Threat models help application developers answer some fundamental questions about potential risks and how to cut off vulnerabilities before they’re put into production. Some software development lifecycles, however, don’t include threat modeling as part of the code-building process because they’ve either never heard of it, or the process is too difficult.
Students at St. Mary’s University in Nova Scotia, Canada, participating in Mozilla’s Winter of Security 2014 project, built a browser-based threat modeling tool that simplifies visualization of systems and data flows, and where soft spots might be introduced during design.
The tool, called Seasponge, has been made available on Github and its developers are hoping to not only get feedback and feature suggestions, but also hope to encourage developers to introduce threat modeling into SDLs in order to fix bugs while in design when it’s cheap to do so.
“We hope now that it’s out there that people collaborate, build threats for it, collaborate and share files and grow a threat modeling community around Seasponge,” said Glavin Wiechert, one of the students behind the tool along with Joel Kuntz, Sarah MacDonald and Mathew Kallada. “We hope this tool is easy to start out with and will ultimately accelerate the usage of threat modeling and the number of people using threat modeling for projects.”
Wiechert, a full-time student at St. Mary’s who also runs his own analytics company, came into this project without much of a security background, other than an interest in the discipline. He and his colleagues, as well as Mozilla, hope that Seasponge ultimately has a place alongside Microsoft’s free SDL threat modeling tool, the most popular tool among developers today.
“The original idea came from Mozilla to have a tool like this,” Wiechert said. “There was a heavy demand from their users within Mozilla to use something like the Microsoft threat modeling tool, but have it be more open source and Web-based, and not be forced to be just on the Windows platform.”
Being a Web-based alternative to the Microsoft tool, the developers hope that with it now being open source, contributions can be made to help them reach their goals of adding more collaboration features, cloud-based storage for projects, encapsulation of entire systems, and more.
“One of the big eye openers for me was the lack of development in terms of the only competition was the Microsoft tool,” Wiechert said. “No one dove into a web platform for threat modeling. I wasn’t very experienced in the field, but it is an important one. I expected more competition and a community, and we hoped to be part of it, but it was really Microsoft-centric.”
Wiechert said Mozilla is among the early beta testers and is putting Seasponge through its paces.
“It’s functional and you can make new threats in the tool, open, download and save files, visualize them; all the attributes work,” he said. “It’s also functional from a visualization standpoint. I’m hoping Mozilla is using it right now and soon anyone else in the community. We’re hoping to get feedback from the threat modeling community and we’re interested to hear any ideas.”