OWASP Threat Dragon

Note that this page is out of date; see the latest version 1.x documentation.

Threat Dragon is a free, open-source, cross-platform threat modeling application including system diagramming and a rule engine to auto-generate threats/mitigations. Mike Goodwin created Threat Dragon as an open source community project that provides an intuitive and accessible way to model threats.

Threat Dragon is an OWASP Lab Project and follows the values and principles of the threat modeling manifesto. An introduction to Threat Dragon is provided by the OWASP Spotlight series, and a different take on Threat Dragon is provided by Threat Modeling Gamification.

Threat Dragon supports STRIDE [1], LINDDUN [2] and CIA [3].

There is a good overview of threat modeling and risk assessment from OWASP, and this expands on what the Threat Dragon project aims for:

  • ease of use and accessibility
  • designing a data flow diagram
  • suggesting threats
  • entering mitigations and countermeasures
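To make the "suggesting threats" step concrete, here is a minimal STRIDE-per-element rule engine run over a small data flow diagram. This is an added illustration, not Threat Dragon's own rule engine; the element type names (tm.Actor, tm.Process, tm.Store, tm.Flow) and flow properties (isEncrypted, isPublicNetwork, outOfScope) are assumed to mirror the v1 model JSON, and the category-per-element mapping is the common STRIDE-per-element convention, not the project's actual rule set.

```javascript
// Assumed convention: which STRIDE categories apply to each diagram element type.
const STRIDE_BY_TYPE = {
  'tm.Actor':   ['Spoofing', 'Repudiation'],
  'tm.Process': ['Spoofing', 'Tampering', 'Repudiation', 'Information disclosure',
                 'Denial of service', 'Elevation of privilege'],
  'tm.Store':   ['Tampering', 'Repudiation', 'Information disclosure', 'Denial of service'],
  'tm.Flow':    ['Tampering', 'Information disclosure', 'Denial of service'],
};

// Generate candidate threats for every in-scope element of a diagram.
// Returns an array of { element, category, title, mitigation? } objects.
function suggestThreats(cells) {
  const threats = [];
  for (const cell of cells) {
    if (cell.outOfScope) continue; // out-of-scope elements get no generated threats
    for (const category of STRIDE_BY_TYPE[cell.type] || []) {
      threats.push({ element: cell.name, category, title: `${category} of ${cell.name}` });
    }
    // Context-specific rule: an unencrypted flow over a public network exposes its data,
    // so add a concrete threat with a suggested mitigation (assumed property names).
    if (cell.type === 'tm.Flow' && cell.isPublicNetwork && !cell.isEncrypted) {
      threats.push({
        element: cell.name,
        category: 'Information disclosure',
        title: `${cell.name} crosses a public network without encryption`,
        mitigation: 'Protect this flow with TLS',
      });
    }
  }
  return threats;
}

// Constructed sample diagram: a browser talking to a web app that reads a user database.
const sampleCells = [
  { type: 'tm.Actor',   name: 'Browser' },
  { type: 'tm.Process', name: 'Web App' },
  { type: 'tm.Store',   name: 'User DB' },
  { type: 'tm.Flow',    name: 'HTTP request', isPublicNetwork: true,  isEncrypted: false },
  { type: 'tm.Flow',    name: 'SQL query',    isPublicNetwork: false, isEncrypted: false },
  { type: 'tm.Store',   name: 'Legacy log',   outOfScope: true },
];

console.log(suggestThreats(sampleCells).map(t => t.title).join('\n'));
```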

The application comes in two variants:

  1. A desktop application: This is based on Electron, with model files stored on the local filesystem. There are installers available for both Windows and Mac OS X, as well as RPM and Debian packages for Linux.
  2. A web application: For the web application, model files are stored in GitHub, with other storage methods to follow.

[1]: Spoofing, Tampering, Repudiation, Information disclosure, DoS, Elevation of privilege
[2]: Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance
[3]: Confidentiality, Integrity, Availability