Anthropic-Cybersecurity-Skills performing-threat-modeling-with-owasp-threat-dragon

Use OWASP Threat Dragon to create data flow diagrams, identify threats using STRIDE and LINDDUN methodologies,

install

source · Clone the upstream repo

git clone https://github.com/mukul975/Anthropic-Cybersecurity-Skills

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/mukul975/Anthropic-Cybersecurity-Skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/performing-threat-modeling-with-owasp-threat-dragon" ~/.claude/skills/mukul975-anthropic-cybersecurity-skills-performing-threat-modeling-with-owasp-th && rm -rf "$T"

manifest: skills/performing-threat-modeling-with-owasp-threat-dragon/SKILL.md

source content

Performing Threat Modeling with OWASP Threat Dragon

Overview

OWASP Threat Dragon is an open-source threat modeling tool that enables security teams and developers to create threat model diagrams, identify threats using established methodologies (STRIDE, LINDDUN, CIA, DIE, PLOT4ai), and generate comprehensive reports. Threat Dragon runs as both a web application and desktop application (Windows, macOS, Linux), supporting distributed teams working collaboratively on threat models. Version 2.x provides drag-and-drop diagram creation, an auto-generation rule engine for threats and mitigations, and PDF report output for documentation and GRC compliance.

When to Use

When conducting security assessments that involve performing threat modeling with owasp threat dragon
When following incident response procedures for related security events
When performing scheduled security testing or auditing activities
When validating security controls through hands-on testing

Prerequisites

OWASP Threat Dragon desktop application or web instance
Understanding of data flow diagram (DFD) notation
Familiarity with STRIDE or LINDDUN threat classification
Application architecture documentation and network diagrams
Stakeholder access for design review sessions

Threat Modeling Methodologies

STRIDE

Category	Threat Type	Description	Example
S	Spoofing	Impersonating a user or system	Stolen session tokens
T	Tampering	Modifying data in transit or at rest	SQL injection altering records
R	Repudiation	Denying an action occurred	Missing audit logs
I	Information Disclosure	Exposing sensitive data	API returning excessive fields
D	Denial of Service	Making a service unavailable	Resource exhaustion attack
E	Elevation of Privilege	Gaining unauthorized access	Broken access control

LINDDUN (Privacy-Focused)

Category	Threat Type	Description
L	Linkability	Associating data items across contexts
I	Identifiability	Identifying an individual from data
N	Non-repudiation	Inability to deny an action (privacy risk)
D	Detectability	Determining if data about a subject exists
D	Disclosure	Exposing personal information
U	Unawareness	User unaware of data collection
N	Non-compliance	Violating privacy regulations

Workflow

Step 1 --- Install Threat Dragon

Desktop Application: Download the installer from the OWASP Threat Dragon releases page for Windows (.exe), macOS (.dmg), or Linux (.AppImage/.deb/.rpm).

Web Application (Docker):

docker run -p 3000:3000 \
  -e ENCRYPTION_JWT_SIGNING_KEY=$(openssl rand -hex 32) \
  -e ENCRYPTION_JWT_REFRESH_SIGNING_KEY=$(openssl rand -hex 32) \
  -e ENCRYPTION_KEYS='[{"isPrimary":true,"id":0,"value":"'$(openssl rand -hex 16)'"}]' \
  -e NODE_ENV=production \
  owasp/threat-dragon:latest

Step 2 --- Define the Scope

Before creating diagrams, document the scope:

System name and description
Assets being protected (user data, credentials, payment info)
External dependencies (third-party APIs, cloud services)
Compliance requirements (GDPR, HIPAA, PCI DSS)
Trust boundaries (network segments, authentication zones)

Step 3 --- Create Data Flow Diagrams

In Threat Dragon, create a new threat model and add diagrams using the following DFD elements:

Processes: Applications, microservices, API endpoints that transform data. Represented as circles/rounded rectangles.

Data Stores: Databases, file systems, caches, message queues that persist data. Represented as parallel lines.

External Entities: Users, external systems, third-party services outside the trust boundary. Represented as rectangles.

Data Flows: Communication channels between elements showing data direction. Represented as arrows with labels describing the data.

Trust Boundaries: Dashed lines separating zones of different trust levels (internet/DMZ/internal network, user/admin).

Step 4 --- Identify Threats

For each DFD element, apply the STRIDE methodology:

Element Type	Applicable STRIDE Categories
External Entity	Spoofing, Repudiation
Process	Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of Privilege
Data Store	Tampering, Information Disclosure, DoS
Data Flow	Tampering, Information Disclosure, DoS

Threat Dragon's rule engine automatically suggests threats based on element types. Review each suggestion and mark as:

Mitigated: Existing controls address the threat
Not Applicable: Threat does not apply to this context
Open: Threat needs to be addressed (assign priority and owner)

Step 5 --- Define Mitigations

For each open threat, document:

Mitigation strategy (prevent, detect, respond, transfer)
Specific technical controls (encryption, authentication, rate limiting)
Owner responsible for implementation
Priority and timeline for remediation

Step 6 --- Generate Reports

Threat Dragon produces PDF reports containing:

Executive summary of the threat model
Data flow diagrams with annotations
Threat inventory with severity ratings
Mitigation status and recommendations
Compliance mapping where applicable

Step 7 --- Integrate into SDLC

Conduct threat modeling during the design phase of new features
Update threat models when architecture changes occur
Review threat models during security design reviews
Store threat model files in version control alongside code
Reference threat model findings in security acceptance criteria

Threat Model File Format

Threat Dragon uses JSON format for threat models, enabling version control and programmatic manipulation:

{
  "version": "2.2.0",
  "summary": {
    "title": "E-Commerce Application",
    "owner": "Security Team",
    "description": "Threat model for the checkout flow"
  },
  "detail": {
    "contributors": [
      {"name": "Security Architect"}
    ],
    "diagrams": [
      {
        "id": 0,
        "title": "Checkout Flow",
        "diagramType": "STRIDE",
        "cells": []
      }
    ]
  }
}

CycloneDX TMBOM Integration

Threat Dragon participates in the CycloneDX Threat Model Bill of Materials (TMBOM) effort, enabling export to a common format that can be consumed by other threat modeling tools and GRC platforms, preventing vendor lock-in.

Best Practices

Start simple: Begin with high-level DFDs (Level 0) before decomposing into detailed diagrams
Involve developers: Include development team members in threat modeling sessions for realistic threat assessment
Time-box sessions: Limit initial sessions to 90 minutes; iterate in follow-up sessions
Prioritize by risk: Use severity ratings (Critical, High, Medium, Low) to prioritize mitigations
Living documents: Treat threat models as living documents that evolve with the system
Automate where possible: Use the rule engine for initial threat generation, then refine manually