Wednesday, May 31, 2017

OWASP Threat Dragon Project Update



OWASP Threat Dragon Project
Project Leader: Mike Goodwin (GitHub link)

Threat modelling is a very powerful technique for finding and fixing design-level flaws in applications. It is especially good at promoting defence-in-depth. However, the free tooling that is currently available is limited. OWASP Threat Dragon aims to fix that by providing a free, open source threat modelling tool that
  • Is cross-platform
  • Is easy and enjoyable to use
  • Integrates well with other SDLC tools
  • Has a powerful threat generation rule engine
Although Threat Dragon is an Incubator project, it is progressing well and I hope it will be ready to be promoted to Labs soon. Some highlights of the project so far:
  • The original working prototype has been given a major architecture review. This was my first node.js project and my first significant Angular application so there were quite a few kinks to be straightened out. Also, I completely rethought the model storage approach - originally it was using browser local storage like Mozilla SeaSponge, but this turned out to be problematic in practice.
  • A web application variant that uses GitHub as a backend for storing model files. I have plans to add support for BitBucket and possibly other backends soon. This source control system integration is key to the success of the project IMO and I have lots of plans for deeper and better integration in the future.
  • An installable, cross-platform desktop variant based on Electron and using the local file system for model storage. This is important for people who use a source control system that is not supported by the web app variant, or for people who want to evaluate the tool without giving it access to their repos. The desktop variant shares >85% of its code with the web app variant - including most of its UI. This is critical to make it manageable by a small team (just me at the moment!). The desktop app is still a little rough around the edges compared to the web app (e.g. no auto-update on OSX yet) but it is getting there and most of my effort on the project is going into that at the moment.
  • Good unit test coverage (>90%). Quality is not just for Flagship projects - Incubator projects need it too!
  • A cute logo dragon called Cupcakes :o) (based on an original image by DreamsOfMine)
So what's next for Threat Dragon? Well, firstly, although I think it's progressing well on the first 3 key project aims, that's just my opinion. It needs feedback. Lots of feedback. All feedback is welcome - feature requests, bug reports or comments on any aspect of the project. Secondly, at the moment it can be used for basic threat modelling, but the threat generation engine is just a stub. You have to come up with all the threats yourself. Threat generation is the next major functional area that I plan to tackle - hopefully with some collaborators. Thirdly, did I say I was interested in feedback?
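To make concrete what a threat generation rule engine does, here is an added illustration that is not Threat Dragon's code: it walks a small data-flow style model (actors, processes, stores and flows) and applies STRIDE-flavoured rules to each element to generate candidate threats with a suggested mitigation. The element flags (`encrypted`, `crossesTrustBoundary`, `authenticatesUsers`, `storesCredentials`), the sample model and the rules themselves are assumptions constructed for this example, not the project's model format or rule set.

```javascript
// Added example: a minimal STRIDE-style threat generation rule engine.
// Not Threat Dragon's own code; the model shape, element flags and rules
// below are assumptions made for illustration.

// Constructed sample model: a browser user logs in to a web application,
// which queries a database. The login flow crosses a trust boundary and
// is not encrypted; the database flow stays inside the boundary.
const sampleModel = {
  elements: [
    { id: 'user', type: 'actor', name: 'Browser user' },
    { id: 'web', type: 'process', name: 'Web application', authenticatesUsers: true },
    { id: 'db', type: 'store', name: 'Customer database', storesCredentials: true },
    { id: 'f1', type: 'flow', name: 'Login request', from: 'user', to: 'web',
      encrypted: false, crossesTrustBoundary: true },
    { id: 'f2', type: 'flow', name: 'SQL query', from: 'web', to: 'db',
      encrypted: true, crossesTrustBoundary: false },
  ],
};

// A rule names the element types it applies to, a predicate that decides
// whether it fires for a given element, and the threat it generates.
const rules = [
  {
    id: 'flow-unencrypted-boundary',
    appliesTo: ['flow'],
    when: (el) => el.crossesTrustBoundary && !el.encrypted,
    threat: (el) => ({
      category: 'Information disclosure',
      title: `Eavesdropping on "${el.name}"`,
      mitigation: 'Protect the flow with TLS and pin or validate the server certificate.',
    }),
  },
  {
    id: 'flow-tampering-boundary',
    appliesTo: ['flow'],
    when: (el) => el.crossesTrustBoundary,
    threat: (el) => ({
      category: 'Tampering',
      title: `Modification of "${el.name}" in transit`,
      mitigation: 'Use an integrity-protected channel and validate all input on receipt.',
    }),
  },
  {
    id: 'process-weak-authentication',
    appliesTo: ['process'],
    when: (el) => el.authenticatesUsers,
    threat: (el) => ({
      category: 'Spoofing',
      title: `Impersonation of users at "${el.name}"`,
      mitigation: 'Enforce strong authentication (MFA, rate limiting, lockout).',
    }),
  },
  {
    id: 'store-credentials',
    appliesTo: ['store'],
    when: (el) => el.storesCredentials,
    threat: (el) => ({
      category: 'Information disclosure',
      title: `Credential exposure from "${el.name}"`,
      mitigation: 'Store only salted hashes from a memory-hard KDF; restrict access.',
    }),
  },
  {
    id: 'insufficient-logging',
    appliesTo: ['process', 'store'],
    when: () => true, // every process and store needs an audit trail
    threat: (el) => ({
      category: 'Repudiation',
      title: `Actions on "${el.name}" cannot be attributed`,
      mitigation: 'Emit tamper-evident audit logs for security-relevant events.',
    }),
  },
];

// Apply every applicable rule to every element; each hit becomes a threat
// record that points back at the element and rule that produced it.
function generateThreats(model, ruleSet = rules) {
  const threats = [];
  for (const el of model.elements) {
    for (const rule of ruleSet) {
      if (!rule.appliesTo.includes(el.type)) continue;
      if (!rule.when(el, model)) continue;
      threats.push({ elementId: el.id, ruleId: rule.id, ...rule.threat(el) });
    }
  }
  return threats;
}

// Count generated threats per STRIDE category, e.g. for a model summary view.
function summariseByCategory(threats) {
  return threats.reduce((acc, t) => {
    acc[t.category] = (acc[t.category] || 0) + 1;
    return acc;
  }, {});
}

console.log(JSON.stringify(summariseByCategory(generateThreats(sampleModel)), null, 2));
```

The rules are data rather than code paths, so a rule set can be edited or extended without touching the engine; keeping `elementId` and `ruleId` on each generated threat makes it possible to show the user why a threat was suggested and to suppress a rule for a specific element once it has been reviewed.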


Please give it a try and let me know what you think!  
