-
Notifications
You must be signed in to change notification settings - Fork 0
Glossary
This page defines TMI-specific terms and concepts used throughout the application and documentation.
A comprehensive document that identifies, analyzes, and documents potential security threats to a system or application. In TMI, a threat model contains diagrams, threat assessments, and recommendations for risk mitigation.
A visual representation of how data moves through a system. DFDs show processes, data stores, actors (external entities), and the data flows between them. The foundation for threat identification.
A component within a Data Flow Diagram. Types include:
- Process - Application or service that processes data
- Data Store - Database, cache, or file system
- Actor - External entity or user
- Inter-Trust Boundary - Security boundary between elements
A connection between elements showing the movement of data. Data flows are analyzed for security threats.
A potential security risk or vulnerability identified in a threat model. Threats include attack vectors, security weaknesses, and possible exploitation paths.
A structured methodology for identifying threats. Supported frameworks:
- STRIDE - Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege
- CIA - Confidentiality, Integrity, Availability
The process of determining what authenticated users are allowed to do. TMI implements role-based authorization.
A permission level assigned to users for specific objects:
- Owner - Full read/write/delete permissions; can change authorization and ownership
- Writer - Read and write permissions; cannot delete or change authorization
- Reader - Read-only access; cannot modify or delete
A specific capability granted by a role:
- Read - View object and its contents
- Write - Modify object properties and content
- Delete - Remove object permanently
- Share - Change authorization and ownership
The user designated as the object's owner. The owner field takes absolute precedence over the authorization list and automatically grants owner-level permissions regardless of other authorization entries.
A list of subjects (users or groups) and their assigned roles for an object. Different from the owner field; doesn't provide owner-level permissions.
A special group identifier with predefined behavior. The "everyone" pseudo-group grants access to all authenticated users, regardless of their identity provider.
An entity (user or group) referenced in authorization:
- user - Individual user identified by email or username
- group - Collection of users from an identity provider
An external service that authenticates users and provides identity information:
- Google - Google Workspace accounts
- GitHub - GitHub user accounts
- Microsoft - Azure AD and Microsoft 365 accounts
- SAML - Custom SAML 2.0 providers
- test - Built-in test provider for development
HTTP-based API for programmatic access to threat models, diagrams, and threats. Follows RESTful principles with JSON payloads.
Real-time bidirectional communication protocol enabling collaborative diagram editing. Used for live updates when multiple users edit simultaneously.
Industry-standard authentication protocol. TMI uses OAuth for secure authentication with external identity providers.
A cryptographically signed token representing an authenticated user. Used to authorize API requests.
Specification format for documenting REST APIs. TMI's REST API is fully documented in OpenAPI 3.0.3.
Specification format for documenting asynchronous message protocols. TMI's WebSocket protocol is documented in AsyncAPI.
A sequence of API calls representing a common integration pattern (e.g., creating a threat model, adding diagrams, identifying threats).
Relational database storing persistent threat model data including models, diagrams, threats, and user information.
In-memory cache and message broker providing:
- Real-time WebSocket connection management
- Edit lock coordination for concurrent editing
- Session cache
- Temporary data storage
The structure of database tables and their relationships. Includes tables for threat models, diagrams, threats, users, authorization, and metadata.
Settings that control TMI server behavior at runtime:
- Server settings (port, interface, timeouts)
- Database credentials
- Authentication settings
- TLS/HTTPS configuration
A deployment context:
- Development - Local development with relaxed security
- Staging - Production-like environment for testing
- Production - Live environment serving users
A lightweight, isolated execution environment for applications. TMI components (server, PostgreSQL, Redis) run in Docker containers.
Open-source container vulnerability scanner from Anchore. Scans container images for CVEs and generates reports in multiple formats (SARIF, JSON, table). Part of the Anchore toolchain alongside Syft (SBOM generation).
Encryption protocol for securing network communication. Required for production deployments.
Sensitive configuration values including passwords, API keys, and OAuth credentials. Should never be committed to version control.
Multiple users simultaneously editing a diagram with automatic synchronization via WebSocket.
Mechanism preventing conflicting edits when multiple users modify the same diagram element. Managed through Redis.
Real-time notification to all connected clients when a diagram is modified.
Custom key-value pairs attached to threat models, diagrams, threats, and elements. Enables extension without schema changes.
User-defined attributes stored as metadata, such as:
- Risk ratings
- Mitigation status
- Owner assignments
- Compliance references
A unique identifier for a publicly disclosed security vulnerability. Example: CVE-2023-12345
A numerical rating (0-10) representing vulnerability severity. Used to prioritize patching.
A security weakness that could be exploited by attackers.
A software update that fixes a vulnerability or bug.
Security model restricting system access based on user roles.
Security principle granting users only the minimum permissions needed to perform their tasks.
Record of user actions for security monitoring and compliance.
- Security-Best-Practices - Security terminology and concepts
- API-Specifications - API-related terms
- Configuration-Reference - Configuration-related terms
- Authorization Reference - Detailed authorization rules
- Using TMI for Threat Modeling
- Accessing TMI
- Creating Your First Threat Model
- Understanding the User Interface
- Working with Data Flow Diagrams
- Managing Threats
- Collaborative Threat Modeling
- Using Notes and Documentation
- Metadata and Extensions
- Planning Your Deployment
- Deploying TMI Server
- OCI Container Deployment
- Terraform Deployment
- Certificate Automation
- Deploying TMI Web Application
- Setting Up Authentication
- Database Setup
- Component Integration
- Post-Deployment
- Monitoring and Health
- Cloud Logging
- Database Operations
- Security Operations
- Performance and Scaling
- Maintenance Tasks