OWASP / threat-dragon

An open source threat modeling tool from OWASP
https://owasp.org/www-project-threat-dragon/
Apache License 2.0
902 stars 244 forks

Only three STRIDE types available while trying to add a new threat #768

Closed peterdew closed 10 months ago

peterdew commented 11 months ago

Describe the bug: In the Threat Dragon tool, while trying to add a new threat to a dataflow, I noticed that I can only select from three STRIDE types (Tampering, Information disclosure, Denial of Service) instead of the expected six STRIDE threat types.

Expected behaviour: When adding a new threat, I expect to see all six STRIDE threat types (Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service, Elevation of Privilege) available for selection.

Environment:

Version: 2.0.9
Platform: DesktopApp
OS: Windows 10
Browser: NVT

To Reproduce:

1. Open the Threat Dragon tool.
2. Navigate to the section to add a new threat to a dataflow.
3. Click on the STRIDE type dropdown.
4. Observe that only three types (Tampering, Information disclosure, Denial of Service) are available for selection.

Any additional context, screenshots, etc: I've attached a screenshot showcasing the issue.

[Screenshot: 2023-10-18 08_37_46-OWASP Threat Dragon]

jgadsden commented 11 months ago

Hello @peterdew - thanks for raising this point. What we implement is STRIDE per Element, which follows this table:

According to the type of diagram (STRIDE, LINDDUN and CIA), Threat Dragon will restrict the threat type according to the element chosen. If you find this too restrictive then change the diagram type to ‘Generic’ and this will allow you to select any threat type for any type of element; you can always change the diagram back to STRIDE, LINDDUN or CIA later on.

I think it is good that the documentation is changed to emphasise this, probably on this page: https://owasp.org/www-project-threat-dragon/docs-2/threats/
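The restriction described in the comment above, as an added example that is not part of the original thread and is not Threat Dragon's own code: a small audit that flags threats recorded against an element type they do not apply to, and chart categories an element has no threat for yet. Assumptions: the chart is the commonly published STRIDE-per-element chart (the table the comment refers to is not reproduced on this page), the model shape and function names are hypothetical, and only the STRIDE and Generic diagram types are covered.

```javascript
// Commonly published STRIDE-per-element chart (assumption: not copied from Threat Dragon).
const STRIDE = ['Spoofing', 'Tampering', 'Repudiation', 'Information disclosure',
  'Denial of Service', 'Elevation of Privilege'];
const PER_ELEMENT = {
  actor: ['Spoofing', 'Repudiation'],
  process: STRIDE,
  store: ['Tampering', 'Repudiation', 'Information disclosure', 'Denial of Service'],
  flow: ['Tampering', 'Information disclosure', 'Denial of Service'],
};

// Threat types selectable for an element; a 'Generic' diagram lifts the restriction.
function allowedTypes(diagramType, elementType) {
  if (!PER_ELEMENT[elementType]) throw new Error(`unknown element type: ${elementType}`);
  if (diagramType === 'Generic') return STRIDE;
  if (diagramType === 'STRIDE') return PER_ELEMENT[elementType];
  throw new Error(`diagram type not covered by this example: ${diagramType}`);
}

// Audit a model (hypothetical shape): flag recorded threats whose type the diagram
// type does not permit for that element, and chart categories with no threat yet.
function auditModel(model) {
  const findings = [];
  for (const el of model.elements) {
    const allowed = allowedTypes(model.diagramType, el.type);
    const expected = PER_ELEMENT[el.type];
    const recorded = new Set(el.threats.map((t) => t.type));
    for (const type of recorded) {
      if (!allowed.includes(type)) {
        findings.push({ element: el.name, kind: 'not-applicable', type });
      }
    }
    for (const type of expected) {
      if (!recorded.has(type)) findings.push({ element: el.name, kind: 'uncovered', type });
    }
  }
  return findings;
}

// Constructed sample model, not Threat Dragon's file format.
const sampleModel = {
  diagramType: 'STRIDE',
  elements: [
    { name: 'Browser', type: 'actor', threats: [{ type: 'Spoofing' }] },
    { name: 'Login request', type: 'flow',
      threats: [{ type: 'Tampering' }, { type: 'Spoofing' }] },
  ],
};
console.log(auditModel(sampleModel));
```

With the diagram type set to 'Generic', the Spoofing threat on the flow is no longer flagged as not applicable, while the uncovered categories are still reported against the chart.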

Atharva-Kanherkar commented 11 months ago

Hi, I see the documentation is changed to emphasize what you've written. But the issue is still open. Is there any help required in editing the documentation? Happy to help!

jgadsden commented 11 months ago

Hello @Atharva-Kanherkar, yes absolutely, if you would like to create a pull request in the documentation repo with changes for the page /docs-2/threats/ that would be great

Atharva-Kanherkar commented 11 months ago

> hello @Atharva-Kanherkar, yes absolutely, if you would like to create a pull request in the documentation repo with changes for the page /docs-2/threats/ that would be great

Thank you! I want to help with this issue; it would be very helpful if you could provide some more details on what I can change in the documentation.

jgadsden commented 10 months ago

@peterdew and @Atharva-Kanherkar this is related to a blocking bug #786

If a diagram node is selected when a dataflow is added, data-flow attributes are wrongly applied to the selected node. This has the consequences that:

this happens when either a dataflow is added by double click or when the dataflow is added from the pick area - all it needs is that a node is selected when a dataflow is added