Draw.io for threat modeling

Posted October 05, 2018

I've spent a good amount of time lately trying to find a good tool for threat model diagramming. I defined a couple of requirements and started assessing what was out there:

I checked out quite a lot of different tools but none of them fulfilled the requirements. Many didn't have elements for DFDs and Attack Trees, Microsoft Threat Modeling Tool only runs on Windows, Threat Modeler is web based, Threat Dragon felt awkward to work with, and Dia is old, clunky and buggy.

I was pretty dissapointed with what I found, so I scratched my own itch and started work on a new Electron based app which I hoped would be the perfect fit for me, and hopefully many others. Doing the initial research for this, I came across the mxgraph project which seemed to be the perfect core diagramming component. Then I saw that it was used as part of a tool called draw.io and that luckily turned out to be the perfect fit, with a bit of configuration and customization...

DFD and Attack Trees in draw.io

Draw.io doesn't come with dedicated libraries for DFDs and attack trees, but it has all the elements. They are just spread across several different libraries. After playing around with the tool for a bit, I discovered that it's super easy to customize elements and adding them to custom libraries which can be exported for easy reuse. I created two new libraries with all you need for DFD and attack trees and put them up on Github.

Data Flow Diagrams

These are the elements available in the dfd.xml library:

All elements in the DFD library.

Apart from the classic DFD elements, the library also contains a note element, labels for assets, threat actors, security controls, and convenient tables for documenting them directly in the diagram.

To show you how it all works together, I've created a diagram of a simple, ficticious system:

A DFD of a simple, ficticious system.

Attack Trees

These are the elements available in the attack-tree.xml library:

All elements in the DFD library.

To show you how these work together, I have recreated the classic Open Safe attack tree:

An attack tree exploring how to open a safe.

Getting set up

Getting draw.io set up for threat modeling is very easy:

  1. Download and install draw.io for your operating system
  2. Clone or download the Github repository
  3. Open draw.io application and create a new blank diagram
  4. Click the File menu and then click Open Library...
  5. Navigate to where you put the Github repository and open one of the XML files

Congratulations! You are now ready to threat model. To make draw.io even nicer, I can recommend turning on the Minimal theme by clicking the Extras menu and selecting the Minimal theme. This makes the UI cleaner and gives more space for actual diagramming.

I hope that you will find this helpful and make it easier and more joyful to threat model for you and your team.