Merak is a web-based threat analysis tool that aims to estimate a software system's asset threat landscape by leveraging external security data sources such as National Vulnerability Database, MITRE's ATT&CK, and the Canadian Centre for Cyber Security Alerts and Advisories.
Merak helps system architects, developers, evaluators, and certifiers evaluate the adequacy of security requirements and design decisions associated with each asset of their system. Merak does this by leveraging external data sources and machine learning techniques such as Natural Language Processing to analyze the provided requirements and design specifications and identify potential threats that the asset could face based on various external security data sources such as the National Vulnerability Database. Merak visualizes the findings from its analysis to help practitioners improve their security requirements and design decisions as relevant in their operational context.
For example, if the asset under consideration is a server, and external vulnerability data shows that certain server links are vulnerable to man- in-the-middle attacks, a new security requirement could be added indicating that those links need to be encrypted, if this requirement does not already exist.
The following research publication(s) relate to Merak.
The name Merak refers to the star Merak in the Ursa Major constellation. It is commonly referred to as a "pointer star" as it is helpful for finding Polaris, also known as the North Star. Compass offers a service called Polaris to evaluate a system's structural security posture guiding system architects and developers to design secure systems which is Compass's main objective (our north star).
Open-source
Apache 2.0
Javascript
Python
Joe Samuel
CyberSEA Lab (Carleton University)