OWASP Threat Dragon

What is Threat Dragon?
OWASP Threat Dragon is a tool used to create threat model diagrams as part of a secure development lifecycle. It can be used to record possible threats and decide on their mitigations, as well as giving a visual indication of the threat model components and threat surfaces. Threat Dragon runs either as a web application or a desktop application.
Threat Dragon supports STRIDE / LINDDUN / CIA, provides modelling diagrams and implements a rule engine to auto-generate threats and their mitigations.
Use the documentation to get started, along with the recording of Mike Goodwin giving a lightning demo during the OWASP Open Security Summit in June 2020.
Threat Dragon has a demonstration page. This is on older version which is due to be updated soon, and the notable difference is that we now have a desktop version that can be installed on linux - along with Windows and MacOS.
Related Projects
- OWASP PyTM (Pythonic Threat Modeling)
- OWASP Threat Model Cookbook
- Threat Modeling OWASP Cheat Sheet
- OWASP Threat Model Project
- OWASP Threat Model Project (old pages)
- Threagile - Agile Threat Modeling although it is not OWASP, it is open source
OWASP participation
The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. All of our projects, tools, documents, forums, and chapters are free and open to anyone interested in improving application security.
Everyone is welcome and encouraged to participate in our Projects, Local Chapters, Events, Online Groups, and Community Slack Channel. We especially encourage diversity in all our initiatives. OWASP is a fantastic place to learn about application security, to network, and even to build your reputation as an expert. We also encourage you to be become a member or consider a donation to support our ongoing work.
Threat modelling is widely regarded as a powerful way to build security into the design of applications early in a secure development lifecycle. At its best, it is especially good for
- Ensuring defence-in-depth
- Establishing consistent security design patterns across an application
- Flushing out security requirements and user stories
OWASP Threat Dragon provides a free, open-source, threat modelling application for teams implementing the STRIDE approach. It can also be used for categorising threats using LINDDUN and CIA. The key areas of focus for the tool is:
- Great UX - using Threat Dragon should be simple, engaging and fun
- A powerful threat/mitigation rule engine - this lowers the barrier to entry for teams and allow non-specialists to contribute
- Integration points with other development lifecycle tools - when implemented this will ensure that models slot easily into the development lifecycle and remain relevant as the project evolves
Testers
Easy user experience is one of the key goals for the project and to get that right it needs more users! If you would like to try the tool out, the released versions are on the web application github.
The desktop variant has installers for Linux, Windows and MacOS which be downloaded from the desktop project github.
To help you get started, take a look at the documentaion area.
If you are still having problems, let us know and we will be pleased to help ([email protected] and [email protected]). All feedback is very welcome, so either email us or add an issue on the GitHub repo.
Coding
Coding help of any kind is always welcome. The project builds easily (let us know if you have any problems) so getting up and running should be simple. There are some developer notes in the core threat dragon repo to help get started with this project.
Threat rule engine
If you are not into javascript, you can still help! We want to create a powerful threat generation rule engine to enhance the one that is in place for the early releases. If you can contribute in this area by defining rules, that would be great.
FAQs
Mike Goodwin’s initial vision for the project is archived here
Milestone 1: Alpha release - Basic threat modelling experience
- achieved October 2015
Milestone 2: Beta release - Threat/mitigation rule engine
- achieved May 2017 with version 0.1.26
Milestone 3: Release 1.0
- production version released February 2020
- version 1.3.1 was released October 2020
Milestone 4: - Dev lifecycle integration
- Not yet achieved
Version 2.0: planned for late 2021
create a combined application for both webapp and core
- written in javascript ES6 / ECMAScript 2015 or compatible
- run on node.js server
- use express for backend application
- use Vue for frontend application
- use mxgraph for the drawing library
create a desktop application
- use electron to wrap webapp for desktop
- incorporates webapp as a git submodule, similar to drawio as a submodule for drawio-desktop
- provide auto-update similar to drawio-desktop
desktop and webbapp should: load models from similar sources to draw.io:
- github
- gitlab
- Google Drive
- OneDrive
- Dropbox
- local filesystem device
allow design files to be backwardly compatible to Threat Dragon json:
- reads json file and converts to mxgraph native xml
- converts from mxgraph native xml and writes as json file
be strictly open source
- avoid using languages or frameworks maintained outside the open source community
Releases
| Release | Date | Location | Comments |
|---|---|---|---|
| v2.0 | Planned late 2021 | Web app Desktop |
substantial rewrite for new drawing library mxgraph |
| v1.3.1 | 26 Oct 2020 | Web app Desktop |
update documentation link to point to new docs page |
| v1.3 | 3 Sep 2020 | Web app Desktop |
support for LINDDUN and CIA as well as STRIDE and desktop command line interface |
| v1.2 | 14 April 2020 | Web app Desktop |
description for diagram elements label applied to boundaries save button always enabled zoom functionality disabled hot key copy and paste for diagram elements |
| v1.1 | 15 Mar 2020 | Web app | Duplicate element/diagram feature |
| v1.1 | 10 Mar 2020 | Desktop | Bug fix for blank screen on new model, and duplicate element/diagram feature |
| v1.0 | 22 Feb 2020 | Desktop | First full release for Windows, MacOS and Linux |
| v0.1.27-alpha | 28 Jul 2019 | Desktop | Windows only |
| v0.1.26 | 16 May 2017 | Desktop | MacOS and Windows only |
| 0.3.0 | 14 Mar 2017 | Web app | |
| v0.1.1-alpha | 14 Mar 2016 | Web app |