Threat Dragon is a free, open-source, cross-platform threat modeling application including system diagramming and a rule engine to auto-generate threats/mitigations. It is an OWASP Incubator Project. The focus of the project is on great UX, a powerful rule engine and integration with other development lifecycle tools.
There is a good overview of threat modeling and risk assessment from OWASP, and this expands on what Threat Dragon will achieve:
- Designing the data flow diagram
- Automatic determining and ranking threats
- Suggested mitigations
- Entry of mitigations and counter measures
The application comes in two variants:
- A web application: For the web application, models files are stored in GitHub (other storage will become available). We are currently maintaining a working protoype in synch with the master code branch.
- A desktop application: This is based on Electron. There are installers available for both Windows and Mac OSX, as well as rpm and debian packages for Linux. For the desktop variant models are stored on the local filesystem.
End user help is available for both variants.
This repository contains the files for the desktop variant.
For the latest versions of code between releases,
npm can be used to install and run Threat Dragon locally:
git clone https://github.com/mike-goodwin/owasp-threat-dragon-desktop
Then to run it:
npm run start
Installers for OSX and Windows can be downloaded from the releases folder. In there you can also find packages for both Debian and Fedora Linux on AMD64 and X86-64bit platforms.