├── LICENSE
├── README.md
└── icons
    ├── arrow.png
    ├── cylinder-256.png
    ├── rectangle.png
    └── rounded-rectangle.png

/LICENSE:
--------------------------------------------------------------------------------
BSD 2-Clause License

Copyright (c) 2017, Adam
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this
  list of conditions and the following disclaimer.

* Redistributions in binary form must reproduce the above copyright notice,
  this list of conditions and the following disclaimer in the documentation
  and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# DFD3
Data flow diagrams, also called DFDs or threat modeling diagrams.

## Goal
Many people have presented various different ways to craft data flow diagrams over the years. This page defines a "v3 DFD" precisely. It also encourages people to think about diagramming techniques themselves as something that, like code, can be specified and evolved over time, and labeled with a version.

### Symbols/Elements used

| Element | Symbol | Discussion |
|---------|--------|------------|
| External entity | | A sharp-cornered rectangle. Anything outside your control. Examples include people and systems run by other organizations or even divisions. For example, Joe's mobile phone or the Mint data aggregators (assuming you're modeling from a bank's perspective). If you're modeling Mint, then the bank's systems would be external entities. |
| Process | | A rounded rectangle. Any running code, including compiled, scripts, shell commands, SQL stored procedures, et cetera. |
| Data store | | A drum. Anywhere data is stored, including files, databases, shared memory, S3, cookies, et cetera. |
| Data flows | | An arrow. All the ways that processes can talk to data stores or each other. |
| Trust boundary | . . . | A closed shape drawn with a dashed or dotted line. Usually a box. |

## Definition
1. A V3 DFD uses 5 symbols.
    1. A rectangle represents an external entity, a person or code outside your control.
    2. A rounded rectangle represents a process. They're connected by arrows, which can be single or double headed.
    3. Data stores are represented by drums.
    4. Data flows are represented by arrows. These are usually two way (bi-directional). A dot can be used to represent the origination side.
    5. A trust boundary is a closed shape, usually a box.
2. All lines are solid, except those used for trust boundaries, which are dashed or dotted. (There is no "multi-process" symbol in DFD3.)
3. It must not\* depend on the use of color, but can use color for additional information.
4. All elements should have a label.
5. You may have a context diagram if the system is complex. One is not required.

\* Must, must not, should, should not are used per IETF norms.

# Rationales

DFD3 is what people have come to call 'opinionated.' The design is aggressively simple to prioritize easy learning and use over expressiveness. It's just enough information to enable threat modeling and put type information into the picture.

## Rounded rectangles
Are more space-efficient in a large diagram than circles.

## Boxed boundaries
Clearly show what's inside, in a way that arcs often fail to do. Dashes and dots are clearly different from other elements and reproduce clearly with black and white printers.

## Double headed arrows
Are easier to draw. They don't show initiation of a connection, which is sad, but that can be shown with one arrowhead filled and the other open.

## No "Complex Processes"
Some approaches refer to complex processes, indicated by a doubled (concentric) circle. When to use them was never made clear, and so they're a bit of a distraction and I recommend against them.

## Drums vs double lines
The drum is easier to draw and label with software drawing tools. The parallel lines in Yourdon and other early DFDs are trivial to draw using a physical stencil: you just draw the top and bottom of a rectangle. But with software, you draw the two lines, you add text, you maybe align the text, then you group them. So with software, adding a drum to a diagram is 2 actions (draw drum, label) while the classic double lines take 4-5.

## History and Relationships
I'm told that Gane and Sarson also used rounded rectangles long before me. (Gane, Chris; Sarson, Trish. *Structured Systems Analysis: Tools and Techniques*, 1979.) According to Richard Botting's CS372 [course notes](https://web.archive.org/web/20190915023802/http://www.csci.csusb.edu/dick/cs372/a4.html), Yourdon and De Marco also used sharp rectangles for external entities.

--------------------------------------------------------------------------------
/icons/arrow.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adamshostack/DFD3/34f35bddaca4feec524fff2e2f4d8a9a33194ca2/icons/arrow.png
--------------------------------------------------------------------------------
/icons/cylinder-256.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adamshostack/DFD3/34f35bddaca4feec524fff2e2f4d8a9a33194ca2/icons/cylinder-256.png
--------------------------------------------------------------------------------
/icons/rectangle.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adamshostack/DFD3/34f35bddaca4feec524fff2e2f4d8a9a33194ca2/icons/rectangle.png
--------------------------------------------------------------------------------
/icons/rounded-rectangle.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adamshostack/DFD3/34f35bddaca4feec524fff2e2f4d8a9a33194ca2/icons/rounded-rectangle.png
--------------------------------------------------------------------------------
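
Added example, not part of the DFD3 repository: one way to treat the README's Definition as a checkable spec is a small Python linter over a diagram description. It reports rule 1 and rule 2 violations as errors, a missing label (rule 4, a "should") as a warning, and, going beyond the Definition, lists the data flows whose two ends sit inside different trust boundaries. The dict layout (`kind`, `label`, `line`, `src`, `dst`, `inside`) and the sample diagram are assumptions made for this example.

```python
# Added example: lint a diagram description against the DFD3 Definition.
# The element layout below is hypothetical; DFD3 itself defines no file format.
KINDS = {"external_entity", "process", "data_store", "data_flow", "trust_boundary"}
ENDPOINTS = {"external_entity", "process", "data_store"}

def lint_dfd3(elements):
    """Return (errors, warnings, crossings) for a list of element dicts."""
    errors, warnings, crossings = [], [], []
    by_id = {e["id"]: e for e in elements}
    for e in elements:
        eid, kind = e["id"], e.get("kind")
        if kind not in KINDS:                     # rule 1: only the 5 symbols
            errors.append(f"{eid}: '{kind}' is not one of the 5 DFD3 symbols")
            continue
        line = e.get("line", "solid")
        dashed = line in ("dashed", "dotted")
        if dashed != (kind == "trust_boundary"):  # rule 2: only boundaries dashed/dotted
            errors.append(f"{eid}: {kind} drawn with a {line} line")
        if not e.get("label"):                    # rule 4 is a "should": warn only
            warnings.append(f"{eid}: no label")
        if kind != "data_flow":
            continue
        ends = [by_id.get(e.get(k)) for k in ("src", "dst")]
        if any(x is None or x.get("kind") not in ENDPOINTS for x in ends):
            errors.append(f"{eid}: flow endpoint is missing or not an entity, process or store")
            continue
        # Boundaries that contain exactly one end of the flow are crossed by it.
        crossed = set(ends[0].get("inside", [])) ^ set(ends[1].get("inside", []))
        if crossed:
            crossings.append((eid, sorted(crossed)))
    return errors, warnings, crossings

# Constructed sample: a bank's view, with two deliberate rule violations.
SAMPLE = [
    {"id": "tb1", "kind": "trust_boundary", "label": "Bank network", "line": "dashed"},
    {"id": "phone", "kind": "external_entity", "label": "Joe's mobile phone"},
    {"id": "api", "kind": "process", "label": "Web API", "inside": ["tb1"]},
    {"id": "db", "kind": "data_store", "label": "Accounts DB", "inside": ["tb1"], "line": "dotted"},
    {"id": "multi", "kind": "multi_process", "label": "Batch jobs"},
    {"id": "f1", "kind": "data_flow", "label": "HTTPS", "src": "phone", "dst": "api"},
    {"id": "f2", "kind": "data_flow", "src": "api", "dst": "db"},
]

if __name__ == "__main__":
    errs, warns, crosses = lint_dfd3(SAMPLE)
    for msg in errs:
        print("ERROR  ", msg)
    for msg in warns:
        print("WARNING", msg)
    for flow, boundaries in crosses:
        print("CROSSES", flow, "->", ", ".join(boundaries))
```

Rule 3 (no dependence on color) is not checked here, because it concerns how a reader interprets the drawing rather than the diagram's structure.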