Shostack + Friends Blog


Threat Modeling Tooling from 2017


As I reflect back on 2017, I think it was a tremendously exciting year for threat modeling tooling. Some of the highlights for me include:

  • OWASP Threat Dragon is a web-based tool, much like the MS threat modeling tool; it is explained in Open Source Threat Modeling, and the code is at https://github.com/mike-goodwin/owasp-threat-dragon. What's exciting is not that it's open source, but that it's web-driven, and that enables modern communication and collaboration in the way that's rapidly replacing emailing documents around.
  • Tutamen is an exciting tool because its simplicity forced me to re-think what threat modeling tooling could be. Right now, you upload a Visio diagram, and you get back a threat list in Excel, covering OWASP, STRIDE, CWE and CAPEC. If Threat Dragon is an IDE, Tutamen is a compiler.
  • We're seeing real action in security languages. Fraser Scott is driving an OWASP Cloud Security project to create structured stories about threats and controls. If Tutamen is a compiler, this project lets us think about different include files. (The two are not yet, and may never be, integrated.) And closely related, Continuum Security has a BDD-Security project [link to https://www.continuumsecurity.net/bdd-security/ no longer works].
  • Continuum's also doing interesting work with IriusRisk [link to https://www.continuumsecurity.net/threat-modeling-tool/ no longer works], which they describe as "a single integrated console to manage application security risk throughout the software development process." If the tools above are about depth, IriusRisk is about helping large organizations with breadth.
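To make the "compiler" and "include files" analogies concrete, here is a small added example (mine, not code from Tutamen, Threat Dragon or the OWASP Cloud Security project): it takes a structured data-flow diagram, applies the standard STRIDE-per-element chart to each element, pulls a suggested control from a swappable controls catalogue, and emits the result as a CSV threat list. The DFD, the element names and the controls catalogue are constructed for illustration; the STRIDE-per-element mapping is the usual chart (external entities get S and R, processes get all six, data stores get T, R, I and D, data flows get T, I and D).

```python
import csv
import io
from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Standard STRIDE-per-element chart: which categories apply to which DFD element kind.
STRIDE_PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}

# A tiny controls "include file" (constructed here; stands in for the kind of
# structured threat/control stories the post describes). Swap in another
# catalogue to change what the compiler emits without touching the DFD.
CONTROLS = {
    "Spoofing": "Authenticate the peer (mutual TLS, signed tokens).",
    "Tampering": "Integrity-protect data in transit and at rest (TLS, MACs, signatures).",
    "Repudiation": "Keep tamper-evident audit logs with reliable timestamps.",
    "Information disclosure": "Encrypt and apply least-privilege access control.",
    "Denial of service": "Rate-limit, set quotas and timeouts.",
    "Elevation of privilege": "Validate input; enforce authorization at every entry point.",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                            # one of STRIDE_PER_ELEMENT's keys
    crosses_trust_boundary: bool = False  # meaningful for data flows


@dataclass(frozen=True)
class Threat:
    element: str
    category: str
    control: str
    priority: str


def generate_threats(elements, controls=CONTROLS):
    """Compile a DFD (list of Elements) into a flat STRIDE threat list."""
    threats = []
    for e in elements:
        if e.kind not in STRIDE_PER_ELEMENT:
            raise ValueError(f"unknown element kind: {e.kind!r}")
        # Flows that cross a trust boundary are where attention goes first.
        priority = "high" if e.crosses_trust_boundary else "normal"
        for letter in STRIDE_PER_ELEMENT[e.kind]:
            category = STRIDE[letter]
            threats.append(Threat(e.name, category, controls[category], priority))
    return threats


def to_csv(threats):
    """Render the threat list as CSV text (the spreadsheet-shaped output)."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["element", "category", "priority", "suggested control"])
    for t in threats:
        writer.writerow([t.element, t.category, t.priority, t.control])
    return buf.getvalue()


# Constructed sample DFD: a browser talking to a web app backed by a database.
SAMPLE_DFD = [
    Element("Browser", "external_entity"),
    Element("Web app", "process"),
    Element("Orders DB", "data_store"),
    Element("Browser -> Web app (HTTPS)", "data_flow", crosses_trust_boundary=True),
    Element("Web app -> Orders DB", "data_flow"),
]

if __name__ == "__main__":
    print(to_csv(generate_threats(SAMPLE_DFD)))
```

Running it on the sample DFD yields 18 candidate threats (2 + 6 + 4 + 3 + 3), with the three on the boundary-crossing flow marked high priority. The point of separating `STRIDE_PER_ELEMENT` from `CONTROLS` is the "include file" idea: the same diagram compiled against a different controls catalogue gives a different mitigation list.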

Did you see anything that was exciting that I missed? Please let me know in the comments!