AI-powered threat model generation from Data Flow Diagrams using OWASP Threat Model Library
A comprehensive tool that automatically analyzes Data Flow Diagrams (DFDs) and generates detailed threat models using OWASP threat patterns and STRIDE methodology.
- Interactive DFD Builder: Visual interface to define your system architecture
- Automated Threat Detection: Uses OWASP threat patterns to identify vulnerabilities
- STRIDE Analysis: Comprehensive security threat categorization
- Multiple Export Formats: JSON and CSV exports for integration with other tools
- Detailed Reports: Executive summaries and mitigation recommendations
- Real-time Validation: DFD validation with security warnings
- Severity Classification: Threats categorized by risk levels (Critical, High, Medium, Low)
- Node.js 16+
- npm or yarn
```bash
# Clone the repository
git clone https://github.com/islamoc/dfd-threat-model-generator.git
cd dfd-threat-model-generator
# Install dependencies
npm install
# Start the server
npm start
```
The application will be available at http://localhost:3000
- Enter your project name and description
- Add system elements (Actors, Processes, Data Stores, External Entities)
- Define data flows between elements
- Mark flows carrying sensitive data
- Specify communication protocols
- Click "Generate Threat Model" button
- The system analyzes your DFD against OWASP threat patterns
- Threats are automatically identified and categorized
- All Threats Tab: Complete list of identified threats
- By Severity Tab: Threats grouped by risk level
- By STRIDE Tab: Threats categorized by STRIDE classification
- Report Tab: Executive summary with recommendations
- Export threat model as JSON for tool integration
- Export as CSV for spreadsheet analysis
- Print detailed reports
```
server.js                  # Express API server
src/
├── threatGenerator.js     # Threat identification and analysis
├── threatLibrary.js       # OWASP threat patterns database
└── dfdValidator.js        # DFD validation logic
public/
├── index.html             # UI interface
└── app.js                 # Frontend logic
```
```json
{
  "id": "dfd_123",
  "name": "E-Commerce Platform",
  "description": "Online shopping system",
  "elements": [
    {
      "id": "elem_1",
      "name": "Web Server",
      "type": "process",
      "trustLevel": "trusted"
    }
  ],
  "dataflows": [
    {
      "id": "df_1",
      "name": "User Login",
      "from": "elem_user",
      "to": "elem_server",
      "protocol": "HTTPS",
      "hasSensitiveData": true,
      "isEncrypted": true
    }
  ]
}
```
The threat model uses STRIDE for threat categorization:
- Spoofing: Identity spoofing attacks
- Tampering: Data modification attacks
- Repudiation: Denial of actions
- Information Disclosure: Data exposure
- Denial of Service: System unavailability
- Elevation of Privilege: Unauthorized access escalation
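As an added example (not the project's own code), a small analyser in the spirit of `threatGenerator.js`: it walks a DFD in the JSON format shown above, flags dataflows that reference undeclared elements, and emits STRIDE-tagged findings with the README's severity levels for unencrypted and sensitive flows. The function names, the rules and the sample DFD are assumptions constructed for this illustration.

```javascript
// Added example, not the project's own code. Rules and names are assumptions.
// Constructed sample DFD; df_3 points at an undeclared element to exercise validation.
const sampleDfd = {
  id: "dfd_demo", name: "E-Commerce Platform",
  elements: [
    { id: "elem_user", name: "Customer", type: "actor", trustLevel: "untrusted" },
    { id: "elem_server", name: "Web Server", type: "process", trustLevel: "trusted" },
    { id: "elem_worker", name: "Batch Worker", type: "process", trustLevel: "untrusted" },
  ],
  dataflows: [
    { id: "df_1", name: "User Login", from: "elem_user", to: "elem_server",
      protocol: "HTTPS", hasSensitiveData: true, isEncrypted: true },
    { id: "df_2", name: "Session Cookie", from: "elem_server", to: "elem_user",
      protocol: "HTTP", hasSensitiveData: true, isEncrypted: false },
    { id: "df_3", name: "Metrics", from: "elem_worker", to: "elem_cache",
      protocol: "HTTP", hasSensitiveData: false, isEncrypted: false },
  ],
};

function analyzeDfd(dfd) {
  const known = new Set(dfd.elements.map((e) => e.id));
  const findings = [];
  for (const flow of dfd.dataflows) {
    // Structural validation: both endpoints must be declared elements.
    for (const end of ["from", "to"]) {
      if (!known.has(flow[end])) {
        findings.push({ target: flow.id, stride: "Validation", severity: "Warning",
          issue: `${end} references undeclared element ${flow[end]}` });
      }
    }
    // Encryption detection: plaintext unless marked encrypted and not bare HTTP.
    const plaintext = !flow.isEncrypted || /^http$/i.test(flow.protocol);
    if (plaintext && flow.hasSensitiveData) {
      findings.push({ target: flow.id, stride: "Information Disclosure", severity: "Critical", issue: "Sensitive data on an unencrypted flow" });
    }
    if (plaintext) {
      findings.push({ target: flow.id, stride: "Tampering", severity: flow.hasSensitiveData ? "High" : "Medium", issue: "Unencrypted flow can be modified in transit" });
    }
  }
  for (const el of dfd.elements) {
    if (el.type === "process" && el.trustLevel !== "trusted") {
      findings.push({ target: el.id, stride: "Elevation of Privilege", severity: "High", issue: "Untrusted process can be used to escalate privilege" });
    }
  }
  return findings;
}

// Tally findings by severity, like the "By Severity" tab in the UI.
function countBySeverity(findings) {
  return findings.reduce((acc, f) => ({ ...acc, [f.severity]: (acc[f.severity] || 0) + 1 }), {});
}
```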
The tool uses threat patterns from:
```
GET  /api/health                     # Health check
GET  /api/threats/library            # Get library metadata
GET  /api/threats/patterns/:type     # Get patterns by element type
POST /api/dfd/validate               # Validate DFD structure
POST /api/threats/generate           # Generate threat model from DFD
POST /api/reports/threat-analysis    # Generate detailed report
POST /api/export/json                # Export threat model
```
- Input Validation: All DFD inputs validated against schema
- CORS Protection: Cross-Origin Resource Sharing configured
- Threat Mitigation: Recommended mitigations for each threat
- Trust Boundaries: Support for defining security boundaries
- Encryption Detection: Identifies unencrypted data flows
The system identifies threats such as:
- Man-in-the-Middle Attacks: On unencrypted HTTP flows
- SQL Injection: In database interactions
- Privilege Escalation: In process-based components
- Data Exposure: On sensitive unencrypted dataflows
- Broken Authentication: In actor interactions
- Business Logic Bypass: In process components
- Actor/User: External users or actors
- Process: Business logic components
- Data Store: Databases or file systems
- External Entity: Third-party systems
```bash
# Run tests (when implemented)
npm test
```
- express: Web framework
- cors: Cross-origin resource sharing
- uuid: Unique ID generation
- jsonschema: Schema validation
Contributions are welcome! Please:
- Fork the repository
- Create a feature branch (`git checkout -b feature/amazing-feature`)
- Commit changes (`git commit -m 'Add amazing feature'`)
- Push to branch (`git push origin feature/amazing-feature`)
- Open a Pull Request
Found a bug? Please open an issue with:
- Description of the problem
- Steps to reproduce
- Expected vs actual behavior
- System information
MIT License - see LICENSE file for details
Mennouchi Islam Azeddine
- GitHub: @islamoc
- Email: azeddine.mennouchi@owasp.org
- LinkedIn: Profile
- OWASP Foundation for threat modeling resources
- OWASP Threat Model Library for threat patterns
- Microsoft Threat Modeling Tool for methodology inspiration
- Issues: GitHub Issues
- Discussions: GitHub Discussions
- Documentation: See the `/docs` folder
- Integration with Threat Dragon
- AI-powered threat suggestions
- Custom threat library management
- Real-time collaboration
- Risk scoring engine
- Compliance mapping (GDPR, HIPAA, etc.)
- Docker containerization
- GraphQL API
- Threat Patterns: 20+ OWASP patterns
- Element Types: 6 supported types
- Export Formats: JSON, CSV, PDF (planned)
- Risk Levels: 4 severity classifications
Made with ❤️ for the security community