mattboddy47/epic_threat_model

Epic Threat Model

Fred the ghost

This tool is in pre-alpha. There is no guarantee that the architecture of the Epic Threat Model is not itself vulnerable. There is also no guarantee that it will find all of the threats in the Threat Modelled environment. The only guarantee is that the tool (along with Fred the ghost) will do its very best to help wherever it can.

Intro

The Epic Threat Model is designed for Developers and Security Engineers to quickly identify security flaws in their cloud application implementation plans. It is designed to be quick to use so that the Threat Modeller can keep up with an Agile process releasing many times every day. It gains speed by doing away with data-flow diagrams, as well as some other aspects of Threat Modelling, to keep the platform simple. Working at the Epic level is what makes it possible to keep pace with a many-releases-per-day cycle.

The Epic Threat Model is in alpha testing as it is still in the very early stages of development. Please report any bugs, vulnerabilities or security flaws here on GitHub.

Why is this so Epic?

New features for a product will often be driven by business needs, and it is best practice for these to be decided by business personnel such as Product Managers. These new features then come through to developers via what is known as an Epic. Epics are usually a high-level view of a feature and what it aims to achieve. In conjunction with business folk, the developers will then break an Epic down into smaller components of work called stories. Once a developer understands the project at both the high level of an Epic and the lower, more granular level of its stories, they will understand what technologies they will use to meet all of the business needs. The Epic Threat Model starts Threat Modelling at this point, just before the development of features associated with an Epic commences, but after the stories have been defined. This follows the Kanban principle of performing the relevant tasks “Just in Time”.

Start Threat Modelling

Anyone can sign up to get started with the Epic Threat Model right away at https://simple-threat-model.web.app/.

How to use the tool

Hopefully the Epic Threat Model should be so simple that anybody can use it, but it is understandable that some might be wary about signing up to yet another platform. You can rest assured that the intention of the sign-up isn't to capture data for marketing purposes; it is just in place as a method of differentiating user data (i.e. Bob is shown Bob's Threat Model, Alice is shown Alice's Threat Model). The tool is built to run on Firebase. If you would like to spin up your own version of the tool, you should have everything you need to do so; I will release instructions on exactly how you can do that soon.