First, we’ll reference the mapping-file variable in the HTTP request with the YAML file that we’ve just shown (lucid-aws-with-tz-and-vpc.yaml). Next we select the previously exported Lucidchart file (lucid-aws-with-tz-and-vpc.vsdx) as the value of the source-file parameter in the API request. Finally, we set the product-id and name parameters that will be used to create a new project in IriusRisk. We can click on the "Save" button to persist this configuration.

This is how it looks in the HTTP POST request configuration right now:

Step 3: Send the API request

We are almost ready to go. Just click on the "Send" button to actually shoot the HTTP request and create the new IriusRisk project from our Lucidchart template. If everything goes well, you'll receive a 201 HTTP code from the IriusRisk server and the following body response with some basic information about the newly generated project:

‍

Review the generated threat model in IriusRisk

If you log in in the IriusRisk UI, you'll see that a new threat model was automatically created based on our Lucidchart template architecture:

‍

This is what the IriusRisk diagram view looks like for the generated threat model:

‍

To see the relevant threats and countermeasures for this simple architecture, you can go to the "Threats" section on the left pane:

To take a look at the recommended countermeasures, you should visit the “Countermeasures” section:

‍

How to use StartLeft in CLI mode to generate and OTM file from the Lucid file

StartLeft is an automation tool for generating threat models written in the Open Threat Model (OTM) format from a variety of different sources such as IaC files, diagrams or projects exported from Threat Modeling tools.
You can follow the quick start guide to install StartLeft in your system as a command-line interface (CLI) tool.
Once installed, you can execute the following command to convert the Lucidchart file (lucid-aws-with-tz-and-vpc.vsdx) from our previous example to an OTM format:

startleft parse --diagram-type LUCID --default-mapping-file iriusrisk-lucid-aws-mapping.yaml --custom-mapping-file lucid-aws-with-tz-and-vpc.yaml --output-file lucidchart-cli-example.otm --project-name "Lucidchart CLI Imported Example" --project-id "lucidchart-cli-imported-example" lucid-aws-with-tz-and-vpc.vsdxParsing source files into OTM
Parsing diagram source files into OTM
Validating visio file
Loading schema file '/home/nick/.local/lib/python3.10/site-packages/slp_visio/resources/schemas/diagram_mapping_schema.json'
Mapping file size is valid
Mapping files are valid
Mapping files are valid
Mapping file size is valid
Mapping files are valid
Mapping files are valid
Mapping file size is valid
Loading mapping data
Loading mapping data
Loading schema file '/home/nick/.local/lib/python3.10/site-packages/otm/resources/schemas/otm_schema.json'
OTM file schema is valid
OTM file has consistent IDs
OTM file validated successfully
Writing OTM file to 'lucidchart-cli-example.otm'

In the previous command, we have used two YAML files as input:

• The default mapping file (iriusrisk-lucid-aws-mapping.yaml) can be found in our GitHub StartLef repository.
• The custom mapping file that we’ve used before (lucid-aws-with-tz-and-vpc.yaml) for the previous Postman HTTP Request to the Lucidchart endpoint.

As result we get the following OTM file:

‍

‍

Now we can go back to Postman and use the OTM API endpoint to upload this OTM file file to IriusRisk:

‍

And we’ll get the same threat model discussed in the previous section.

Conclusion

In this step-by-step tutorial we've seen how to automatically create a threat model in IriusRisk from a simple AWS architecture designed with Lucidchart. This could be used as a first step to create a CI/CD pipeline that automatically creates threat models from Lucidchart cloud architectures. We’ve followed two alternative courses of action to accomplish this task:

• The first one involves uploading the Lucidchart diagram directly to the IriusRisk API.
• The second one involves using the StartLeft CLI tool to convert the Lucidchart diagram to an Open Threat Model format (OTM) and then upload it to the IriusRisk API.

References

• IriusRisk Release 4.13: https://www.iriusrisk.com/resources-blog/product-update-release-4-13
• IriusRisk API Swaggerhub documentation: https://app.swaggerhub.com/apis/iriusrisk/IriusRisk/
• IriusRisk StartLeft GitHub project: https://github.com/iriusrisk/startleft
• Introduction to the Open Threat Model standard: https://www.iriusrisk.com/resources-blog/introduction-to-the-open-threat-model-standard
• Lucidchart: https://www.lucidchart.com

‍