Cross-platform, open source utility aims to simplify the risk assessment process
The Open Web Application Security Project (OWASP) has released an installable desktop variant of Threat Dragon, its popular threat modeling application.
The free and open source Threat Dragon tool includes system diagramming and a rule engine to automatically determine and rank security threats, suggest mitigations, and implement countermeasures.
The newly launched desktop version is based on Electron. There are installers available for both Windows and macOS, as well as RPM and Debian packages for Linux. Models are stored on the local file system.
There’s also a web application, with model files stored in GitHub – other storage is planned for the future – and OWASP says it is currently maintaining a working prototype in sync with the master code branch.
“It’s not intended to be a tool reserved solely for security professionals,” Mike Goodwin, Threat Dragon project leader and co-founder of the Newcastle, UK, chapter of OWASP, tells The Daily Swig.
“It is intended to be used by software development teams – that includes developers, testers, user experience specialists, and operations people.”
Goodwin added: “The user experience is intended to be simple and engaging. Going forward, we are aiming to make it easy to integrate into the normal development lifecycle, although that is not very well developed at the moment.”
Practical use cases
According to OWASP, threat modeling is widely regarded as a “powerful way to build security into the design of applications early in the development lifecycle”, forming part of an organization’s defense-in-depth strategy.
The project maintainers are currently looking for feedback on the desktop version – and it seems to be getting a good reception.
“There is a lot of positive interest from people,” says Goodwin. “I think the fact that it is open source appeals to people. Threat modeling seems to be a popular activity in general – I’ve blogged and spoken about it and it usually gets a lot of interest.
“The reaction to the user experience in Threat Dragon is mixed, but mostly positive. Obviously, it is still an early stage project, and the team maintaining it is quite small, so turnaround on bugs and feature requests could be better.”
There are some issues in the desktop version, including the appearance of a blank screen when a model is saved. Goodwin says this is a known bug and should be resolved soon.
“For me, the main immediate issues are the lack of auto-update on the desktop application and the lack of an ‘undo’ when editing diagrams,” he says. “I’m also concerned about the excessive GitHub permissions needed by the web variant of the tool.”
Moving forward, Goodwin outlined plans to integrate Threat Dragon with other software lifecycle tools and processes.
The first step for the web variant, he says, will be to store the models with source code, as only GitHub is supported at the moment.
“This should be a platform for some good lifecycle integrations. One simple example would be to have CI/CD policies that will fail a build if the threat model is not up-to-date, or if there are new, unmitigated threats,” he says.
“The aim of this is to prevent threat models becoming documents that are done once and then ignored. They should be living, breathing documents.”
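As an added illustration of the CI/CD gate Goodwin describes (this is not Threat Dragon's own code), the Python script below scans a model for threats that are not marked mitigated and returns a non-zero exit status so a pipeline step can fail the build. It assumes the Threat Dragon v1 JSON layout, with threats nested under the cells of each diagram and a status of "Open" or "Mitigated"; the sample model is constructed.

```python
import json

# Constructed sample model in the assumed Threat Dragon v1 layout:
# threats hang off diagram cells, each with a status of "Open" or "Mitigated".
SAMPLE_MODEL = json.loads("""
{
  "summary": {"title": "Demo web app"},
  "detail": {"diagrams": [{
    "title": "Main data flow",
    "diagramJson": {"cells": [
      {"type": "tm.Process", "attrs": {"text": {"text": "Web server"}},
       "threats": [
         {"title": "Spoofed session", "type": "Spoofing", "severity": "High",
          "status": "Mitigated", "mitigation": "HttpOnly and Secure cookie flags"},
         {"title": "SQL injection", "type": "Tampering", "severity": "High",
          "status": "Open", "mitigation": ""}]},
      {"type": "tm.Store", "attrs": {"text": {"text": "Database"}},
       "threats": [
         {"title": "Disclosure of PII", "type": "Information disclosure",
          "severity": "Medium", "status": "Open", "mitigation": "Encrypt at rest"}]}
    ]}
  }]}
}
""")


def unmitigated_threats(model):
    """Return (diagram title, element name, threat) for every threat not marked Mitigated.
    A threat with mitigation text but status still Open counts as unmitigated."""
    findings = []
    for diagram in model.get("detail", {}).get("diagrams", []):
        for cell in diagram.get("diagramJson", {}).get("cells", []):
            element = cell.get("attrs", {}).get("text", {}).get("text", cell.get("type", "?"))
            for threat in cell.get("threats", []):
                if threat.get("status") != "Mitigated":
                    findings.append((diagram.get("title", "?"), element, threat))
    return findings


def gate(model, fail_on=("High", "Medium")):
    """CI gate: True (build may proceed) only if no open threat of the listed severities remains."""
    blocking = [f for f in unmitigated_threats(model) if f[2].get("severity") in fail_on]
    for diagram, element, threat in blocking:
        print(f"OPEN [{threat.get('severity')}] {diagram} / {element}: {threat.get('title')}")
    return not blocking


if __name__ == "__main__":
    import sys
    sys.exit(0 if gate(SAMPLE_MODEL) else 1)  # non-zero exit fails the pipeline step
```

In a real pipeline, replace SAMPLE_MODEL with json.load() of the model file committed beside the source code.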