The latest articles on DEV Community by Moshood Adekunle (@sirtreggy). https://dev.to/sirtreggy https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F318540%2F4b91b6cb-e2e5-486a-a5a7-f4a208cf6a0d.jpg https://dev.to/sirtreggy en Moshood Adekunle Fri, 24 Jan 2025 17:59:29 +0000 https://dev.to/sirtreggy/a-developers-guide-to-pytm-2e91 https://dev.to/sirtreggy/a-developers-guide-to-pytm-2e91 <p>When I began my dissertation on securing pharmaceutical cold chain systems, I faced a common developer’s dilemma: how to approach security in a way that felt practical and aligned with my coding expertise. Traditional threat modeling tools felt cumbersome and disconnected from the iterative, hands-on process I was accustomed to. That changed when I discovered PyTM, a Python-based framework for threat modeling. </p> <p>PyTM stood out immediately; its code-like structure made it intuitive to use, even for someone new to formal threat modeling. It allowed me to systematically identify and address security risks in my cold chain research without the overhead of complex methodologies. What started as a dissertation tool quickly became a valuable resource for other projects, thanks to its flexibility and ease of use. </p> <h2> What is Threat Modeling </h2> <p>Threat modeling is the process of identifying potential security risks in your application before they become problems. It’s like a blueprint for security, helping you anticipate vulnerabilities and plan defenses early in the development process. However, many developers skip this step because traditional tools can feel cumbersome or overly complex.</p> <p>This is where PyTM stands out. Built in Python, it integrates seamlessly into your existing workflow, making threat modeling accessible without sacrificing depth. Whether you’re building a small web app or a large-scale system, PyTM provides a structured way to think about security from the ground up.</p> <h2> Threat Modeling a Blog Application </h2> <p>Let’s apply PyTM to a simple blog application. This app has a few key components:</p> <p><strong>Users</strong>: Can read posts and leave comments.</p> <p><strong>Admin</strong>: Can create, edit, and delete posts.</p> <p><strong>Database</strong>: Stores posts, comments, and user data.</p> <p><strong>Web</strong> <strong>Server</strong>: Hosts the blog and serves content.</p> <p><strong>Communication</strong>: HTTP/HTTPS requests between the browser and server.</p> <p>First, install PyTM using pip:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>pip install pytm sudo apt install graphviz plantuml </code></pre> </div> <h2> Key Components in PyTM </h2> <ul> <li> <strong>Threat Model (TM)</strong> The overarching container for your threat modeling exercise. It represents the entire system you’re analyzing. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="kn">from</span> <span class="n">pytm</span> <span class="kn">import</span> <span class="n">TM</span> <span class="n">tm</span> <span class="o">=</span> <span class="nc">TM</span><span class="p">(</span><span class="sh">"</span><span class="s">Blog Application Threat Model</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <ul> <li> <strong>Boundary</strong> A boundary defines a logical or physical perimeter within which components operate. For example, the internet, an internal network, or a trusted zone. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="kn">from</span> <span class="n">pytm</span> <span class="kn">import</span> <span class="n">Boundary</span> <span class="n">internet</span> <span class="o">=</span> <span class="nc">Boundary</span><span class="p">(</span><span class="sh">"</span><span class="s">Internet</span><span class="sh">"</span><span class="p">)</span> <span class="n">internal_network</span> <span class="o">=</span> <span class="nc">Boundary</span><span class="p">(</span><span class="sh">"</span><span class="s">Internal Network</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <ul> <li> <strong>Actor</strong> Actors represent entities that interact with your system. These can be users, administrators, or external systems. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="kn">from</span> <span class="n">pytm</span> <span class="kn">import</span> <span class="n">Actor</span> <span class="n">user</span> <span class="o">=</span> <span class="nc">Actor</span><span class="p">(</span><span class="sh">"</span><span class="s">User</span><span class="sh">"</span><span class="p">)</span> <span class="n">admin</span> <span class="o">=</span> <span class="nc">Actor</span><span class="p">(</span><span class="sh">"</span><span class="s">Admin</span><span class="sh">"</span><span class="p">,</span> <span class="n">is_admin</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> </code></pre> </div> <ul> <li> <strong>Server</strong> A server represents a component that processes requests and serves data. In a blog application, this could be the web server hosting the blog. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="kn">from</span> <span class="n">pytm</span> <span class="kn">import</span> <span class="n">Server</span> <span class="n">web_server</span> <span class="o">=</span> <span class="nc">Server</span><span class="p">(</span><span class="sh">"</span><span class="s">Web Server</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <ul> <li> <strong>Datastore</strong> A datastore represents a component that stores data, such as a database or file system. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="kn">from</span> <span class="n">pytm</span> <span class="kn">import</span> <span class="n">Datastore</span> <span class="n">database</span> <span class="o">=</span> <span class="nc">Datastore</span><span class="p">(</span><span class="sh">"</span><span class="s">Database</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <ul> <li> <strong>Dataflow</strong> Dataflows represent the movement of data between components. They are critical for identifying where threats might occur. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="kn">from</span> <span class="n">pytm</span> <span class="kn">import</span> <span class="n">Dataflow</span> <span class="n">user_to_web_server</span> <span class="o">=</span> <span class="nc">Dataflow</span><span class="p">(</span><span class="n">user</span><span class="p">,</span> <span class="n">web_server</span><span class="p">,</span> <span class="sh">"</span><span class="s">View Blog Post</span><span class="sh">"</span><span class="p">)</span> <span class="n">admin_to_web_server</span> <span class="o">=</span> <span class="nc">Dataflow</span><span class="p">(</span><span class="n">admin</span><span class="p">,</span> <span class="n">web_server</span><span class="p">,</span> <span class="sh">"</span><span class="s">Manage Blog Post</span><span class="sh">"</span><span class="p">)</span> <span class="n">web_server_to_database</span> <span class="o">=</span> <span class="nc">Dataflow</span><span class="p">(</span><span class="n">web_server</span><span class="p">,</span> <span class="n">database</span><span class="p">,</span> <span class="sh">"</span><span class="s">Save or Retrieve Data</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Server interacts with the database </span></code></pre> </div> <ul> <li> <strong>Threats</strong> Threats are potential security risks associated with a data flow. For example, a man-in-the-middle attack or SQL injection. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="n">user_to_web_server</span><span class="p">.</span><span class="n">threats</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">Man-in-the-middle attack</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Unauthorized access</span><span class="sh">"</span><span class="p">]</span> <span class="n">admin_to_web_server</span><span class="p">.</span><span class="n">threats</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">Brute force login</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Privilege escalation</span><span class="sh">"</span><span class="p">]</span> <span class="n">web_server_to_database</span><span class="p">.</span><span class="n">threats</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">SQL Injection</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Data exfiltration</span><span class="sh">"</span><span class="p">]</span> </code></pre> </div> <ul> <li> <strong>Controls</strong> Controls are mitigations or countermeasures to address identified threats. For example, using HTTPS to prevent man-in-the-middle attacks. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="n">user_to_web_server</span><span class="p">.</span><span class="n">controls</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">HTTPS</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Web Application Firewall (WAF)</span><span class="sh">"</span><span class="p">]</span> <span class="n">admin_to_web_server</span><span class="p">.</span><span class="n">controls</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">CAPTCHA</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Account Lockout</span><span class="sh">"</span><span class="p">]</span> <span class="n">web_server_to_database</span><span class="p">.</span><span class="n">controls</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">Parameterized Queries</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Input Validation</span><span class="sh">"</span><span class="p">]</span> </code></pre> </div> <h3> Putting It All Together </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">pytm</span> <span class="kn">import</span> <span class="n">TM</span><span class="p">,</span> <span class="n">Actor</span><span class="p">,</span> <span class="n">Server</span><span class="p">,</span> <span class="n">Dataflow</span><span class="p">,</span> <span class="n">Datastore</span><span class="p">,</span> <span class="n">Boundary</span> <span class="n">tm</span> <span class="o">=</span> <span class="nc">TM</span><span class="p">(</span><span class="sh">"</span><span class="s">Blog Application Threat Model</span><span class="sh">"</span><span class="p">)</span> <span class="n">internet</span> <span class="o">=</span> <span class="nc">Boundary</span><span class="p">(</span><span class="sh">"</span><span class="s">Internet</span><span class="sh">"</span><span class="p">)</span> <span class="n">user</span> <span class="o">=</span> <span class="nc">Actor</span><span class="p">(</span><span class="sh">"</span><span class="s">User</span><span class="sh">"</span><span class="p">)</span> <span class="n">admin</span> <span class="o">=</span> <span class="nc">Actor</span><span class="p">(</span><span class="sh">"</span><span class="s">Admin</span><span class="sh">"</span><span class="p">,</span> <span class="n">is_admin</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">web_server</span> <span class="o">=</span> <span class="nc">Server</span><span class="p">(</span><span class="sh">"</span><span class="s">Web Server</span><span class="sh">"</span><span class="p">)</span> <span class="n">database</span> <span class="o">=</span> <span class="nc">Datastore</span><span class="p">(</span><span class="sh">"</span><span class="s">Database</span><span class="sh">"</span><span class="p">)</span> <span class="n">user_to_web_server</span> <span class="o">=</span> <span class="nc">Dataflow</span><span class="p">(</span><span class="n">user</span><span class="p">,</span> <span class="n">web_server</span><span class="p">,</span> <span class="sh">"</span><span class="s">View Blog Post</span><span class="sh">"</span><span class="p">)</span> <span class="n">admin_to_web_server</span> <span class="o">=</span> <span class="nc">Dataflow</span><span class="p">(</span><span class="n">admin</span><span class="p">,</span> <span class="n">web_server</span><span class="p">,</span> <span class="sh">"</span><span class="s">Manage Blog Post</span><span class="sh">"</span><span class="p">)</span> <span class="n">web_server_to_database</span> <span class="o">=</span> <span class="nc">Dataflow</span><span class="p">(</span><span class="n">web_server</span><span class="p">,</span> <span class="n">database</span><span class="p">,</span> <span class="sh">"</span><span class="s">Save or Retrieve Data</span><span class="sh">"</span><span class="p">)</span> <span class="n">web_server</span><span class="p">.</span><span class="n">inBoundary</span> <span class="o">=</span> <span class="n">internet</span> <span class="n">database</span><span class="p">.</span><span class="n">inBoundary</span> <span class="o">=</span> <span class="n">internet</span> <span class="n">user_to_web_server</span><span class="p">.</span><span class="n">threats</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">Man-in-the-middle attack</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Unauthorized access</span><span class="sh">"</span><span class="p">]</span> <span class="n">admin_to_web_server</span><span class="p">.</span><span class="n">threats</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">Brute force login</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Privilege escalation</span><span class="sh">"</span><span class="p">]</span> <span class="n">web_server_to_database</span><span class="p">.</span><span class="n">threats</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">SQL Injection</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Data exfiltration</span><span class="sh">"</span><span class="p">]</span> <span class="n">user_to_web_server</span><span class="p">.</span><span class="n">controls</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">HTTPS</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Web Application Firewall (WAF)</span><span class="sh">"</span><span class="p">]</span> <span class="n">admin_to_web_server</span><span class="p">.</span><span class="n">controls</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">CAPTCHA</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Account Lockout</span><span class="sh">"</span><span class="p">]</span> <span class="n">web_server_to_database</span><span class="p">.</span><span class="n">controls</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">Parameterized Queries</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Input Validation</span><span class="sh">"</span><span class="p">]</span> <span class="n">tm</span><span class="p">.</span><span class="nf">process</span><span class="p">()</span> </code></pre> </div> <p>When you run the script, PyTM generates a summary of the identified threats and their corresponding mitigations. For example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> python3 model.py --dfd | dot -Tpng -o model-dfd.png </code></pre> </div> <p>returns a dataflow diagram of the threat model</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flfn5an1znc1yju4m75ko.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flfn5an1znc1yju4m75ko.png" alt="Image description" width="345" height="419"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>python3 model.py --seq | plantuml -tpng -pipe &gt; model-seq.png </code></pre> </div> <p>returns a sequence diagram of the threat model.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuqoho8cideav1vmd0dt0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuqoho8cideav1vmd0dt0.png" alt="Image description" width="424" height="279"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>wget https://raw.githubusercontent.com/izar/pytm/master/docs/basic_template.md python3 model.py --report basic_template.md &gt; model-report.md </code></pre> </div> <p>returns a generated textual report of the identified threats and the security controls applied to mitigate them.</p> <h3> Conclusion </h3> <p>In my experience with PyTM, both in academic and professional settings, it has been an invaluable tool for simplifying threat modeling. I initially used it for my dissertation on a complex system and quickly saw its benefits in real-world applications, like securing a simple blog. PyTM makes it easy to define components, identify threats, and apply security controls with minimal effort, while generating detailed reports, sequence diagrams, and data flow diagrams.</p> <p>Overall, PyTM transforms threat modeling from a complex task into an accessible, efficient, and powerful practice that enhances security in any application.</p> python cybersecurity security coding