Getting to know the Microsoft Threat Modeling Tool
For most application developers, building security into application design doesn’t come naturally. Having to shim security into your application can be both cumbersome and time-consuming (aka expensive). I recently discovered a great new tool from Microsoft to assist in identifying security threats. The Microsoft Threat Modeling Tool assists in identifying threats during the application design phase. According to Microsoft, the Threat Modeling Tool helps teams more effectively and less expensively identify security vulnerabilities, determine risks from threats, and establish appropriate mitigation.
The tool comes across as a hybrid of Microsoft Visio and Project. You can easily drag and drop components such as a web browser, web service, database, etc. onto a canvas. You can then connect these components with data flow connectors such as HTTP, IPsec, UDP, etc. Once the diagram is complete, simply switch from Design View to Analysis View, which analyzes the diagram. Based upon the template applied, the tool will indicate the basic threats that should be mitigated. The tool also provides a description of each threat, as well as a form for recording the remediation or the justification for leaving the threat in place.
The best part is the Threat Model Report generation. The report generation component produces a full report that includes the application diagram along with the potential threats and mitigation steps.
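The workflow described above (diagram, template-driven analysis, recording a mitigation or justification, report) can be sketched in a few lines of Python. This is an added example, not code from Microsoft's tool: the template rules, threat categories and the sample diagram are constructed assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    source: str
    target: str
    protocol: str  # connector type, e.g. "HTTP", "IPsec", "UDP"

@dataclass
class Threat:
    flow: Flow
    category: str
    description: str
    mitigation: str = ""     # how the team fixed it
    justification: str = ""  # or why the threat is accepted as-is

    @property
    def is_open(self):
        return not (self.mitigation or self.justification)

CLEARTEXT = {"HTTP", "UDP"}  # connectors with no built-in protection in transit

# Hypothetical template: (predicate, category, description). Not the tool's rule set.
TEMPLATE = [
    (lambda f, kind: f.protocol in CLEARTEXT, "Information Disclosure",
     "traffic can be read in transit"),
    (lambda f, kind: f.protocol in CLEARTEXT, "Tampering",
     "traffic can be modified in transit"),
    (lambda f, kind: kind[f.source] == "web browser", "Spoofing",
     "receiver must authenticate the caller"),
    (lambda f, kind: kind[f.target] == "database", "Tampering",
     "queries must not be built from unvalidated input"),
]

def analyze(kind, flows):
    """Apply every template rule to every data flow, like switching to Analysis View."""
    return [Threat(f, cat, desc) for f in flows
            for match, cat, desc in TEMPLATE if match(f, kind)]

def report(threats):
    """One line per threat; a threat stays OPEN until it is mitigated or justified."""
    return [f"[{'OPEN' if t.is_open else 'ADDRESSED'}] {t.flow.source} -> {t.flow.target} "
            f"({t.flow.protocol}): {t.category} - {t.description}" for t in threats]

# Constructed sample diagram: element name -> element kind, plus its data flows.
ELEMENTS = {"Browser": "web browser", "Orders API": "web service", "Orders DB": "database"}
FLOWS = [Flow("Browser", "Orders API", "HTTP"), Flow("Orders API", "Orders DB", "IPsec")]

if __name__ == "__main__":
    found = analyze(ELEMENTS, FLOWS)
    found[0].mitigation = "Serve the API over TLS only"
    print("\n".join(report(found)))
```

Changing the first flow's connector from HTTP to IPsec removes the two in-transit threats from the output, which is the kind of design-time feedback the post describes.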
For developers who don’t always think of security first, this tool provides an excellent way to reduce the attack vectors of your applications.