Threat modeling is a crucial but often neglected part of developing, implementing and operating any system. If you have no mental model of a system or its strengths and weaknesses, it is extremely difficult to secure it correctly.
In an effort to make threat modeling easier, a Mozilla Winter of Security (MWOS) team has developed Seasponge, a browser-based graphical threat modeling tool. Written specifically for the browser environment, the tool requires no special add-ons or plugins and allows one to quickly and easily diagram a system and its data flows and begin the important work of focusing on threats.
A demo is worth a thousand meetings, and the team of Joel Kuntz, Sarah MacDonald, Glavin Wiechert, Mathew Kallada and professor Dr. Pawan Lingras from Saint Mary’s University in Halifax, Nova Scotia has been generous enough to put together a video explaining the project along with a quick demo:
The code for the project is available on GitHub. A working client is continually posted here for you to try out. Have a look at it and, if you spot a bug or see a feature you’d like, please contribute by filing a GitHub issue or, even better, by sending a pull request!