OWASP / threat-dragon

An open source threat modeling tool from OWASP
https://owasp.org/www-project-threat-dragon/
Apache License 2.0
874 stars 231 forks

Support for more granular threats using threat trees #607

Open amad-person opened 1 year ago

amad-person commented 1 year ago

Describe what problem your feature request solves

While documenting specific threats, it would be helpful if we could select more granular threats in the Edit Threat modal. For example, LINDDUN and STRIDE both have threat trees corresponding to each threat. The frameworks refer to these trees in their mitigation strategies section, so having this feature would be useful to quickly find the corresponding mitigations. More context is provided below.

Describe the solution you'd like

Currently we can select the type of threat in the Edit Threat modal. This type corresponds to the root node of a threat tree. Perhaps there could be an additional drop-down menu below this with options for each of the child nodes in the corresponding threat trees?

Additional context

For example, the Linkability threat in LINDDUN has the threat tree shown below. On selecting Linkability in the Edit Threat modal, another dropdown below could have options corresponding to the child nodes in this tree.

[Image: diagram showing the LINDDUN Linkability threat tree]

Source: Linkability Threat Trees

Having this information could then allow us to find the corresponding mitigation strategies from a table like this one:

[Image: LINDDUN mitigation strategies]

Source: LINDDUN Mitigation Strategies

Thank you!

jgadsden commented 1 year ago

Hello @amad-person. This would be a really good feature to have, and has been discussed for as long as I have been with Threat Dragon. It would be a large change to TD, and very worthwhile, but at present we have no contributors that can provide the time to do this. If you could provide that effort then it could be done?

amad-person commented 1 year ago

@jgadsden I'll have more time to work on this in a couple of weeks, but in the meantime could you help me confirm that this is the latest setup guide I need to follow for local development?

jgadsden commented 1 year ago

Hello @amad-person - yes, that is the best quick start guide to follow. Thanks for helping on this.

sparticvs commented 1 year ago

I'd really love to see the ability to create attack trees on a per-entity basis; that would be really helpful.

jgadsden commented 1 month ago

Hello @amad-person and @sparticvs - version 2.3 is due to be released next month (August 2024), so I am bumping this back if that is OK with you.