OWASP Threat Dragon


What is Threat Dragon?

OWASP Threat Dragon is a modeling tool used to create threat model diagrams as part of a secure development lifecycle. Threat Dragon follows the values and principles of the threat modeling manifesto. It can be used to record possible threats and decide on their mitigations, as well as giving a visual indication of the threat model components and threat surfaces. Threat Dragon runs either as a web application or as a desktop application.

Threat Dragon supports STRIDE / LINDDUN / CIA / DIE / PLOT4ai, provides modeling diagrams and implements a rule engine to auto-generate threats and their mitigations.

Resources

Use the version 1 or version 2 documentation to get started, along with the recording of Mike Goodwin giving a lightning demo during the OWASP Open Security Summit in June 2020.

An introduction to Threat Dragon is provided by the OWASP Spotlight series, and the Threat Modeling Gamification seminar by Vlad Styran shows how using Threat Dragon can make threat modeling fun.

There are a couple of OWASP community pages that give overviews on Threat Modeling and how to get started: Threat Modeling and Threat Modeling Process.

The easiest way to get in contact with the Threat Dragon community is via the OWASP Slack #project-threat-dragon project channel; you may need to subscribe first.


Threat modeling is widely regarded as a powerful way to build security into the design of applications and systems early in a secure development lifecycle. At its best, threat modeling is especially good for:

  • Ensuring defence-in-depth
  • Establishing consistent security design patterns across an application
  • Flushing out security requirements and user stories

OWASP Threat Dragon provides a free, open-source, threat modeling application that is powerful and easy to use. It can be used for categorising threats using STRIDE, LINDDUN, CIA, DIE and PLOT4ai. The key areas of focus for the tool are:

  • Simplicity - you can install and start using Threat Dragon very quickly
  • Flexibility - the diagramming and threat generation allows all types of threat to be described
  • Accessibility - different types of teams can benefit from Threat Dragon’s simplicity and flexibility

Threat Model File (TMF) format

Threat Dragon version 1.x and Threat Dragon version 2.x use closely related but incompatible JSON file formats. In addition, both these file formats are arranged around the diagram elements used by the graph editing engines: JointJS for version 1.x and AntV/X6 for version 2.x. The data model used in the Threat Dragon file format would be better centred round threat model information rather than the data used for graph editing.

Both Threat Dragon file formats are incompatible with other open source Threat Modeling files such as pytm, Threagile and Open Threat Model.

The intention is to change the model file format in Threat Dragon version 3.x onwards. The goal will be to define a schema that is flexible enough to easily convert from the existing:

There is an open discussion for suggestions and debate on this subject.
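As an added illustration of the design point above (example code written for this page, not Threat Dragon's own code and not its real TMF schema), the following JavaScript takes a constructed diagram-centric file, where threats are attached to the graph editor's cells, and derives a model-centric view in which elements, data flows and threats are separate records that reference each other by id. Every field name (diagrams, cells, shape, data.threats and so on) is an assumption chosen for the example; only the STRIDE category names are standard. The conversion also records two failure modes a converter has to handle: a data flow whose endpoint does not exist, and a threat with a category outside the chosen methodology.

```javascript
// Added example, not Threat Dragon code: diagram-centric file -> model-centric view.
// All field names below are constructed for illustration; they are not the TMF schema.

const STRIDE = [
  'Spoofing', 'Tampering', 'Repudiation',
  'Information disclosure', 'Denial of service', 'Elevation of privilege',
];

// Constructed input, loosely shaped like a graph editor's cell list: every node and
// edge is a "cell", and the threats live inside each cell's data block.
const diagramCentric = {
  diagrams: [{
    title: 'Web front end',
    cells: [
      { id: 'c1', shape: 'actor', data: { name: 'Browser', threats: [] } },
      { id: 'c2', shape: 'process', data: { name: 'API server', threats: [
        { title: 'Forged session token', category: 'Spoofing',
          mitigation: 'Signed, short-lived tokens', status: 'Open' } ] } },
      { id: 'c3', shape: 'store', data: { name: 'User DB', threats: [
        { title: 'Unencrypted backups', category: 'Information disclosure',
          mitigation: 'Encrypt backups at rest', status: 'Mitigated' } ] } },
      { id: 'e1', shape: 'flow', source: { cell: 'c1' }, target: { cell: 'c2' },
        data: { name: 'HTTPS request', threats: [] } },
      { id: 'e2', shape: 'flow', source: { cell: 'c2' }, target: { cell: 'c3' },
        data: { name: 'SQL query', threats: [
          { title: 'Query injection', category: 'Tampering',
            mitigation: 'Parameterised queries', status: 'Open' } ] } },
    ],
  }],
};

// Walk the cells and emit elements, flows and threats as first-class records.
// Problems are collected in `errors` rather than thrown, so a partially broken
// file still yields the parts of the model that are sound.
function toModelCentric(file) {
  const elements = [], flows = [], threats = [], errors = [];
  for (const diagram of file.diagrams) {
    const known = new Set(diagram.cells.map(c => c.id));
    for (const cell of diagram.cells) {
      if (cell.shape === 'flow') {
        const src = cell.source?.cell, dst = cell.target?.cell;
        if (!known.has(src) || !known.has(dst)) {
          errors.push(`flow ${cell.id}: endpoint not in diagram`);
          continue; // a flow without two real endpoints is not part of the model
        }
        flows.push({ id: cell.id, name: cell.data.name, from: src, to: dst });
      } else {
        elements.push({ id: cell.id, kind: cell.shape, name: cell.data.name });
      }
      let n = 0;
      for (const t of cell.data.threats ?? []) {
        if (!STRIDE.includes(t.category)) {
          errors.push(`${cell.id}: unknown category ${t.category}`);
          continue;
        }
        // Threats get their own id and point back at the element or flow they apply to.
        threats.push({ id: `${cell.id}-T${++n}`, target: cell.id, ...t });
      }
    }
  }
  return { elements, flows, threats, errors };
}

// A query that is awkward on the diagram-centric layout but trivial on the model view.
function openThreatsByCategory(model) {
  const counts = {};
  for (const t of model.threats) {
    if (t.status === 'Open') counts[t.category] = (counts[t.category] ?? 0) + 1;
  }
  return counts;
}

console.log(JSON.stringify(toModelCentric(diagramCentric), null, 2));
console.log(openThreatsByCategory(toModelCentric(diagramCentric)));
```

The point of the example is the shape of the output, not the conversion itself: once threats carry a `target` id instead of being nested inside a drawing cell, per-category reporting, cross-format export and diffing between model versions no longer depend on how a particular graph library lays out its cells.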




Version 2.3: in progress

  • provide an API for CI/CD pipelines
  • provide a CLI for scripting based on TD’s existing use of yargs
  • provide multiple methods of authentication and access similar to draw.io login page
  • automated threats (both by element and by OATS)

Version 2.2: released February 2024

Threat model access for web app:

  • load models from various repos:
    • github enterprise
    • gitlab
    • BitBucket

Version 2.1: released October 2023

Stable version of 2.x.x with bug fixes and usable diagram tools. Still not feature complete:

  • missing CLI for scripting
  • missing automated threats (both by element and by OATS)

Version 2.0: released February 2023

migrate to a combined application for both desktop and webapp:

  • be strictly open source
  • use Vue for frontend application
  • use @antv/g6 for the drawing library
  • frontend logging using bunyan and optional logging to the console during development
  • use electron to wrap webapp for desktop
  • provide auto-update using electron
  • expand electron unit tests using WDIO Electron Service
  • webapp unit test framework Jest
  • component test Vue testing library
  • end-to-end test cypress
  • set up ZAP to provide security testing on commit
  • design files are to be backwardly compatible to Threat Dragon json

demonstration pages:

  • an online demonstration to be provided on threat dragon’s site
  • demo should either be a snapshot or a release version

Version 1.4: released May 2021

  • written in javascript ES6 / ECMAScript 2015 or compatible
  • run on node.js server
  • use express for backend application
  • provide a dockerfile for running in docker, similar to existing TD
  • static code analysis using ESLint
  • webapp test runner Karma with Jasmine for Vue Test Utils
  • backend unit test framework MochaJS and assertions from chai
  • bundle the application and api for production using webpack
  • be strictly open source, avoiding using languages or frameworks maintained outside the open source community

documentation:

  • documentation should be updated at the threat dragon github pages
  • version 1.x docs are preserved and migrated to version 2.0
  • docs should be static pages based on Jekyll and markdown

Previous versions

Mike Goodwin’s initial roadmap for the project is archived here. The original roadmap had various milestones, most of which were achieved by late 2020.

Milestone 4: Dev lifecycle integration

  • Some CLI interface available mid 2020

Milestone 3: Release 1.0

  • production version released February 2020
  • version 1.3.1 released October 2020

Milestone 2: Beta release: Threat/mitigation rule engine

  • achieved May 2017 with version 0.1.26

Milestone 1: Alpha release - Basic threat modelling experience

  • achieved October 2015

Releases

| Release | Date | Location | Comments |
|---|---|---|---|
| v2.3 | Dec 2024 | github | suggest threats by element and threats by context, builds for ARM64 platforms and google sign-in feature |
| v2.2 | Feb 2024 | github | add GitLab support and user prompt to save model when quitting |
| v2.1.3 | Jan 2024 | github | bug fix for desktop menu discarding diagram edits, add schema for Open Threat Modeling (OTM) |
| v2.1.2 | Nov 2023 | github | add Bitbucket access, PLOT4ai threats and bug-fix for data-flows overwriting properties |
| v2.1.1 | Oct 2023 | github | desktop version provides guard advising of overwriting threats changes |
| v2.1 | Oct 2023 | github | desktop version provides guard advising of overwriting diagram changes |
| v2.0.9 | Oct 2023 | github | names for diagram data flow and trust boundary curves preserved when unselected |
| v2.0.8 | Oct 2023 | github | diagram component properties correctly displayed when selecting new component |
| v2.0.7 | Sep 2023 | github | fix bug when selecting trust boundary curves |
| v2.0.6 | Sep 2023 | github | ability to filter Github repos; translation for Finnish; improve data flow selection and handling |
| v2.0.4 | Aug 2023 | github | various bug fixes |
| v2.0.2 | Apr 2023 | github | collection of bug fixes; PDF report button, threat IDs fixed, reporting expanded |
| v2.0 | Feb 2023 | github | substantial rewrite for new drawing library @antv/g6 |
| v1.6.1 | Mar 2022 | github | Docs now moved to the new site; last release of 1.x before version 2.0 |
| v1.6 | Dec 2021 | github | Automated threat and context threat generation |
| v1.5.8 | Sep 2021 | github | Shows ‘NA’ threats as completed/mitigated; fixes bug in threat engine (web app only); signed binaries for Windows |
| v1.5.5 | Sep 2021 | github | MacOS images are signed and notarized; Linux Snap image available as snapcraft distribution |
| v1.4 | 5 May 2021 | github | Provides dotenv for environment variables; updates to docker image; substantial code reorganisation |
| v1.3.1 | 26 Oct 2020 | Web app, Desktop | update documentation link to point to new docs page |
| v1.3 | 3 Sep 2020 | Web app, Desktop | support for LINDDUN and CIA as well as STRIDE, and desktop command line interface |
| v1.2 | 14 Apr 2020 | Web app, Desktop | description for diagram elements; label applied to boundaries; save button always enabled; zoom functionality disabled; hot key copy and paste for diagram elements |
| v1.1 | 15 Mar 2020 | Web app | Duplicate element/diagram feature |
| v1.1 | 10 Mar 2020 | Desktop | Bug fix for blank screen on new model, and duplicate element/diagram feature |
| v1.0 | 22 Feb 2020 | Desktop | First full desktop release for Windows, MacOS and Linux |
| v0.1.27-alpha | 28 Jul 2019 | Desktop | Windows desktop only |
| v0.1.26 | 16 May 2017 | Desktop | MacOS and Windows desktop only |
| 0.3.0 | 14 Mar 2017 | Web app | alpha release |
| v0.1.1-alpha | 14 Mar 2016 | Web app | alpha release |