Introduction

Components help the modeler re-use modeling objects. So far we have only used components briefly, when setting up the initial models while learning to use securiCAD. Now we will take a closer look at them. just like any other singular or “native” object but will add several objects to the model when used.

Using Components

As previously seen, securiCAD comes with a collection of already prepared standard components. They are found below the list of singular/native objects:

securiCAD Standard Components

 

Dragging each one of the components onto the canvas will only show one object each, the component’s main object. But since these objects already have additional objects connected to them, you can right-click on the object and use “Show All Connected Objects” to see what extra objects the component brought with it.

Show All Connected Objects

 

Objects directly connected to Windows database server.

 

Repeating this with the Oracle Database service, RDP and the AccessControl objects will show all objects connected to the Windows database server component.

 

Using components instead of basic objects is often more convenient when modeling. It is even recommended to create new components while building a model of an architecture, since hosts, networks, services and so on tend to be present in several parts of an architecture. Also, if you need to model an object that is similar to, but not exactly of the same type and set-up as, one you already have in the model, you can use a component for that, opening it up and making the necessary adjustments to it.

Creating Components

Components are made from native objects and can contain one or several such objects. Creating components while modeling might feel like extra work, but you will soon notice that after using a component just a few times you are already saving modeling effort. This section describes how components are created, using a step-by-step example that creates a few specialized software product objects and eventually a web server.

Custom Components Directory

To start with, we shall configure securiCAD so that it will know where we will store the custom components we create. Go to the Configuration menu item and select Objects.

 

Configuration – Objects

Click on “Browse” to select where we store our custom components. Since we do not have such a directory yet, please create it while selecting it.

 

And make sure it is selected.

Custom Components Selected

 

Now we have a new item next to the securiCAD components. This is where we will pick and use the components we shall create.

Our Custom Components in securiCAD

 

Each time you create an object or a sub-directory of the custom components folder, please go to Configuration-Objects and Save again to refresh the Components list in securiCAD.

Now we are set to start creating custom components.

Singular Object Components

To start with, we shall create a few single-object components. The point of creating a component with only one object is to set the object's defenses once, so that when the component is re-used we know the defenses are already adjusted. SoftwareProducts are one such case. Start by dropping a SoftwareProduct object onto the canvas and rename it to RHEL 7.2, for RedHat Enterprise Linux.

We also see that the defense settings are all default, as expected for a freshly added native object.

SoftwareProduct Default Defenses

 

Now, to make this SoftwareProduct reflect the situation of RedHat Enterprise Linux, adjust the defenses accordingly:

RedHat Enterprise Linux Defenses

 

The non-default defense here is “SecretSource”, which is set to “Off” since RedHat is based on open source code. Even though the rest of the defenses follow the current default settings, it is a good idea to set them explicitly to what we actually want, in case we later change the default settings.

Now it is time to save this SoftwareProduct as a component. While the object we want to make a component of is selected, go to File – Export – Export Component.

Export Component

 

We will be prompted for which object to export (in case several are selected). What we are actually choosing is which object shall be used as the top object of our component in the list of custom components in securiCAD.

Export Component Dialogue

 

Select the RHEL object and click OK to proceed.

Save Component

 

In the above example, we first located the custom components directory we previously created and pointed out. Then we created a sub-directory in that folder called “softwares”, and within it another sub-directory called “operatingSystems”. This way, the custom components will be organized by category in the custom components list.

RHEL72 Component

 

Each time you create an object or a sub-directory of the custom components folder, please go to Configuration-Objects and Save again to refresh the Components list in securiCAD.

Now we can pick out our component representing the RedHat Enterprise Linux version 7.2 from the list of custom components and use it in our model.

Please note that it is not recommended to let SoftwareProduct components be part of other components, since a SoftwareProduct object shall be shared between all objects based on the same type of software/software release. If SoftwareProduct components are included in other components, you will have an extra SoftwareProduct object for each one of them.

Composite Object Components

Now, we shall create a component consisting of several objects: a web server. Imagine a “web server” as a host with an operating system, an access control for administration, a data store, a service running at port 80 (which is also based on a particular piece of software and has an access control) and a service at port 22 enabling remote login. Finally, we consider this server to be put into production, which means that it shall have the “Hardened” defense set to On.

Start by creating a service called OpenSSH:

  1. Pick a Service object from the list of native objects and rename it to OpenSSH.
  2. Add an AccessControl object and connect it to the OpenSSH object. Rename it to “ssh login”.
  3. Add a UserAccount object and connect it to the “ssh login” object. Doing that, you will be prompted to choose between “Non-Root Authorization” and “Root Authorization”. Please choose the non-root alternative, since we imagine that root is not allowed to log in remotely; instead, a non-privileged user is required to log in and then present extra login credentials to become root.
  4. Add a Datastore object and label it /home to represent the user directories made available by the ssh service.
  5. Go through the defense settings of the objects we have added and adjust them where needed. For instance, the defense setting “NoDefaultPasswords” of the AccessControl should be set to On, since you are required to set a password when creating a user login (actually an operating system user).

Now, we shall have the following objects and connections on the canvas:

 

Objects of the OpenSSH Service

 

Now, to organize it a bit, please drag the UserAccount onto the AccessControl and the AccessControl and Datastore objects onto the Service object.

Then select the Service object we have labeled OpenSSH and select File – Export – Export Component to make a re-usable component of it, since it is quite possible that several hosts will be offering a similar remote login ssh service.

customComponents/services

 

Following the same procedure as above, we can create a component for a web service and then a host running both the ssh service and the http service.

To create the http service and make a component of it, use the following steps:

  1. Pick a Service object from the list of native objects and rename it to Apache.
  2. Add an AccessControl object and connect it to the Apache object. Rename it to “http login”.
  3. Add a UserAccount object and connect it to the “http login” object. Doing that, you will be prompted to choose between “Non-Root Authorization” and “Root Authorization”. Please choose the non-root alternative here as well.
  4. Add a WebApplication object to the Service object. A WebApplication object represents the applications run by the web service. For instance, the web application might be a CRM system or some other internal or external web portal, while the service here is the binary actually running on port 80/443, hosting the web application.
  5. Add a Datastore object to the WebApplication object and label it /var/www to represent the user directories made available by the http service.
  6. Add a WebApplicationFirewall object to the WebApplication object, if such functionality is present. A web application firewall is an add-on to the web application that tries to discover and block intrusion attempts such as malicious requests. If uncertain, you can add a WebApplicationFirewall object and set the defense “Enabled” to probability 0.5.
  7. Go through the defense settings of the objects we have added and adjust them where needed. Under the WebApplication you will find defense settings related to SQL injection, Remote File Inclusion, Developer Security Awareness and so on.

Next we shall create our “web server” with everything that comes with it:

  1. Pick a Host object from the list of native objects and rename it to Web Server.
  2. Add an AccessControl object and connect it to the Web Server object. Rename it to “OS login”.
  3. Add a UserAccount object and connect it to the “OS login” object. Doing that, you will be prompted to choose between “Non-Root Authorization” and “Root Authorization”. Please choose the root alternative here.
  4. Pick the Apache component from the components list and connect it to the host. When prompted for connection type, choose “Non-Root Application execution”.
  5. Pick the OpenSSH component from the components list and connect it to the host. When prompted for connection type, choose “Root Shell execution”.
  6. Go through the defense settings of the objects we have added and adjust them where needed, like changing the “Hardened” defense to On if we consider this server to be properly maintained and managed by the IT department.

We shall now have the following items on the canvas:

Web Server Objects

 

Now we can put the connected objects into each other and then export the Host object as a component.

Refresh the custom components folder by going to Configuration-Objects and Save again.

The Web Server Component

 

Sharing Components

Since components are actually securiCAD model files, stored in a directory we choose when using the program, the contents of that directory can be shared between users by simply sharing the component files/directories.

When sharing components, it might be helpful for other users if we take some time to add a “Note” to the object before exporting it as a component. Such a note might state what the purpose of the component is, what assumptions have been made and who created it, in case there are follow-up questions.

Component Note