Threat Modeling Is Cool

I have been playing around with the 2.0 BETA2 version of the Microsoft Threat Analysis & Modeling tool and it has improved significantly since the 1.0 version.  Notable improvements include:

  • The new wizards make it far easier to create threat models for applications than was previously the case.  For a small to medium sized (20-50 page) web application you should be able to have the initial threat model put togetether in just a couple of hours.  There is a lot more detail that you can go in and specify, but after that quick time you have a good basis for further work.
  • Independent of the security benefits of using the tool, the reports that it dumps out are a pretty good start for general software development specifications.  I have started projects with way less documentation than the tool provides in its Comprehensive Report.  Tracking down the users, components and other objects in this tool gets you a good start for Envisioning and Planning a project (we’re still mostly old-school MSF at Denim Group, although we just started our first MSF Agile project a couple of weeks ago).
  • It automatically creates basic data flow diagrams and allows you to dump them out to image files or Visio.  This is great if you don’t want to use the built-in reporting but still want to include these assets in another document.

I’m wondering what Microsoft’s future plans are for this tool because a lot of the information that goes in here is not only needed for Threat Modeling purposes but is actually information that you need to gather for the software development process in general.  Will we be seeing Team System plugins using this application to include Security Development Lifecycle (SDL) concerns with the comprehensive lifecycle management that Team System already provides?  Time will tell, but for now the Threat Analysis & Modeling is a fantastic resource.

dan _at_

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.
More Posts by Dan Cornell

Leave a Reply

Your email address will not be published. Required fields are marked *