OWASP Threat Dragon
Threat Dragon is a free, open-source, cross-platform threat modeling application including system diagramming and a rule engine to auto-generate threats/mitigations. Threat Dragon supports STRIDE1, LINDUN2 and CIA3.
It is an OWASP Incubator Project and follows the values and principles of the threat modeling manifesto. The roadmap for the project is a great UX, a powerful rule engine and integration with other development lifecycle tools.
There is a good overview of threat modeling and risk assessment from OWASP, and this expands on what the Threat Dragon project aims for:
- designing the data flow diagram
- automatic determining and ranking threats
- suggested mitigations
- entry of mitigations and counter measures
The application comes in two variants:
A desktop application: This is based on Electron, with model files stored on the local filesystem. There are installers available for both Windows and Mac OSX, as well as rpm and debian packages for Linux.
A web application: For the web application model files are stored in GitHub, with other storage methods to follow.
1: Spoofing, Tampering, Repudiation, Information disclosure, DoS, Elevation of privilege
2: Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance
3: Confidentiality, Integrity, Availability