Elevation of Privilege (EoP) is the easy way to get started and learn threat modeling. It is a card game that developers, architects or security experts can play.
The deployed version can be found here: https://elevation-of-privilege.herokuapp.com/
There are two components that need to be started in order to run the game.
- Server
- UI/Client
The server can be started using `npm run server`.
There are 3 koa apps that bind on the respective ports:
Application | Description | Environment Variable | Default |
---|---|---|---|
Server | The game server for boardgame, exposes socket.io endpoints | SERVER_PORT | 8000 |
Lobby API | Internal API for lobby operations, should not be exposed publicly | INTERNAL_API_PORT | 8002 |
Public API | Public API to create games and retrieve game info | API_PORT | 8001 |
The UI can be started using `npm run start`.

The UI can also be built and served statically; keep in mind that the port numbers are hard coded into the generated files at build time.
The docker image uses `supervisord` to run both the UI and the server in the same container. The UI is built and served using `nginx`, which is also used to proxy requests from `/api` to the public API.

`docker build . -t eop:latest`

`docker run --rm -it -p 8080:80 eop:latest`

This starts EoP on port 8080, accessible at http://localhost:8080/.
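As an added illustration (not the project's own nginx config), this is the shape of server block that matches the description above, assuming the default ports from the table and that the built UI lives under `/usr/share/nginx/html`. Only `/api` is proxied, and only to the public API; the lobby API on `INTERNAL_API_PORT` has no `location` block, so it stays reachable only inside the container.

```nginx
# Added example, not the project's own configuration.
# Assumed defaults: public API on 8001, lobby API on 8002 (never proxied).
server {
    listen 80;

    root /usr/share/nginx/html;   # assumed location of the built UI
    index index.html;

    # Static UI; unknown paths fall back to index.html for client-side routing.
    location / {
        try_files $uri $uri/ /index.html;
    }

    # Only the public API is exposed through the proxy.
    # There is deliberately no location for the lobby API (8002):
    # the container publishes port 80 only, so 8002 is not reachable from outside.
    location /api/ {
        proxy_pass http://127.0.0.1:8001/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

With `docker run -p 8080:80`, a request to `http://localhost:8080/api/...` reaches the public API, while `SERVER_PORT` and `INTERNAL_API_PORT` remain unpublished unless additional `-p` mappings are added.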
- Spectator mode
- UI fixes (optimizations, smaller screens)
- Upload an image instead of a model. Might need restructuring as we rely on diagram components + reporting would change
- Optimize the card sprite sheet (can look at SVGs)
- Improve test coverage, write tests for possible game states and moves
- Refactor and have reusable components
- Optimize component renders through `shouldComponentUpdate`
- Optimize docker image, currently using `ubuntu:latest`
- Write contributing guide
The game was originally invented by Adam Shostack at Microsoft. Adam's EoP whitepaper, which describes the motivation, experience and lessons learned in creating the game, can be downloaded.
This online version was created at Careem because a large number of our teams work remotely across several geographies, and we wanted to scale our method of teaching threat modeling to our engineering teams.
The game is built using boardgame.io, a framework for developing turn based games. The graphics, icons and card images used in this version were extracted from the original card game built by Microsoft.
Made with 💚 at Careem