OWASP / Threat Dragon Desktop
Note that this repository has been migrated from Mike Goodwin's original, which has the issues and pull requests from March 2017 up to June 2020.
OWASP Threat Dragon
Threat Dragon is a free, open-source, cross-platform threat modeling application including system diagramming and a rule engine to auto-generate threats/mitigations. It is an OWASP Incubator Project and follows the values and principles of the threat modeling manifesto. The roadmap for the project is a great UX, a powerful rule engine and integration with other development lifecycle tools.
There is a good overview of threat modeling and risk assessment from OWASP, and this expands on what Threat Dragon will achieve:
- designing the data flow diagram
- automatically determining and ranking threats
- suggested mitigations
- entry of mitigations and countermeasures
The application comes in two variants; this repository contains the files for the desktop variant:
- A desktop application: This is based on Electron. There are installers available for both Windows and Mac OSX, as well as rpm and debian packages for Linux. For the desktop variant, models are stored on the local filesystem.
- A web application: For the web application, model files are stored in GitHub (other storage will become available). We are currently maintaining a working prototype in sync with the main code branch.
End user help is available.
Install instructions are here.
In addition to the Threat Dragon graphical user interface, there is a command line interface for scripting and build pipelines.
Screenshots
Here are a few screenshots of the app to give you a feel for what it looks like. First, the welcome screen:
The diagramming screen:
And the threat editing screen:
Contributing
Pull requests, feature requests, bug reports and feedback of any kind are very welcome; please refer to the page for contributors.
We are trying to keep the test coverage relatively high, so please try to update tests in any PRs and make PRs on the development branch. There are some developer notes in the core Threat Dragon repo to help get started with this project.
Vulnerability disclosure
If you find a vulnerability in this project, please let us know ASAP and we will fix it as a priority. For secure disclosure, please see the security policy.
Project leaders
- Mike Goodwin
- Jon Gadsden