Threat modelling is widely regarded as a powerful way to build security into the design of applications early in a secure development lifecycle. At its best, it is especially good for

• Ensuring defence-in-depth
• Establishing consistent security design patterns across an application
• Flushing out security requirements and user stories

OWASP Threat Dragon provides a free, open-source, threat modelling application for teams implementing the STRIDE approach. It can also be used for categorising threats using LINDDUN and CIA. The key areas of focus for the tool is:

• Great UX - using Threat Dragon should be simple, engaging and fun
• A powerful threat/mitigation rule engine - this lowers the barrier to entry for teams and allow non-specialists to contribute
• Integration points with other development lifecycle tools - when implemented this will ensure that models slot easily into the development lifecycle and remain relevant as the project evolves

Testers

Easy user experience is one of the key goals for the project and to get that right it needs more users! If you would like to try the tool out, the released versions are on the web application github.

The desktop variant has installers for Linux, Windows and MacOS which be downloaded from the desktop project github.

To help you get started, take a look at the documentaion area.

If you are still having problems, let us know and we will be pleased to help ([email protected] and [email protected]). All feedback is very welcome, so either email us or add an issue on the GitHub repo.

Coding

Coding help of any kind is always welcome. The project builds easily (let us know if you have any problems) so getting up and running should be simple. There are some developer notes in the core threat dragon repo to help get started with this project.

Threat rule engine

If you are not into javascript, you can still help! We want to create a powerful threat generation rule engine to enhance the one that is in place for the early releases. If you can contribute in this area by defining rules, that would be great.

FAQs

• What browsers can be used for Threat Dragon?

• Hold on…isn’t this the same as Mozilla’s SeaSponge?

• Why do the earlier releases come from Mike Goodwin’s repo, not the OWASP repo?

• Why do I get ‘developer can not be verified’ errors after installing on MacOS?

• Can I run Threat Dragon from a command line?

• Is there a command line interface for Threat Dragon?

Mike Goodwin’s initial vision for the project is archived here

Milestone 1: Alpha release - Basic threat modelling experience

• achieved October 2015

Milestone 2: Beta release - Threat/mitigation rule engine

• achieved May 2017 with version 0.1.26

Milestone 3: Release 1.0

• production version released February 2020
• version 1.3.1 was released October 2020

Milestone 4: - Dev lifecycle integration

• Not yet achieved

Version 2.0: planned for late 2021

create a combined application for both webapp and core

1. written in javascript ES6 / ECMAScript 2015 or compatible
2. run on node.js server
3. use express for backend application
4. use Vue for frontend application
5. use mxgraph for the drawing library

create a desktop application

1. use electron to wrap webapp for desktop
2. incorporates webapp as a git submodule, similar to drawio as a submodule for drawio-desktop
3. provide auto-update similar to drawio-desktop

desktop and webbapp should: load models from similar sources to draw.io:

1. github
2. gitlab
3. Google Drive
4. OneDrive
5. Dropbox
6. local filesystem device

allow design files to be backwardly compatible to Threat Dragon json:

• reads json file and converts to mxgraph native xml
• converts from mxgraph native xml and writes as json file

be strictly open source

• avoid using languages or frameworks maintained outside the open source community

Releases