renatoalmeidaoliveira/nbrisk

A way to attach risks to specific models ?

Closed this issue · 4 comments

Is there a way to add a risk and control to a specific device/vm/platform/device type and maybe even location etc?

I tried to follow the NIST process, so to tie a Risk/Control to a model, you need to:

  • Create a Vulnerability,
  • Assign the Vulnerability to the model,
  • Create a Threat Event assigning the Vulnerability associations to it
  • Create the Risk linked to that Threat Event
  • Create the Control linked to that risk

Doing that, the Control View and the Risk View bring the models.
It's possible to bring this data to the Model View too, but it requires some changes in the plugin.

Now, if you want to assign vulnerabilities to different types of models, like the Location, just add a configuration like this in configuration.py:

PLUGINS_CONFIG = {
    'nb_risk': {
        'additional_assets': [
            'dcim.location',
        ],
    },
}
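
The chain described in the reply above, sketched in memory as an added example (not code from the plugin or its author); every class, field and sample name here is an assumption. It shows the forward walk from a Risk to its assets and the reverse lookup a per-model view would need.

```python
from dataclasses import dataclass, field

# Hypothetical in-memory stand-ins; these are not nb_risk's model classes.
@dataclass(frozen=True)
class Asset:
    model: str  # "app_label.model", the format used in 'additional_assets'
    name: str

@dataclass
class Vulnerability:
    name: str
    assets: list = field(default_factory=list)  # step 2: assignments

@dataclass
class ThreatEvent:
    name: str
    vulnerabilities: list  # step 3

@dataclass
class Risk:
    name: str
    threat_event: ThreatEvent  # step 4

@dataclass
class Control:
    name: str
    risk: Risk  # step 5

def assets_for_risk(risk):
    """Forward walk: Risk -> Threat Event -> Vulnerabilities -> assets."""
    found = []
    for vuln in risk.threat_event.vulnerabilities:
        for asset in vuln.assets:
            if asset not in found:
                found.append(asset)
    return found

def controls_for_asset(asset, controls):
    """Reverse walk: the lookup a per-asset (model) view would need."""
    return [c.name for c in controls if asset in assets_for_risk(c.risk)]

def build_sample():
    """Constructed sample data: one device and one location."""
    router = Asset("dcim.device", "edge-router-01")
    site = Asset("dcim.location", "dc-west")
    firmware = Vulnerability("Outdated firmware", [router])
    door = Vulnerability("Unmonitored rack room", [site, router])
    remote = Risk("Remote compromise", ThreatEvent("Firmware exploited", [firmware]))
    physical = Risk("Physical tampering", ThreatEvent("Unauthorized entry", [door]))
    controls = [Control("Patch schedule", remote), Control("Badge access", physical)]
    return router, site, controls
```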

Sorry I was a touch premature with my issue.
I was, however, looking to see if we could simplify the risk/controls slightly by just attaching the risk to a device and a control to the risk, as we don't strictly follow NIST. This would mean you wouldn't need a vulnerability/event populated.

This would make more generic risks easier to apply/manage, as opposed to something fairly specific.

I'm sorry, but I can't do that. It would require me to make changes to the risk/vulnerability models, which could have unintended consequences.