DEV Community

mgbec for AWS Community Builders

Posted on • Originally published at Medium on

Are You Threatening Me? Using Amazon Q Developer to Jumpstart Your Threat Modeling Process

Amazon Q Developer is a quick and easy way to set up threat modeling from the command line. I started from scratch and in less than 10 minutes I had a fully functional Python program that scanned architectural diagrams and spit out threat modeling and risk information. My favorite part of the whole process is how quickly you can add new features and fix errors.

Install: I started out by installing Q Developer in Visual Studio Code — Using Amazon Q Developer in the IDE — Amazon Q Developer. There are also plenty of options to run it strictly as command line — see directions for Using Amazon Q Developer on the command line — Amazon Q Developer. I chose the link to install from the Visual Studio Marketplace.

Sign In: After a very quick install, you are asked to sign in with either your AWS Builder ID or your organization’s SSO. You can sign up for a Builder ID to use the free tier of Q Developer — Getting started with a personal account (Builder ID) — Amazon Q Developer.

Prompt : So far, so easy, right? Q Developer greets you and summarizes some of the things you can do. You can also select a different model to use in the dropdown at the bottom of the chat window. I used Claude Sonnet 3.7.

This was my first prompt to Q Developer:

“can you create a Python based program that can ingest architectural diagrams and produce threat modeling and risk assessment information for those diagrams. Please make sure documentation, logging, and error handling is included”

Watch and give permissions: Yeah, it’s that simple. Q Developer came up with a plan and asked me to give permissions to create a new directory.

Look at results: in less than five minutes, Q produced the code, complete with documentation, logging and error handling. You are given the implementation details, and a command to run your new threat modeling program.

Run the Program: I created a Python virtual environment and installed the requirements in my threat modeling program directory. Q Developer had already created a requirements.txt file for easy installation.

python -m venv venv
venv\Scripts\activate.ps1
pip3 install -r requirements.txt

Adjust: I did run into an error with pdf generation for the report. My next prompt to Q was “I am getting this error ERROR — Error generating PDF report: ‘latin-1’ codec can’t encode character ‘\u2022’ in position 1527: ordinal not in range(256).”

I actually was a little excited that the error handling Q Developer put in place went well here. I still received a threat modeling report, just in markdown, not pdf.

Q Developer then explained and fixed the error.

My next command line run worked flawlessly and produced a pdf report.
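The post does not show how Q Developer fixed the ‘latin-1’ error, so here is an added example (not the generated program’s code) of one way to handle that failure mode. It assumes, as the error message suggests, that the PDF library’s built-in core fonts only cover latin-1, and it keeps the markdown fallback the post describes when a PDF still cannot be produced.

```python
# Added example, not from the post's generated program. Assumption: the PDF
# report is written with a library whose built-in core fonts only cover
# latin-1, so any other character (such as the U+2022 bullet that markdown
# lists leave behind) raises UnicodeEncodeError during PDF generation.
import logging

logging.basicConfig(level=logging.INFO,
                    format="%(asctime)s - %(levelname)s - %(message)s")
log = logging.getLogger("arch_threat_modeler")

# Typographic characters that commonly appear in markdown-derived report text
# but are not representable in latin-1, with plain-ASCII stand-ins.
LATIN1_SAFE = {
    "\u2022": "-",    # bullet
    "\u2013": "-",    # en dash
    "\u2014": "--",   # em dash
    "\u2018": "'", "\u2019": "'",    # curly single quotes
    "\u201c": '"', "\u201d": '"',    # curly double quotes
    "\u2026": "...",  # ellipsis
    "\u2192": "->",   # arrow, common in data-flow descriptions
}


def to_latin1_safe(text: str, strict: bool = True) -> str:
    """Map known typographic characters to latin-1-safe text.

    strict=True raises UnicodeEncodeError if anything unmappable remains, so
    the caller's error handling decides what to do; strict=False replaces
    leftovers with '?' instead of failing.
    """
    out = "".join(LATIN1_SAFE.get(ch, ch) for ch in text)
    if strict:
        out.encode("latin-1")  # same check the core font would fail on
        return out
    return out.encode("latin-1", errors="replace").decode("latin-1")


def render_report(body: str, fmt: str = "pdf") -> tuple[str, str]:
    """Return (format actually used, report text), falling back to markdown."""
    if fmt != "pdf":
        return "markdown", body
    try:
        return "pdf", to_latin1_safe(body)
    except UnicodeEncodeError as exc:
        # Same outcome the post describes: log it, still deliver a report.
        log.error("Error generating PDF report: %s", exc)
        return "markdown", body


if __name__ == "__main__":  # constructed sample input
    print(render_report("\u2022 Threat: SQL injection \u2192 DB", "pdf"))
```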

Ask for more: we always want more, right? I asked for more threats to be reported on:

Q Developer suggested a number of ways to build in additional threat information and explained the information that was added to my program:

Test: Now I tested more architectural diagrams and kept running them on the command line. For example:

arch_threat_modeler> python main.py ./GameProduction.png --output reportgameproduction.pdf --format pdf --threat-db custom_threats.json --verbose

The program was producing pdfs instantaneously! Oh my!

The pdfs produced are not fancy, but I’m sure we could definitely improve our workflow to make them prettier. We get an executive summary followed by identified threats, risk score, and mitigations.

So, all in all, a nice start to threat modeling, with the code written in under ten minutes. Thanks, Amazon Q Developer! Code available here: mgbec/moreThreatModeling (Amazon Q developer wrote this).

If you would like to read about my experiences with Q CLI: https://dev.to/aws-builders/part-2-are-you-threatening-me-using-aws-q-cli-for-your-threat-modeling-program-42oj
