OWASP Threat Dragon
What is Threat Dragon?
OWASP Threat Dragon is a tool used to create threat model diagrams as part of a secure development lifecycle. It can be used to record possible threats and decide on their mitigations, as well as giving a visual indication of the threat model components and threat surfaces.
Threat Dragon runs either as a web application or a desktop application, with both varients based on the same common core. This tool includes system diagramming as well as a rule engine to auto-generate threats and their mitigations. The focus of Threat Dragon is on great UX, a powerful rule engine and alignment with other development lifecycle tools.
Threat Dragon has a demonstration page. This is on older version which is due to be updated soon, and the notable difference is that we now have a desktop version that can be installed on linux - along with Windows and MacOS.
- OWASP PyTM (Pythonic Threat Modeling)
- OWASP Threat Model Cookbook
- Threat Modeling OWASP Cheat Sheet
- OWASP Threat Model Project
- OWASP Threat Model Project (old pages)
- Threagile - Agile Threat Modeling although it is not OWASP, it is open source
Many thanks to these companies for donating various projects to Threat Dragon:
The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. All of our projects, tools, documents, forums, and chapters are free and open to anyone interested in improving application security.
Everyone is welcome and encouraged to participate in our Projects, Local Chapters, Events, Online Groups, and Community Slack Channel. We especially encourage diversity in all our initiatives. OWASP is a fantastic place to learn about application security, to network, and even to build your reputation as an expert. We also encourage you to be become a member or consider a donation to support our ongoing work.
Threat modelling is widely regarded as a powerful way to build security into the design of applications early in a secure development lifecycle. At its best, it is especially good for
- Ensuring defence-in-depth
- Establishing consistent security design patterns across an application
- Flushing out security requirements and user stories
OWASP Threat Dragon provides a free, open-source, threat modelling application for teams implementing the STRIDE approach. It can also be used for categorising threats using LINDDUN and CIA. The key areas of focus for the tool is:
- Great UX - using Threat Dragon should be simple, engaging and fun
- A powerful threat/mitigation rule engine - this lowers the barrier to entry for teams and allow non-specialists to contribute
- Integration points with other development lifecycle tools - when implemented this will ensure that models slot easily into the development lifecycle and remain relevant as the project evolves
Easy user experience is one of the key goals for the project and to get that right it needs more users! If you would like to try the tool out, the released versions are on the web application github.
The desktop variant has installers for Linux, Windows and MacOS which be downloaded from the desktop project github.
To help you get started, take a look at the documentaion area.
If you are still having problems, let us know and we will be pleased to help ([email protected] and [email protected]). All feedback is very welcome, so either email us or add an issue on the GitHub repo.
Coding help of any kind is always welcome. The project builds easily (let us know if you have any problems) so getting up and running should be simple. There are some developer notes in the core threat dragon repo to help get started with this project.
Threat rule engine
Mike Goodwin’s initial Vision for the project:
The overall vision for the project is to implement a tool that removes as many barriers as possible for organisations wanting to embed threat modelling into their development lifecycle. Barriers I have seen are:
- Lack of cross platform tooling: Tool needs to be x-platform
- Poor UX in existing tools, productivity is poor: Great UX is a must
- Steep learning curve for adopting teams: Tool to build in expert knowledge to help the team get started
- Models are ignored: Integration with other lifecycle tools is key
Initial high level plan:
Milestone 1: Alpha release - Basic threat modelling experience
- Architecture review of the existing prototype with refinement/change where required - complete: Confirmed JointJs works fine, Storage model changed and addition of Electon based desktop variant. Nools rule engine (no longer supported) replaced by json-rules-engine. Shifted from Grunt/Bower to NPM/Browserify
- Secure design review and implementation of findings
- Development of tests (unit and manual) - complete: Codecov report
- Draft end user documentation - complete: GitHub pages
- “Publicity drive” to sign up alpha/beta users and generate feedback Some progress on this. The desktop app has had 13k downloads - unclear how many people are actually using it. The GH repo for the desktop version has 79 stars. The web version gets about 94 unique visitors per day on average and the GH repo has 229 stars.
Milestone 2: Beta release - Threat/mitigation rule engine
- Refinement of UX based on feedback from the alpha release
- (Some) feature enhancements based on feedback from the alpha release Implemented some feature requests (e.g. snap-to-grid) and fixed issues reports (e.g. save bugs) by users
- Implementation of a rule engine for generation of threats/mitigations
- Updated tests and end-user documentation
Milestone 3: Release 1
- Key refinements, bug fixes and new features based on feedback from the beta release
- Complete end user documentation
- Penetration test
Milestone 4 - Dev lifecycle integration
- Detailed scope to be defined, but in general the vision is to support hooks into issue tracking and requirements management tool so that threats/mitigations can be tracked through to implementation and test
This is hard to estimate as it could change a lot if there were other developers involved. Based on my current velocity with just me, I would say release 1 could be complete in 1 year (optimistically).
Following an architecture review the following key changes were made:
- A new Electron based, installable desktop variant was introduced using the local file system for model storage
- The web variant was changed to use GitHub for model storage - other source control systems will follow (e.g. BitBucket)
- Seperation of common code into a new NPM package, shared between the web and desktop variants
- The Nools rule engine will be replaced since it is no longer maintained
- Getting enough usage of the alpha and beta to get the UX and rule engine right
- Finding a sustainable way to host it, especially to support deeper GitHub/BitBucket/Etc. integration
Minimum Viable Product
- Application source code for a threat modeling tool
- End user documentation for the tool
- An online hosted version of the tool
- An installable, cross-platform desktop version of the tool
|v1.3.1||26 Oct 2020||Web app
|update documentation link to point to new docs page|
|v1.3||3 Sep 2020||Web app
|support for LINDDUN and CIA as well as STRIDE
and desktop command line interface
|v1.2||14 April 2020||Web app
|description for diagram elements
label applied to boundaries
save button always enabled
zoom functionality disabled
hot key copy and paste for diagram elements
|v1.1||15 Mar 2020||Web app||Duplicate element/diagram feature|
|v1.1||10 Mar 2020||Desktop||Bug fix for blank screen on new model,
and duplicate element/diagram feature
|v1.0||22 Feb 2020||Desktop||First full release for Windows, MacOS and Linux|
|v0.1.27-alpha||28 Jul 2019||Desktop||Windows only|
|v0.1.26||16 May 2017||Desktop||MacOS and Windows only|
|0.3.0||14 Mar 2017||Web app|
|v0.1.1-alpha||14 Mar 2016||Web app|