Teaching Cyber Blog

So, DevSecOps Threat Modelling Tools, Which One To Use?

Threat modelling is a thought process for identifying potential security risks.  Ideally it is done as early as possible within the software development lifecycle, at the design stage.  Threat modelling meetings should be engaging and not long-winded, with a clear end point and no recurring meetings unless there is a significant change in the design.  They require attendees not only from security, but also developers, support teams, managers and testers.  Supporting tools may be used to help capture the threat model.  This is not an endorsement of any particular product.

Excel, yes, the humble spreadsheet, can be used to create your own free threat model, using fields applicable to your own organisation as well as fields commonly associated with threat model frameworks.  This lets you create anything from simple to complicated threat model templates that you can reuse.

Microsoft Threat Modeling Tool is free software created by Microsoft; it allows you to identify and mitigate potential security risks. Users can create threat models, document potential threat scenarios, and generate reports. It integrates with Visual Studio. https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool

OWASP Threat Dragon is free, open-source, cross-platform software created by OWASP that allows users to draw threat model diagrams. https://owasp.org/www-project-threat-dragon/

IriusRisk is commercial software. It supports different threat modelling methodologies. https://www.iriusrisk.com/

Python Threat Modeling (pytm) is a free, open-source library.  It consists of a set of Python scripts and modules for creating threat models programmatically. https://github.com/izar/pytm
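To show what "creating threat models programmatically" means in practice, here is an added, self-contained example (it is not pytm's own code or API, and does not import pytm): elements are placed inside trust boundaries, dataflows connect them, and a small STRIDE-style rule set derives findings from the model. The `to_csv` output is the same kind of table the spreadsheet approach above captures by hand. The architecture, element names and rules are constructed for illustration only.

```python
# Added illustration of the "threat model as code" idea (not pytm's API):
# elements live inside trust boundaries, dataflows connect them, and a
# small rule set derives STRIDE-style findings from the model.
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Boundary:
    name: str


@dataclass(frozen=True)
class Element:
    name: str
    kind: str            # "actor", "process" or "datastore"
    boundary: Boundary
    audit_logged: bool = True


@dataclass(frozen=True)
class Dataflow:
    source: Element
    sink: Element
    label: str
    encrypted: bool
    authenticated: bool

    def crosses_boundary(self) -> bool:
        # A flow between two different trust boundaries deserves extra scrutiny.
        return self.source.boundary != self.sink.boundary


@dataclass(frozen=True)
class Finding:
    category: str        # one STRIDE letter
    target: str          # element or flow the finding applies to
    description: str


class ThreatModel:
    def __init__(self, name: str) -> None:
        self.name = name
        self.elements: List[Element] = []
        self.flows: List[Dataflow] = []

    def add(self, *items) -> None:
        for item in items:
            (self.flows if isinstance(item, Dataflow) else self.elements).append(item)

    def findings(self) -> List[Finding]:
        # Three illustrative rules; a real rule set would be far larger.
        out: List[Finding] = []
        for f in self.flows:
            target = f"{f.source.name} -> {f.sink.name} ({f.label})"
            if f.crosses_boundary() and not f.encrypted:
                out.append(Finding("I", target, "plaintext crosses a trust boundary"))
                out.append(Finding("T", target, "unprotected data in transit can be modified"))
            if f.crosses_boundary() and not f.authenticated:
                out.append(Finding("S", target, "sink cannot verify the source identity"))
        for e in self.elements:
            if e.kind in ("process", "datastore") and not e.audit_logged:
                out.append(Finding("R", e.name, "no audit log so actions cannot be attributed"))
        return out

    def to_csv(self) -> str:
        # Spreadsheet-friendly output: one finding per row.
        rows = ["category,target,description"]
        rows += [f"{x.category},{x.target},{x.description}" for x in self.findings()]
        return "\n".join(rows)


def build_sample_model() -> ThreatModel:
    # Constructed sample architecture, not taken from any real system.
    internet, dmz, internal = Boundary("Internet"), Boundary("DMZ"), Boundary("Internal")
    user = Element("Customer", "actor", internet)
    web = Element("Web server", "process", dmz)
    db = Element("Orders DB", "datastore", internal, audit_logged=False)
    tm = ThreatModel("Order service")
    tm.add(user, web, db,
           Dataflow(user, web, "HTTPS request", encrypted=True, authenticated=False),
           Dataflow(web, db, "SQL query", encrypted=False, authenticated=True))
    return tm


if __name__ == "__main__":
    print(build_sample_model().to_csv())
```

Running the script prints four findings for the sample model: spoofing on the unauthenticated customer request, information disclosure and tampering on the plaintext database query that crosses from the DMZ into the internal network, and repudiation on the unlogged datastore. Because the model is plain code, it can live next to the application source and be re-run in a pipeline whenever the design changes.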

ThreatModeler is commercial threat modelling software. It integrates with other security tools and issue trackers. https://threatmodeler.com/threatmodeler-6-0/

Threagile is free, open-source threat modelling software, with tutorials on performing a threat model. https://threagile.io

Overall, if threat modelling is a new process for you and your organisation, it is highly recommended to keep the overall process agile and light so that it is not too much of a burden on the stakeholders.  Encourage and praise non-security colleagues for their contributions.  Use tools and software that are familiar to the widest possible user base; spending a large amount on licence fees for software that colleagues will not adopt may be embarrassing for the security team.  Of course there are numerous articles and books on this subject; learn the process, with less focus on the tool.