OWASP Threat Dragon

cupcake logo

What is Threat Dragon?

OWASP Threat Dragon is a modeling tool used to create threat model diagrams as part of a secure development lifecycle. Threat Dragon follows the values and principles of the threat modeling manifesto. It can be used to record possible threats and decide on their mitigations, as well as giving a visual indication of the threat model components and threat surfaces. Threat Dragon runs either as a web application or a desktop application.

Threat Dragon supports STRIDE / LINDDUN / CIA, provides modeling diagrams and implements a rule engine to auto-generate threats and their mitigations.

Use the documentation to get started, along with the recording of Mike Goodwin giving a lightning demo during the OWASP Open Security Summit in June 2020.

An introduction to Threat Dragon is provided by the OWASP Spotlight series, and the Threat Modeling Gamification seminar by Vlad Styran shows how using Threat Dragon can make threat modeling fun.

OWASP participation

The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. All of our projects, tools, documents, forums, and chapters are free and open to anyone interested in improving application security.

Everyone is welcome and encouraged to participate in our Projects, Local Chapters, Events, Online Groups, and Community Slack Channel. We especially encourage diversity in all our initiatives. OWASP is a fantastic place to learn about application security, to network, and even to build your reputation as an expert. We also encourage you to become a member or consider a donation to support our ongoing work.

Threat modeling is widely regarded as a powerful way to build security into the design of applications early in a secure development lifecycle. At its best, it is especially good for:

  • Ensuring defence-in-depth
  • Establishing consistent security design patterns across an application
  • Flushing out security requirements and user stories

OWASP Threat Dragon provides a free, open-source, threat modeling application for teams implementing the STRIDE approach. It can also be used for categorising threats using LINDDUN and CIA. The key areas of focus for the tool is:

  • Great UX - using Threat Dragon should be simple, engaging and fun
  • A powerful threat/mitigation rule engine - this lowers the barrier to entry for teams and allow non-specialists to contribute
  • Integration points with other development lifecycle tools - when implemented this will ensure that models slot easily into the development lifecycle and remain relevant as the project evolves

Testers

Easy user experience is one of the key goals for the project and to get that right it needs more users! If you would like to try the tool out, the released versions are on the github release area.

The desktop variant has installers for Linux, Windows and MacOS which be downloaded from the github release area.

To help you get started, take a look at the documentation area.

If you are still having problems, let us know and we will be pleased to help ([email protected] and [email protected]). All feedback is very welcome, so either email us or add an issue on the GitHub repo.

Coding

Coding help of any kind is always welcome. The project builds easily (let us know if you have any problems) so getting up and running should be simple. There are some developer notes in the threat dragon repo to help get started with this project.

Threat rule engine

If you are not into javascript, you can still help! We want to create a powerful threat generation rule engine to enhance the one that is in place for the early releases. If you can contribute in this area by defining rules, that would be great.

FAQs

Version 2.0: planned for early 2022

migrate to a combined application for both webapp and core

  • use Vue for frontend application
  • use @antv/g6 for the drawing library
  • in progress provide multiple methods of authentication similar to draw.io login page
  • in progress provide an API for CI/CD pipelines, see here for an example
  • frontend logging using bunyan and optional logging to the console during development
  • use electron to wrap webapp for desktop
  • provide auto-update using electron
  • provide a CLI for scripting based on TD’s existing use of yargs
  • expand electron unit tests using spectron
  • electron log logging level controlled by command line
  • webapp unit test framework Jest
  • component test Vue testing library
  • end-to-end test cypress
  • set up ZAP to provide security testing on commit, similar to existing TD
  • be strictly open source

file access for both desktop and web apps:

  • load models from various sources similar to drawio:
    • github
    • gitlab
    • Google Drive
    • OneDrive
    • Dropbox
    • in progress local filesystem device
  • design files are to be backwardly compatible to Threat Dragon json

demonstration pages:

  • an online demonstration to be provided on threat dragon’s site
  • demo should either be a snapshot or a release version

Version 1.4: released May 2021

  • written in javascript ES6 / ECMAScript 2015 or compatible
  • run on node.js server
  • use express for backend application
  • provide a dockerfile for running in docker, similar to existing TD
  • static code analysis using ESLint
  • webapp test runner Karma with Jasmine for Vue Test Utils
  • backend unit test framework MochaJS and assertions from chai
  • bundle the application and api for production using webpack
  • be strictly open source, avoiding using languages or frameworks maintained outside the open source community

documentation:

Previous versions

Mike Goodwin’s initial roadmap for the project is archived here. The original roadmap had various milestones, most of which were achieved by late 2020.

Milestone 1: Alpha release - Basic threat modelling experience

  • achieved October 2015

Milestone 2: Beta release - Threat/mitigation rule engine

  • achieved May 2017 with version 0.1.26

Milestone 3: Release 1.0

  • production version released February 2020
  • version 1.3.1 released October 2020

Milestone 4: - Dev lifecycle integration

  • Still to be completed, some CLI interface available mid 2020

Releases

Release Date Location Comments
v2.0(draft) Late 2021/2022 Web app
Desktop		 in progress:
substantial rewrite for new drawing library @antv/g6
v1.6.0 Dec 2021 github Automated threat and context threat generation
Last release of 1.x before version 2.0
v1.5.8 Sep 2021 github Shows ‘NA’ threats as completed/ mitigated
Fixes bug in threat engine (web app only)
Signed binaries for Windows
v1.5.5 Sep 2021 github MacOS images are signed and notarized
Linux Snap image available as snapcraft distribution
v1.4.0 5 May 2021 Web app
Desktop		 Provides dotenv for environment variables
updates to docker image
substantial code reorganisation
v1.3.1 26 Oct 2020 Web app
Desktop		 update documentation link to point to new docs page
v1.3 3 Sep 2020 Web app
Desktop		 support for LINDDUN and CIA as well as STRIDE
and desktop command line interface
v1.2 14 April 2020 Web app
Desktop		 description for diagram elements
label applied to boundaries
save button always enabled
zoom functionality disabled
hot key copy and paste for diagram elements
v1.1 15 Mar 2020 Web app Duplicate element/diagram feature
v1.1 10 Mar 2020 Desktop Bug fix for blank screen on new model,
and duplicate element/diagram feature
v1.0 22 Feb 2020 Desktop First full release for Windows, MacOS and Linux
v0.1.27-alpha 28 Jul 2019 Desktop Windows only
v0.1.26 16 May 2017 Desktop MacOS and Windows only
0.3.0 14 Mar 2017 Web app  
v0.1.1-alpha 14 Mar 2016 Web app  
Watch Star