Fill in info on various threat modeling tools

[ZenW00kie]

Found in project/ThreatModelingTools.md for each tool we need the following:

• Status : is it being actively developed (i.e. contributions in the last year), is it stale (i.e. no contributions in the last year), or proprietary (i.e. we can't assess)
• Summary : Short 2-3 sentence summary about the tool
• Advantages : Short 3-5 bullets on what the tool does well
• Limitations: short 3-5 bullets on what the tool is lacking

For both advantages and limitations, it would be good to reference which of our design goals (see project/OVERVIEW.md# Design Goals) are being used/not used. Additionally, for the tools that are labeled as DSLs or UIs, we want to evaluate how expressive they are using a few examples that we have. The first is from a medical device standard ISO 11073 (see attached) Annex E), one of the four examples listed in Adam Shostack's book (again it's in Appendix E, and you can use your Tufts account to access the book here), and then the threat model described in this work from researchers at Queen's.

List of Tools

Diagramming Only

• [ ] draw.io
• [ ] C4
• [x] Mermaid
• [ ] Structurizr
• [x] Diagrams
• [x] PlantUML

  DSLs/Threat Modeling as Code

• [x] pytm
• [ ] MAL
• [ ] Threagile
• [ ] threatcl
• [x] threatspec
• [ ] threat-composer

  UIs

• [ ] IriusRisk
• [x] Threat Dragon
• [ ] Microsoft Threat Modeling Tool
• [ ] Threats Manager Studio
• [x] Theat Modeler
• [ ] Trike
• [ ] Tutamantic
• [ ] ADTool
• [ ] AT-AT
• [ ] Ent
• [ ] SeaMonster
• [ ] IsoGraph
• [ ] SecurITree
• [ ] RiskTree
• [ ] Deciduous
• [ ] Sparta

[ZenW00kie]

@dvotipka probably want to update the evaluation method to be more specific, rather than just the four points I have. Not sure if you have a template, but I know we've looked at this from CMU in the past.

[ZenW00kie]

And if you can't access Adam's book let me know!

[ZenW00kie]

@lisadang04 @esamnesru @giakwon pick three tools each to work through (pick one from each category)