Abstract: Systems and methods of generating a threat model from a code file are defined. The system includes one or more data stores communicatively coupled with a processor, and storing information on a plurality of properties to be configured for one or more resources included in the code file and a plurality of security threats associated with one or more values of the plurality of properties. The system analyzes the code file to identify one or more properties associated with the one or more resources included in the code file. For each property, a value for the property defined in the code file is identified, one or more security threats are determined based on the identified value for the property, using the information stored in the data stores. The system generates a threat model for the one or more resources based on the determined one or more security threats.

Abstract: Systems and methods of identifying over-privileged access in a computing system are disclosed. The method includes receiving configuration information for the computing system, selecting an identity that can access the computing system and determining access privileges for the selected identity using at least the received configuration information, the access privileges identifying one or more computing resource or service accessible to the selected identity, determining at least one role assumable by the identified one or more computing resource or service accessible to the selected identity, and determining whether the identified one or more computing resource or service accessible to the selected identity can elevate its privileges. In a case where it is determined that the identified one or more computing resource or service accessible to the selected identity can elevate its privileges, the method provides notification that the identity has over-privileged access to the computing system.

Abstract: Systems and methods of generating a threat model from a code file are defined. The system includes one or more data stores communicatively coupled with a processor, and storing information on a plurality of properties to be configured for one or more resources included in the code file and a plurality of security threats associated with one or more values of the plurality of properties. The system analyzes the code file to identify one or more properties associated with the one or more resources included in the code file. For each property, a value for the property defined in the code file is identified, one or more security threats are determined based on the identified value for the property, using the information stored in the data stores. The system generates a threat model for the one or more resources based on the determined one or more security threats.

Abstract: Systems and methods of identifying over-privileged access in a computing system are disclosed. The method includes receiving configuration information for the computing system, selecting an identity that can access the computing system and determining access privileges for the selected identity using at least the received configuration information, the access privileges identifying one or more computing resource or service accessible to the selected identity, determining at least one role assumable by the identified one or more computing resource or service accessible to the selected identity, and determining whether the identified one or more computing resource or service accessible to the selected identity can elevate its privileges. In a case where it is determined that the identified one or more computing resource or service accessible to the selected identity can elevate its privileges, the method provides notification that the identity has over-privileged access to the computing system.

Abstract: Systems and methods of generating a threat model from a code file are defined. The system includes one or more data stores communicatively coupled with a processor, and storing information on a plurality of properties to be configured for one or more resources included in the code file and a plurality of security threats associated with one or more values of the plurality of properties. The system analyzes the code file to identify one or more properties associated with the one or more resources included in the code file. For each property, a value for the property defined in the code file is identified, one or more security threats are determined based on the identified value for the property, using the information stored in the data stores. The system generates a threat model for the one or more resources based on the determined one or more security threats.

Abstract: Systems and methods of generating a threat model from a code file are defined. The system includes one or more data stores communicatively coupled with a processor, and storing information on a plurality of properties to be configured for one or more resources included in the code file and a plurality of security threats associated with one or more values of the plurality of properties. The system analyzes the code file to identify one or more properties associated with the one or more resources included in the code file. For each property, a value for the property defined in the code file is identified, one or more security threats are determined based on the identified value for the property, using the information stored in the data stores. The system generates a threat model for the one or more resources based on the determined one or more security threats.

Abstract: Automated diagram import methods include providing one or more servers and one or more data stores communicatively coupled with the server(s). The data store(s) may include a plurality of computing environment assets and a plurality of connections between the assets. The method may include receiving a digital image of the hand drawn diagram and identifying a plurality of shapes and one or more links in the received digital image. The method further includes, for each component, identifying a text label for the component and classifying the component as an asset. The method further includes, for each link, determining a text label for the link and identifying two components connected by the link. The method may also include generating a diagram and displaying the diagram on a user interface. Automated hand drawn diagram import systems include systems configured to carry out automated importing of the hand drawn diagram.

Abstract: Automated diagram import methods include providing one or more servers and one or more data stores communicatively coupled with the server(s). The data store(s) may include a plurality of computing environment assets and a plurality of connections between the assets. The method may include receiving a digital image of the hand drawn diagram and identifying a plurality of shapes and one or more links in the received digital image. The method further includes, for each component, identifying a text label for the component and classifying the component as an asset. The method further includes, for each link, determining a text label for the link and identifying two components connected by the link. The method may also include generating a diagram and displaying the diagram on a user interface. Automated hand drawn diagram import systems include systems configured to carry out automated importing of the hand drawn diagram.

Abstract: Systems and methods of identifying over-privileged access in a computing system are disclosed. The method includes receiving configuration information for the computing system, selecting an identity that can access the computing system and determining access privileges for the selected identity using at least the received configuration information, the access privileges identifying one or more computing resource or service accessible to the selected identity, determining at least one role assumable by the identified one or more computing resource or service accessible to the selected identity, and determining whether the identified one or more computing resource or service accessible to the selected identity can elevate its privileges. In a case where it is determined that the identified one or more computing resource or service accessible to the selected identity can elevate its privileges, the method provides notification that the identity has over-privileged access to the computing system.