CapCoras is a tool for specification, system description and risk analysis heavily inspired by the CORAS tool and method (1).
FINSEC has re-implemented it from scratch (2) as the old CORAS tool has not been maintained. The new tool is an extension to Eclipse Capella, an open-source solution for model-based systems engineering. Thus, the threat models created with CapCoras can directly build on and refer to a model of the system as a whole – defined either in advance or (ideally) in parallel with the threat models. It is also easier to integrate a new tool such as CapCoras into the FINSEC platform.
A good system description is essential when doing risk analysis. The CORAS method does not mandate a specific form, but suggests a combination of UML diagrams. With CapCoras we can do better, and model the threat scenarios in an extension to a model of the system itself in Capella. This makes it easier to keep the risk analysis up to date – a non-trivial task in the current cybersecurity landscape.
(2) We have reused some of the icons.