This Python framework automates threat modeling for developers, aiming to integrate security earlier in the software development lifecycle. It generates Data Flow Diagrams (DFDs), sequence diagrams, and threat reports from system architecture definitions, reducing manual effort and improving security posture.

How It Works

pytm models system components (Servers, Datastores, Actors, etc.) and their interactions (Dataflows) using a Python DSL. It then processes these definitions against a built-in or custom threats database. The condition field in threats allows for sophisticated matching against model element attributes and relationships, enabling automated threat identification and risk assessment.

Quick Start & Requirements

• Install: Not specified, but requires Python 3.x.
• Prerequisites: Linux/MacOS, Python 3.x, Graphviz, Java (OpenJDK 10 or 11), plantuml.jar.
• Usage: tm.py --dfd | dot -Tpng -o tm/dfd.png or tm.py --report docs/basic_template.md | pandoc -f markdown -t html > tm/report.html.
• Docker: export USE_DOCKER=true; make image then make.
• Docs: https://github.com/OWASP/pytm

Highlighted Details

• Generates DFDs and sequence diagrams using Graphviz and PlantUML.
• Supports custom threat databases with conditional logic for threat matching.
• Includes a stale_days argument to track model-code drift.
• Can generate presentation slides using RevealMD.

Maintenance & Community

• Project is part of OWASP.
• No specific community links (Discord/Slack) are provided in the README.

Licensing & Compatibility

• License: Apache 2.0.
• Compatible with commercial use and closed-source linking.

Limitations & Caveats

The threats.json file contains strings that are evaluated using eval(), posing a security risk if the file permissions are not managed correctly. The README mentions a pytmGPT feature for model generation from prose, but no details or links are provided.