secsimon / ttm Goto Github PK

It would be great to have one or two more colors to show:

• that a requirement is not applicable (e.g. grayed out)
• that a requirement is fulfilled by the the system integration (e.g. yellow, blue)

It would be great to be able to multi-select attack scenarios and countermeasures to be able to delete them faster.

Not yet sure how this is produced, but on two different devices the application has a memory leak that can exhaust CPU and RAM of the host.

Currently, the IEC 62443-4-2 form is not exported. It would be great to have it in the report.

Currently, the discoverability of keyboard shortcuts is rather limited. It would be nice to have an overview page (maybe per view if functionalities differ) that is easily accessible and discoverable.

For making collaboration without committing to Github (which might not be possible due to legal or contracting reasons), it would be nice if the savestate was changed as following:

• Prettify JSON
  This would greatly help when merging savestates. Currently, savestates do not really use lines. This is something that can be achieved using tools such as sed, but since large states of several MB are not easy to check for errors and consistency, this is something the user really wants to avoid. If the state used multiple lines, it would be much easier to diff states

• Do not use escapes for ". Currently, the savestate uses escapes for " Because of this, tools that are able to prettify, e.g. jq cannot do their magic. Therefore, another tactic would be to remove escapes so that the JSON is prettifiable.

Sometimes when I want to add an attack scenario, the button is grayed out and I have no clue why.
It would be great to know what should be done to allow adding the countermeasure.

When the user draws a data flow, but later realizes, that the data flow is pointing in the wrong direction, it seems the only available option is to delete and redraw the data flow (apart from a cosmetic change of arrow direction).

It would be more convenient to allow swapping the direction. If the process of doing so would change or remove related data, a popup should notify the user about the changes triggered by the swap.

The Threat sources can not be added to the corresponding attack sceanarios as a drop down option which can be used for the risk assessment.

When editing attack scenarios and selecting a threat source in the modal, the threat source is not shown (but modifies the risk calculation)

It would be nice to be able create groups for apps (those directly above the DFDs). Furthermore, it would be great to have drag & drop.

Change in the risk view drop down leads to a deleted field in the attack scenario view which results in error generating report. Screenshot the severity was changed and the attack scenario was opened afterwards.

For models with high complexity, it would be helpful to have a search function for the selection of system threats within the "Edit Attack Scenario" modal.
This would save the user quite some time.

It would add to usability to be able to use arrow keys on the selected countermeasures and attack scenarios to go up and down in the list.

I suspect that the application is running single-threaded.
It would be nice if it could use multi-core.

It would be really nice to be able to pre-define system threats via the configuration and allow to import them list-wise to a project.
E.g. BSI threat catalogue as a list

list all dependencies for npm would be helpful

It would be nice if the data flow diagram would allow elements to stick to grid lines when moving them around (allow to turn behavior on/off).
This would make it easier to draw decent diagrams.

In some cases multiple connections can be susceptible to the same attack scenario a possibility to select several targets for an attack scenario would be good to have. This is already the case for several targets in the counter measures.
An alternative could be to copy the attack scenario in a bulk edit to apply it to multiple targets in the same diagram.