Thank you for joining us at our 20th Anniversary Event! All sessions were recorded and will be posted in the coming weeks on the OWASP YouTube channel.

We have been working hard to secure the world through challenges and discovery. And now, it’s time to celebrate! Many of you have played a crucial role in the Foundation’s enduring history, and we encourage you to participate in the celebration coming this September! Our theme, Securing the Next 20 Years, is encouraging and exciting as we look ahead to the next 20 years!

Join us for FREE at this live 24-hour global event as we honor the past, celebrate the present, and embrace the future of OWASP and cybersecurity. Hear from world-renowned keynotes and special speakers, and network with your peers. It is FREE to attend, however, registration IS required, to gain access to the session links.

Back To Schedule
Friday, September 24 • 10:00am - 10:30am
Agile Threat Modeling with Open-Source Tools

Log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
How can we quickly capture the risk landscape of agile projects to ensure we didn't miss an important thing? Traditionally, this happens in workshops with lots of discussion and model work on the whiteboard. It's just a pity that it often stops then: Instead of a living threat model, a slowly but surely eroding artifact is created, while the agile project evolves at a faster pace.

In order to counteract this process of decay, something has to be done continuously, something like "Threat-Model-as-Code" in the DevSecOps sense. The open-source tool Threagile implements the ideas behind this approach: Agile developer-friendly threat modeling right from within the IDE. Models editable in developer IDEs and diffable in Git, which automatically derive risks including graphical diagram and report generation with recommended mitigation actions.

The open-source Threagile toolkit runs either as a command line tool or a full-fledged server with a REST-API: Given information about your data assets, technical assets, communication links, and trust boundaries as input in a simple to maintain YAML file, it executes a set of over 40 built-in risk rules (and optionally your custom risk rules) against the processed model. The resulting artifacts are diagrams, JSON, Excel, and PDF reports about the identified risks, their rating, and the mitigation steps as well as risk tracking state.

Agile development teams can easily integrate threat modeling into their process by maintaining a simple YAML input file about their architecture and the open-source Threagile toolkits handles the risk evaluation. 

avatar for Christian Schneider

Christian Schneider

Freelancer, Christian Schneider
Christian has pursued a successful career as a freelance Java software developer since 1997 and expanded it in 2005 to include the focus on IT security. His major areas of work are penetration testing, security architecture consulting, and threat modeling. As a trainer, Christian... Read More →

Friday September 24, 2021 10:00am - 10:30am EDT