Threat Dragon – Online Threat Modelling Tool from OWASP

Threat Dragon is a free, open-source, cross-platform threat modelling application including system diagramming and a threat rule engine to auto-generate threats/mitigations. It is an OWASP Incubator Project. The focus of the project is on great UX, a powerful rule engine and integration with other development lifecycle tools.
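To show what a threat rule engine of the kind described above does, here is a small illustrative engine in JavaScript (an added example, not Threat Dragon's own code, rule format or model schema). It walks a constructed diagram of processes, stores and data flows, and each rule that matches an element's attributes emits a STRIDE-style threat with a suggested mitigation; the element attribute names (`crossesTrustBoundary`, `isEncrypted`, `isLogging`, `authenticates`) are assumptions made for the example.

```javascript
// Illustrative threat rule engine (added example; attribute names are assumed,
// not Threat Dragon's own model format). A diagram is a flat list of elements;
// each rule checks one element and, on a match, yields a threat plus mitigation.

// Constructed sample diagram: a browser talking to a web app backed by a database.
const sampleDiagram = [
  { id: "browser", type: "actor", name: "User browser" },
  { id: "web", type: "process", name: "Web app", authenticates: true },
  { id: "db", type: "store", name: "User DB", isEncrypted: false, isLogging: false },
  { id: "f1", type: "flow", name: "Login", from: "browser", to: "web",
    protocol: "http", crossesTrustBoundary: true },
  { id: "f2", type: "flow", name: "Query", from: "web", to: "db",
    protocol: "tls", crossesTrustBoundary: false },
];

// Rules: a predicate over an element, a threat description and a mitigation.
const rules = [
  { id: "R1", category: "Information disclosure",
    when: (e) => e.type === "flow" && e.crossesTrustBoundary && e.protocol !== "tls",
    threat: (e) => `Data flow "${e.name}" crosses a trust boundary in clear text`,
    mitigation: "Use TLS on every flow that crosses a trust boundary" },
  { id: "R2", category: "Information disclosure",
    when: (e) => e.type === "store" && !e.isEncrypted,
    threat: (e) => `Data store "${e.name}" holds data unencrypted at rest`,
    mitigation: "Encrypt sensitive data at rest; keep keys outside the store" },
  { id: "R3", category: "Repudiation",
    when: (e) => e.type === "store" && !e.isLogging,
    threat: (e) => `Writes to "${e.name}" are not logged`,
    mitigation: "Keep an audit trail of writes with actor and timestamp" },
  { id: "R4", category: "Spoofing",
    when: (e) => e.type === "process" && !e.authenticates,
    threat: (e) => `Process "${e.name}" does not authenticate its callers`,
    mitigation: "Require authentication before accepting requests" },
];

// Run every rule over every element and collect the generated threats.
function generateThreats(diagram, ruleSet = rules) {
  const threats = [];
  for (const element of diagram) {
    for (const rule of ruleSet) {
      if (!rule.when(element)) continue;
      threats.push({ element: element.id, rule: rule.id, category: rule.category,
        title: rule.threat(element), mitigation: rule.mitigation });
    }
  }
  return threats;
}

console.log(generateThreats(sampleDiagram));
```

Fixing the model (TLS on the login flow, encryption and logging on the store) makes the corresponding threats disappear on the next run, which is the feedback loop a rule engine gives a design review.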


Threat modelling is widely regarded as a powerful way to build security into the design of applications early in the development lifecycle. At its best, it is especially good for:

  • Ensuring defence-in-depth
  • Establishing consistent security design patterns across an application
  • Flushing out security requirements and user stories

The application comes in two variants:

  1. A web application: For the web application, model files are stored in GitHub (other storage will become available).
  2. A desktop application: This is based on Electron. There are installers available for both Windows and Mac OSX, as well as rpm and debian packages for Linux. Note that for the desktop variant the models are stored on the local filesystem rather than a remote repository.

End user help is available for both variants.

Threat Dragon uses GitHub to store threat models, so you need to go to your GitHub account and register Threat Dragon as a GitHub application. Once you have done that, set the Client ID and Client Secret as the environment variables GITHUB_CLIENT_ID and GITHUB_CLIENT_SECRET. The Client Secret is a credential for your GitHub application, so keep it in the environment of the deployment rather than in the repository.

You can read more and use this tool over here: https://github.com/mike-goodwin/owasp-threat-dragon
