Browser-based tool works on all operating systems

Apr 2, 2015 14:23 GMT

A web-based threat modeling tool was developed by undergraduate students at St. Mary’s University in Nova Scotia, Canada, as part of Mozilla’s Winter of Security project in 2014.

Called Seasponge, the tool aims to provide better visualization of systems and the data flows between them, helping to pinpoint potential security risks.

Diagrams and visualization of the entire system

The tool is open source and has been released on GitHub, where feedback and suggestions are expected by the three students (Sarah MacDonald, Joel Kuntz, and Glavin Wiechert) who developed it.

“Written specifically for the browser environment, the tool requires no special addons or plugins and allows one to quickly and easily diagram a system and its data flows and begin the important work of focusing on threats,” a description from Mozilla reads.

Visualizing the relations between the components of a system can help determine potential security risks (such as security threats with different severity ratings) that could be eliminated before the project reaches the production stage.

Being browser-based, Seasponge can be run on all operating systems. The three main characteristics at the base of the project are accessibility, aesthetics, and an intuitive user experience.

The combination should prove to be a worthy alternative to Microsoft’s SDL Threat Modeling Tool, which is designed for developers and is focused on software.

Web app aims to replace Microsoft's alternative

Seasponge could be regarded as a stepping stone towards reaching a better security state of a system, without having to go through documentation or user manuals.

The developers say that the purpose of the tool is to raise awareness about threat modeling and convince more individuals of the importance of this part of project development.

However, the ultimate goal stated by the team is to replace Microsoft’s alternative completely, although this objective is currently still pretty difficult to achieve.

On the GitHub page of the application, there is a live demo that can be used to check Seasponge’s potential and the scenarios it is suitable for.