Threat Dragon version 2.0

About

OWASP Threat Dragon

Threat Dragon is a free, open-source, cross-platform threat modeling application that includes system diagramming and a rule engine to auto-generate threats and mitigations. Threat Dragon supports STRIDE [1], LINDDUN [2], CIA [3], DIE [4] and PLOT4ai [5].

It is an OWASP Lab Project and follows the values and principles of the Threat Modeling Manifesto. An introduction to Threat Dragon is provided by the OWASP Spotlight series, and a different take on Threat Dragon is provided by Threat Modeling Gamification.

OWASP provides a good overview of threat modeling and risk assessment, which expands on what the Threat Dragon project aims for:

  • designing the data flow diagram
  • automatically determining and ranking threats
  • suggested mitigations
  • entry of mitigations and countermeasures

The application comes in two variants:

  1. Web application: The web application can be run from source or as a container using the Docker image. Depending on the configuration, the web application can store threat model files on:
    • local filesystem
    • GitHub
    • Bitbucket
    • GitLab
    • GitHub Enterprise
  2. Desktop application: Installers are available for Windows, macOS and Linux. Model files are stored on the local filesystem; repository access is a future enhancement.

The following translations are built into the Threat Dragon application:

  • العربية (ara-SY)
  • Deutsch (deu-DE)
  • English (eng-US)
  • Ελληνικά (ell-GR)
  • español (spa-ES)
  • Suomi (fin-FI)
  • français (fra-CA)
  • मानक हिन्दी (hin-IN)
  • português (por-BR)
  • 中文 (zho-CN)

Demonstration site

Threat Dragon maintains a demo instance hosted on Heroku. We strongly recommend using a self-hosted instance or the desktop application as the most secure options.


1: Spoofing, Tampering, Repudiation, Information disclosure, DoS, Elevation of privilege

2: Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance

3: Confidentiality, Integrity, Availability

4: Distributed, Immutable, Ephemeral

5: Privacy Library Of Threats 4 Artificial Intelligence