Table of Contents
A person types on a laptop with a digital flowchart overlay, featuring interconnected rectangles and arrows. The scene conveys technology and data management.
Jorge Esperón
Jorge Esperón
|
Senior Security Architect
March 28, 2023

Lucidchart threat modeling workflow

Prerequisites

To achieve a Lucidchart threat modeling workflow, you're expected to have followed the previous step by step tutorial (Threat modeling workflow for AWS Cloudformation architectures using IriusRisk) to configure the IriusRisk API and the Postman API client so that they can speak to each other in a seamless way.
You should use the latest version of the IriusRisk API documentation published at SwaggerHub (1.20.0 at the current time).

Lucidchart defined architecture example

Lucidchart is a web-based diagramming and visual communication tool that allows users to create various types of diagrams, flowcharts, mind maps, wireframes, and other visual representations of ideas and concepts. With Lucidchart, you can also create diagrams and flowcharts to represent your IaC infrastructure, including its components, relationships, and dependencies. In this article we’ll explore Lucidchart’s ability as a cloud infrastructure diagramming tool.

On the 4.13.0 release, we’ve created a new endpoint for importing Lucidchart projects. This new API will let you use LucidChart diagrams exported as Visio VSDX files to quickly import and create a full IriusRisk threat model.

Follow this step by step tutorial to import a Lucidchart cloud architecture in IriusRisk as a hands-on example.

We’ll start creating a simple AWS cloud-based architecture in Lucidchart with the following elements:

  • 3 trust zones
  • Some AWS components with their data flows
  • A Custom VPC component used as a parent component.

This is how it looks in Lucidchart:

A threat model diagram in Lucidchart
Lucidchart

Lucidchart allow us to export this diagram to a Visio format (vsdx):

A threat model diagram in Visio
Diagram to visio format

You can also find this exported file in our StartLeft Github repository.

How to use Postman to automatically create a threat model in IriusRisk from a Lucidchart diagram

Now we can use Postman to upload this Lucidchart file to automatically create a new threat model in IriusRisk for this example AWS architecture. Here are the next three steps to take in order to accomplish this:

Step 1: Select the Lucidchart API endpoint

First, we need to click on the Lucidchart endpoint (POST/api/v1/products/lucid) in the Postman collection navigation tree. This API endpoint is intended to create a new IriusRisk project from a Lucidchart file (VSDX):

A list of IriusRisk APIs including Lucidchart
API

You can set the necessary parameters for this HTTP request in the Body submenu, as can be seen in the following figure:


Submenu of HTTP requests in IriusRisk
Parameters HTTP

Step 2: Set the API request parameters Now, it’s time to set the necessary HTTP body parameters:

  • source-file: (Required) File that contains the Lucidchart file.
  • product-id: (Required) Id of the new project in IriusRisk.
  • name: (Required) Name of the new project in IriusRisk.
  • mapping-file: (Optional) File that contains the mapping between generic shapes and IriusRisk components.

In previous ‘how-to’ tutorials for IaC importation processes, we didn’t provide an additional mapping file to keep the process simple. In this case, we’ll include our own YAML mapping file to extend the default relationships between Lucidchart shapes and IriusRisk components. This mapping file was adapted to fit trustzones and components that are used in the Lucidchart architecture.

This is how it looks:

lucid-aws-with-tz-and-vpc.yaml

trustzones:

- label:  Internet

   type:   internet

   id:     f0ba7722-39b6-4c81-8290-a30a248bb8d9

   

 - label:  Public Cloud

   type:   public-cloud

   id:     b61d6911-338d-46a8-9f39-8dcd24abfe91

   

 - label:  Private Secured Cloud

   type:   private-secured

   id:     2ab4effa-40b7-4cd2-ba81-8247d29a6f2d

components:

- label: Web browser

   type: generic-client

 - label: Android

   type: android-device-client

   

 - label: My DynamoDB

   type: dynamodb

   

 - label: Custom VPC

   type: empty-component


dataflows: []

Let’s go back to the HTTP body parameters. First, we’ll reference the mapping-file variable in the HTTP request with the YAML file that we’ve just shown (lucid-aws-with-tz-and-vpc.yaml). Next we select the previously exported Lucidchart file (lucid-aws-with-tz-and-vpc.vsdx) as the value of the source-file parameter in the API request. Finally, we set the product-id and name parameters that will be used to create a new project in IriusRisk. We can click on the "Save" button to persist this configuration.

This is how it looks in the HTTP POST request configuration right now:

HTTP post request in IriusRisk submenu

Step 3: Send the API request

We are almost ready to go. Just click on the "Send" button to actually shoot the HTTP request and create the new IriusRisk project from our Lucidchart template. If everything goes well, you'll receive a 201 HTTP code from the IriusRisk server and the following body response with some basic information about the newly generated project:

A block of code
HTTP

Review the generated threat model in IriusRisk

If you log in in the IriusRisk UI, you'll see that a new threat model was automatically created based on our Lucidchart template architecture:

The IriusRisk project dashboard
IriusRisk UI

This is what the IriusRisk diagram view looks like for the generated threat model:

A threat model diagram in IriusRisk
IriusRisk Diagram

To see the relevant threats and countermeasures for this simple architecture, you can go to the "Threats" section on the left pane:

A list of IriusRisk threats
Countermeasures iamge

To take a look at the recommended countermeasures, you should visit the “Countermeasures” section:

A list of IriusRisk countermeasures
Countermeasures image

How to use StartLeft in CLI mode to generate and OTM file from the Lucid file

StartLeft is an automation tool for generating threat models written in the Open Threat Model (OTM) format from a variety of different sources such as IaC files, diagrams or projects exported from Threat Modeling tools.
You can follow the quick start guide to install StartLeft in your system as a command-line interface (CLI) tool.
Once installed, you can execute the following command to convert the Lucidchart file (lucid-aws-with-tz-and-vpc.vsdx) from our previous example to an OTM format:

startleft parse --diagram-type LUCID --default-mapping-file iriusrisk-lucid-aws-mapping.yaml --custom-mapping-file lucid-aws-with-tz-and-vpc.yaml --output-file lucidchart-cli-example.otm --project-name "Lucidchart CLI Imported Example" --project-id "lucidchart-cli-imported-example" lucid-aws-with-tz-and-vpc.vsdxParsing source files into OTM
Parsing diagram source files into OTM
Validating visio file
Loading schema file '/home/nick/.local/lib/python3.10/site-packages/slp_visio/resources/schemas/diagram_mapping_schema.json'
Mapping file size is valid
Mapping files are valid
Mapping files are valid
Mapping file size is valid
Mapping files are valid
Mapping files are valid
Mapping file size is valid
Loading mapping data
Loading mapping data
Loading schema file '/home/nick/.local/lib/python3.10/site-packages/otm/resources/schemas/otm_schema.json'
OTM file schema is valid
OTM file has consistent IDs
OTM file validated successfully
Writing OTM file to 'lucidchart-cli-example.otm'

In the previous command, we have used two YAML files as input:

  • The default mapping file (iriusrisk-lucid-aws-mapping.yaml) can be found in our GitHub StartLef repository.
  • The custom mapping file that we’ve used before (lucid-aws-with-tz-and-vpc.yaml) for the previous Postman HTTP Request to the Lucidchart endpoint.

As result we get the following OTM file:

A block of code showing an OTM file
OTM File image

Now we can go back to Postman and use the OTM API endpoint to upload this OTM file file to IriusRisk:


An OTM API in Postman
OTM API image

And we’ll get the same threat model discussed in the previous section.

Conclusion

In this step-by-step tutorial we've seen how to automatically create a threat model in IriusRisk from a simple AWS architecture designed with Lucidchart. This could be used as a first step to create a CI/CD pipeline that automatically creates threat models from Lucidchart cloud architectures. We’ve followed two alternative courses of action to accomplish this task:

  • The first one involves uploading the Lucidchart diagram directly to the IriusRisk API.
  • The second one involves using the StartLeft CLI tool to convert the Lucidchart diagram to an Open Threat Model format (OTM) and then upload it to the IriusRisk API.

References

Logos of the European Union with text 'Funded by the European Union NextGenerationEU', the Spanish Government Ministry of Economic Affairs and Digital Transformation, red.es, and the Plan de Recuperación, Transformación y Resiliencia.

FAQs

keyboard_arrow_down

keyboard_arrow_down

keyboard_arrow_down

keyboard_arrow_down

keyboard_arrow_down
About the author...

Jorge Esperón

Senior Security Architect
IriusRisk
Jorge Esperón is a Senior Security Architect at IriusRisk, specializing in researching and threat modeling complex software architectures to derive essential security controls. With over 15 years of experience in application security and as a Certified Ethical Hacker (CEH), Jorge is an expert in the proactive adoption of Secure by Design practices. He focuses on scaling automated threat modeling for modern architectures, including CloudFormation and emerging AI/ML systems using frameworks like MAESTRO, to help security professionals efficiently secure applications before code is written.