OWASP Threat Dragon : open-source threat modeling tool from OWASP
Threat modelling is regarded as a potent method for incorporating security into application design at an early stage of the secure development lifecycle. It is most effective when used for:
ensuring defence in depth
applying uniform security design patterns throughout an application
producing user stories and security requirements quickly
For teams using the STRIDE methodology, OWASP Threat Dragon offers a free, open-source threat modelling application. It can also classify threats using the CIA and LINDDUN schemes. The tool's main areas of focus are as follows:
Making Threat Dragon easy, engaging and enjoyable to use.
A strong threat/mitigation rule engine that lowers the entry barrier for teams and allows non-specialists to contribute.
Integration points with other development lifecycle tools which, once implemented, will ensure that models fit easily into the development lifecycle and remain relevant as the project evolves.
Threat Dragon: What is it?
The free, open-source, cross-platform Threat Dragon application includes both a system diagramming tool and a rule engine that automatically generates threats and mitigations. Threat Dragon was developed by Mike Goodwin as an open-source community project that offers a simple and accessible way to model threats.
Threat Dragon, an OWASP Lab Project, upholds the values and principles of the Threat Modeling Manifesto. The OWASP Spotlight series gives a brief overview of Threat Dragon, and Threat Modeling Gamification offers an alternative perspective.
Threat Dragon supports CIA [3], STRIDE [1], and LINDDUN [2].
The OWASP website provides a useful overview of threat modelling and risk assessment, which clarifies the objectives of the Threat Dragon project:
accessible and simple to use
creating data flow diagrams
identifying threats
introducing countermeasures and mitigations
There are two versions of the application:
a desktop application: based on Electron, with model files kept on the local filesystem. Installers are provided for Windows and Mac OS X, and rpm and Debian packages for Linux.
a web application: model files are stored on GitHub, with additional storage options to come.
1: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege
2: Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, and Non-compliance
3: Confidentiality, Integrity, and Availability
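To make concrete what the rule engine described above does (generating threats and mitigations from a data flow diagram, and classifying them under STRIDE and CIA), here is an added worked example. It is not Threat Dragon's own code or file schema: the model format is a constructed, simplified dictionary, the element-to-threat table is the classic STRIDE-per-element convention, and the mitigations, severities and the sample model (user, Web API, Orders DB) are all assumptions made for illustration.

```python
"""Minimal STRIDE-per-element rule engine over a data flow diagram.

Added illustration only: the model format is a constructed, simplified one
and is NOT Threat Dragon's own schema; the rules are the textbook
STRIDE-per-element mapping, not Threat Dragon's rule set.
"""
from dataclasses import dataclass

# Which STRIDE categories apply to each DFD element type (classic convention).
STRIDE_PER_ELEMENT = {
    "actor":   ["Spoofing", "Repudiation"],
    "process": ["Spoofing", "Tampering", "Repudiation",
                "Information disclosure", "Denial of service",
                "Elevation of privilege"],
    "store":   ["Tampering", "Repudiation",
                "Information disclosure", "Denial of service"],
    "flow":    ["Tampering", "Information disclosure", "Denial of service"],
}

# Generic starting-point mitigation per category (assumed, to be refined per element).
DEFAULT_MITIGATION = {
    "Spoofing": "strong authentication of the principal",
    "Tampering": "integrity protection (signatures, MACs, input validation)",
    "Repudiation": "tamper-evident audit logging",
    "Information disclosure": "encryption and access control",
    "Denial of service": "rate limiting, quotas and redundancy",
    "Elevation of privilege": "least privilege and authorisation checks",
}

# Direct STRIDE -> CIA relationship for the CIA view. Spoofing, Repudiation and
# Elevation of privilege concern authentication, non-repudiation and
# authorisation, so they are not counted against a CIA property here.
STRIDE_TO_CIA = {
    "Tampering": "Integrity",
    "Information disclosure": "Confidentiality",
    "Denial of service": "Availability",
}

@dataclass(frozen=True)
class Threat:
    element: str      # id of the element or flow the threat applies to
    category: str     # STRIDE category
    severity: str     # "low" / "medium" / "high" (assumed scale)
    mitigation: str

def _zone(model, element_id):
    """Return the trust zone of an element by id."""
    for e in model["elements"]:
        if e["id"] == element_id:
            return e["zone"]
    raise KeyError(element_id)

def generate_threats(model):
    """Apply STRIDE-per-element rules plus two context rules to a model."""
    threats = []
    for e in model["elements"]:
        for cat in STRIDE_PER_ELEMENT[e["type"]]:
            severity, mitigation = "medium", DEFAULT_MITIGATION[cat]
            # Context rule: unencrypted data stores make disclosure more severe.
            if e["type"] == "store" and cat == "Information disclosure" and not e.get("encrypted", False):
                severity, mitigation = "high", "encrypt data at rest; " + mitigation
            threats.append(Threat(e["id"], cat, severity, mitigation))
    for f in model["flows"]:
        # Flows that cross a trust boundary (different zones) are rated higher.
        crosses = _zone(model, f["from"]) != _zone(model, f["to"])
        for cat in STRIDE_PER_ELEMENT["flow"]:
            severity, mitigation = ("high" if crosses else "low"), DEFAULT_MITIGATION[cat]
            # Context rule: a boundary-crossing flow without TLS needs transport protection.
            if crosses and f["protocol"] not in ("https", "tls") and cat in ("Tampering", "Information disclosure"):
                mitigation = "use TLS on this flow; " + mitigation
            threats.append(Threat(f["id"], cat, severity, mitigation))
    return threats

def cia_summary(threats):
    """Count generated threats by the CIA property they directly affect."""
    counts = {"Confidentiality": 0, "Integrity": 0, "Availability": 0}
    for t in threats:
        prop = STRIDE_TO_CIA.get(t.category)
        if prop:
            counts[prop] += 1
    return counts

# Constructed sample model: a browser user, a Web API in a DMZ, and a database.
SAMPLE_MODEL = {
    "elements": [
        {"id": "user", "type": "actor",   "name": "Browser user", "zone": "internet"},
        {"id": "api",  "type": "process", "name": "Web API",      "zone": "dmz"},
        {"id": "db",   "type": "store",   "name": "Orders DB",    "zone": "internal", "encrypted": False},
    ],
    "flows": [
        {"id": "f1", "from": "user", "to": "api", "name": "HTTPS request", "protocol": "https"},
        {"id": "f2", "from": "api",  "to": "db",  "name": "SQL query",     "protocol": "tcp"},
    ],
}

if __name__ == "__main__":
    found = generate_threats(SAMPLE_MODEL)
    for t in found:
        print(f"{t.element:5} {t.severity:6} {t.category:24} -> {t.mitigation}")
    print(cia_summary(found))
```

Running the script lists one candidate threat per applicable STRIDE category for each element and flow, marks the two boundary-crossing flows and the unencrypted store as high severity, and prints the CIA breakdown; a real tool adds the diagram editor, per-threat status tracking and model persistence on top of exactly this kind of rule table.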