threagile: Agile Threat Modeling Toolkit
Threagile is an open-source toolkit for agile threat modeling:
It lets you model an architecture and its assets in an agile fashion as a YAML file directly inside the IDE. When the Threagile toolkit runs, all standard risk rules (plus any custom rules, if present) are checked against the architecture model.
If we can build software in a reliable, reproducible and quick way at any time using Pipeline-as-Code, with automated security scans as part of it, how can we just as quickly capture the risk landscape of agile projects to make sure nothing important was missed? Traditionally, this happens in workshops with lots of discussion and model work on the whiteboard with boxes, lines, and clouds. Unfortunately, it often stops there: instead of a living model, a slowly but surely eroding artifact is created, while the agile project evolves at a faster pace.
To counteract this decay, something has to be done continuously, something like "Threat-Model-as-Code" in the DevSecOps sense. Threagile implements the ideas behind this approach: agile, developer-friendly threat modeling right from within the IDE using open-source tools. Models are editable in developer IDEs and diffable in Git; from them, the toolkit automatically derives risks and generates graphical diagrams and reports with recommended mitigation actions.
Copyright (c) 2020 Christian Schneider (www.Christian-Schneider.net)