OWASP Threat Dragon


What is Threat Dragon?

OWASP Threat Dragon is a modeling tool used to create threat model diagrams as part of a secure development lifecycle. Threat Dragon follows the values and principles of the threat modeling manifesto. It can be used to record possible threats and decide on their mitigations, as well as giving a visual indication of the threat model components and threat surfaces. Threat Dragon runs either as a web application or as a desktop application.

Threat Dragon supports STRIDE / LINDDUN / CIA / DIE / PLOT4ai, provides modeling diagrams and implements a rule engine to auto-generate threats and their mitigations.

Resources

Use the version 1 or version 2 documentation to get started, along with the recording of Mike Goodwin giving a lightning demo during the OWASP Open Security Summit in June 2020.

An introduction to Threat Dragon is provided by the OWASP Spotlight series, and the Threat Modeling Gamification seminar by Vlad Styran shows how using Threat Dragon can make threat modeling fun.

There are a couple of OWASP community pages that give overviews on Threat Modeling and how to get started: Threat Modeling and Threat Modeling Process.

The easiest way to get in contact with the Threat Dragon community is via the OWASP Slack #project-threat-dragon project channel; you may need to subscribe first.


Threat Dragon: making threat modeling less threatening


FAQs


Initiatives

We greatly appreciate all our contributors: without their open-source contributions Threat Dragon would be long gone.

There are some individuals and teams that have come forward to make an ‘above and beyond’ difference to Threat Dragon, and here they are:

Threat model templates

With the support of Gallagher Security, Ajith Penmatsa (Ajith-Penmatsa-GGL) created a new feature which allows reusable threat-model templates. This is the first step towards providing a set of reusable threats and mitigations, which will provide the sharing of effort and ideas within the global Threat Dragon community.

Integration with EoP Games

A team from the Universidad Católica del Uruguay (UCU) took part in a Coding Challenge to provide integration between Cornucopia and Threat Dragon. In addition they made it extensible so that other EoP-type cards can be integrated into Threat Dragon.

We are very grateful and look forward to more contributions to the open-source community:

and many thanks to Gerardo Canedo (gerardocanedoUCU) for making this happen.

Google Summer of Code 2024

Mohamed El-Bohy (mohamedselbohy) devoted his summer of 2024 to completing the Threat Dragon functionality. When Threat Dragon moved from version 1.x to version 2.x it was not feature complete, and Mohamed implemented these final features for Threat Dragon.

Migration to Vue and antv/x6

Leo Reading (lreading) travelled the long road of migrating Threat Dragon from AngularJS + JointJS to Vue + antv/x6. This ensured that Threat Dragon made it to version 2.x, otherwise Threat Dragon would be swamped with unsupported dependencies.


Strategic Roadmap

Threat Dragon maintains a strategic roadmap in a public GitHub Discussion. Please join us in defining the direction for Threat Dragon!

Release Log

Threat Dragon creates GitHub Releases for each release. Each release contains the artifacts and the change log.

The latest release is always available on GitHub.

Versioning & Release Cadence

Threat Dragon adheres to semantic versioning for all releases. In practice, this means:

  • Patch versions include bug/security fixes, with no breaking changes
  • Minor versions include new features or functionality, with no breaking changes
  • Major versions include breaking changes, major upgrades, etc.

There is no official release cadence at this time. Threat Dragon maintainers create new releases for new features and bugfixes when appropriate.

Major Version Releases

Version 3.0: future initiatives

Version 3 is not well defined at this time. The following features may be included in this future release.

Version 2.0: Modernization

Version 2.0 of Threat Dragon was largely done to reduce existing technical debt and improve the overall maturity of Threat Dragon. Some highlights from this major version:

  • Migration from angular to Vue
  • Upgraded the diagram library
  • Met OpenSSF Best Practices
  • Combined frontend with desktop application
  • Updated threat model schema
  • Implemented end to end testing
  • DAST scanning via Zap
  • Public demo instance

Version 1.0: Initial Release

Mike Goodwin’s initial roadmap for the project is archived here. The original roadmap had various milestones, most of which were achieved by late 2020.

Milestone 4: Dev lifecycle integration

  • Some CLI interface available mid 2020

Milestone 3: Release 1.0

  • production version released February 2020
  • version 1.3.1 released October 2020

Milestone 2: Beta release: Threat/mitigation rule engine

  • achieved May 2017 with version 0.1.26

Milestone 1: Alpha release - Basic threat modelling experience

  • achieved October 2015


Threat model file format

Threat Dragon version 1.x and Threat Dragon version 2.x use closely related but incompatible JSON file formats. In addition, both these file formats are arranged around the diagram elements used by the graph editing engines: JointJS for version 1.x and AntV/X6 for version 2.x. The data model used in the Threat Dragon file format would be better centred around threat model information rather than the data used for graph editing.

Both Threat Dragon file formats are incompatible with other open source Threat Modeling files such as pytm, Threagile and Open Threat Model.

The intention is to change the model file format in Threat Dragon version 3.x onwards. The goal will be to define a file format that is flexible enough to easily convert from the existing:

There is an open discussion for suggestions and debate on this subject.

Threat Model Bill of Materials (TM-BOM)

It is very likely that the model file format used from version 3.x will follow the Threat Model Bill of Materials (TM-BOM) schema. This is similar in philosophy to a Software Bill of Materials (SBOM) and is overseen by the CycloneDX organization.

The proof of concept TM-BOM schema is provided by the OWASP Threat Model Library project. An overview of TM-BOM is available in the Threat Dragon documentation.