OWASP Threat Dragon: free, open-source, cross-platform threat modeling application
Threat Dragon is a free, open-source, cross-platform threat modeling application including system diagramming and a rule engine to auto-generate threats/mitigations. It is an OWASP Incubator Project. The focus of the project is on great UX, a powerful rule engine, and integration with other development lifecycle tools.
OWASP provides a good overview of threat modeling and risk assessment; Threat Dragon builds on that process and aims to support the following steps:
- designing the data flow diagram
- automatically determining and ranking threats
- suggested mitigations
- the entry of mitigations and countermeasures
The application comes in two variants:
- A web application: For the web application, model files are stored in GitHub (other storage will become available). We are currently maintaining a working prototype in sync with the master code branch.
- A desktop application: This is based on Electron. There are installers available for both Windows and Mac OS X, as well as rpm and Debian packages for Linux. For the desktop variant, models are stored on the local filesystem.
End user help is available for both variants.
Here are a few screenshots of the app to give you a feel for what it looks like. First, the welcome screen:
The diagramming screen:
And the threat editing screen:
Install
Copyright 2016 Mike Goodwin