SecureFlag and OWASP partner to offer Threat Modeling Automation tool ThreatCanvas to Members


Andrew van der Stock

Thursday, May 30, 2024

SecureFlag and OWASP partner to offer Threat Modeling Automation tool ThreatCanvas to Members

OWASP members will gain extra benefits on the SecureFlag platform with access to ThreatCanvas to automate expert-level threat models.

SecureFlag recently announced an initiative that offers existing and future OWASP members access to their AI-powered threat modeling automation tool, ThreatCanvas, a modeling solution for developers and security professionals alike to generate threat models in seconds.

This new initiative builds on the successful four-year collaboration providing OWASP members access to a reserved instance of the SecureFlag Secure Coding Training platform.

ThreatCanvas can quickly generate a threat model from a textual description, an Infrastructure-as-Code template, and soon, existing diagrams. The scope is anything from an individual feature to an entire application or systems. ThreatCanvas identifies potential threats and suggests the relevant security controls to address any issues.

ThreatCanvas integrates seamlessly with SecureFlag’s training platform, providing hands-on labs tailored to identified threats and expanding upon the existing OWASP member access to the SecureFlag Platform.

“Threat modeling should be part of the Software Development Life Cycle (SDLC), but it’s hard to scale because it’s a manual process and requires specialized security knowledge.

“SecureFlag’s ThreatCanvas changes this, making threat modeling a scalable activity that developers can perform without adding overhead to their busy schedules and without relying on the security team. With ThreatCanvas, we can empower developers to create secure software from the start and reduce security rework later in the development pipeline,” said Andrea Scaduto, Co-Founder & Director at SecureFlag.

OWASP members gain access to ThreatCanvas, leveraging most of the features available in ThreatCanvas Pro. It’s possible to generate unlimited threat models, refine them, save (one model at the time) in their library, browse revisions, export any created models via JSON or generated PDF reports and much more. OWASP members will also continue to benefit from access to SecureFlag’s hands-on security training labs. These labs virtualize real developer environments, covering a wide range of technologies and scenarios.

“Threat modeling is the heart and soul of application security. SecureFlag’s new ThreatCanvas feature will be a welcome addition to the already great SecureFlag member benefit,” says Andrew van der Stock, Executive Director of the OWASP Foundation, and co-leader of the OWASP Top 10. “I look forward to seeing how our members use ThreatCanvas to model their applications.”

ThreatCanvas provides developers with access to expert-level threat modeling automation to create software that is secure from the start. To learn more about ThreatCanvas or to register on the SecureFlag Platform if you are an OWASP member, visit the SecureFlag website.

About SecureFlag

SecureFlag is a London-based company helping organizations worldwide run Secure Coding Training programs. Offering thousands of hands-on labs, SecureFlag supports Developers, DevOps, Cloud, and QA engineers in practicing secure coding techniques across 50+ technologies. With ThreatCanvas, SecureFlag also provides tools for automating the threat modeling process.


The Open Worldwide Application Security Project (OWASP) is a nonprofit foundation that works to improve software security. Our programming includes:

  • Community-led open-source projects, including code, documentation, and standards
  • Over 250+ local chapters worldwide
  • Tens of thousands of members and participants
  • Industry-leading educational and training conferences

We are an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. Our projects, tools, documents, forums, and chapters are free and open to anyone interested in improving application security