Introducing Microsoft Threat Modeling Tool 2014

Today, we are excited to announce the general availability of a new version of a very popular Security Development Lifecycle tool – Microsoft Threat Modeling Tool 2014. It’s available as a free download from Microsoft Download Center here.

Threat modeling is an invaluable part of the Security Development Lifecycle (SDL) process. We have discussed in the past how applying a structured approach to threat scenarios during the design phase of development helps teams more effectively and less expensively identify security vulnerabilities, determine risks from those threats, and establish appropriate mitigations.

For those who would like more of an introduction to threat modeling, please visit Threat Modeling: Uncover Security Design Flaws Using the STRIDE Approach. But, without further ado, let’s dig into the fun stuff – the new features of Threat Modeling Tool 2014.

Microsoft Threat Modeling Tool 2014 – Changes and New Features

Microsoft announced the general availability of the SDL Threat Modeling Tool v3.1.8 in 2011, which gave software development teams an approach to design their security systems following the threat modeling process. Microsoft Threat Modeling Tool 2014 introduces many improvements and new features, see the highlights below.

 Figure 1. Microsoft Threat Modeling Tool 2014 Home Screen

 

NEW DRAWING SURFACE
One of our goals with this release is to provide a simplified workflow for building a threat model and help remove existing dependencies. You’ll find intuitive user interface with easy navigation between different modes. The new version of the tool has a new drawing surface and Microsoft Visio is no longer required to create new threat models. Using the Design View of the tool, you can create your data flow diagram using the included stencil set (see Figure 2).

Figure 2. Microsoft Threat Modeling Tool 2014 – Design View

 

MIGRATION FOR V3 THREAT MODELS
Threat modeling is an iterative process. Development teams create threat models which evolve over time as systems and threats change. We wanted to make sure the new tool supports this flow. Microsoft Threat Modeling Tool 2014 offers migration of threat models created with version 3.1.8, which allows an easy update to existing threat models of security system designs. (NOTE: For migrating threat models from v3.1.8 only, Microsoft Visio 2007 or later is required). Threat models created with v3 version of the tool (.tms format) can be migrated to new format (.tm4) (see Figure 3).

Figure 3. Migrating v3 Threat Models


 

STRIDE PER INTERACTION
One of the key changes we are introducing is the update to threat generation logic. With previous versions of the tool we have taken the approach of using STRIDE per element. Microsoft Threat Modeling Tool 2014 uses STRIDE categories and generates threats based on the interaction between elements.  We take into consideration the type of elements used on the diagram (e.g. processes, data stores etc.) and what type of data flows connect these elements. When in Analysis View, the tool will show the suggested threats for your data flow diagram in a simple grid (see Figure 4).

Figure 4. Microsoft Threat Modeling Tool 2014 – Analysis View


DEFINE YOUR OWN THREATS

Microsoft Threat Modeling Tool 2014 comes with a base set of threat definitions using STRIDE categories. This set includes only suggested threat definitions and mitigations which are automatically generated to show potential security vulnerabilities for your data flow diagram. You should analyze your threat model with your team to ensure you have addressed all potential security pitfalls. To offer more flexibility, Microsoft Threat Modeling Tool 2014 gives users the option to add their own threats related to their specific domain. This means users can extend the base set of threat definitions by authoring the provided XML format. For details on adding your own threats, see the Threat Modeling tool SDK. With this feature, we have higher confidence that our users can get the best possible picture of their threat landscape (see Figure 5).

Figure 5. Threat Model Definitions Grammar in Backus-Naur Form (BNF)

We hope these new enhancements in Microsoft Threat Modeling Tool 2014 will provide greater flexibility and help enable you to effectively implement the SDL process in your organization.

Thank you to all who helped shipping this release through internal and external feedback. Your input was critical to improving the tool and customer experience.

For more information and additional resources, visit:

 

Emil Karafezov is a Program Manager on the Secure Development Tools and Policies team at Microsoft. He’s responsible for the Threat Modeling component of the Security Development Lifecycle (SDL).

About the Author
SDL Team

Trustworthy Computing, Microsoft

Join the conversation

18 comments
  1. Anonymous

    Is it me, or is layering models no longer an option?

  2. Anonymous

    The Getting Started Guide mentions a User Guide.  Can you provide a link to it?

  3. sdl

    Hi Mike – The SDK which includes the User Guide can be found here:  http://aka.ms/By12as

  4. Anonymous

    I have just installed the Modelling Tool 2014. Unfortunately, TMT4.exe did not start (just nothing happened). On my machine the modelling tool 3.1.8 is installed and it works fine.

    Could you please advice? Thanks

  5. Anonymous

    I'm not sure how to get this tool to product anything of value. I prefer the version 1/2 tools and here's why. The goal of threat modeling is to discovery design vulnerabilities (see. Art of Software Security Assessment for definition) not easily discovery using other approaches. Using an asset-centric approach this can be as simple as a CRUD matrix of users to protected asset permissions (a.l.a. Trike framework). Generic threats for web services, such as what is generated by this tool, provides little value to know value. These threats correspond to potential implement vulnerabilities (e.g. XSS / SQL Injection) which are better discovered using Static Analysis or a web penetration style test.

  6. Anonymous

    Very nice tool. Started using it today as I'm learning threat modeling and it's very helpful.

  7. Anonymous

    I am using Win8.1 and VS 2013 Ultimate. I download and run install of

    MSThreatModelingTool2014.msi as admin and standard user.

    Nothing happens, no log

    I am on an Alienware Laptop

  8. Anonymous

    v3.1.8 Model has a Describe Environment capability. I did not see the same capability in Microsoft Threat Modeling Tool 2014.

  9. Anonymous

    This new version seems promising and addresses many issues I had with the old tool, however there is a nasty bug that causes frequent crashes for me (crashed 4 times today). Where can I send the crash log?

  10. Anonymous

    Thanks SDL Team. The sample exercise and demo are really usefull

  11. Anonymous

    Thanks team for another release and improvement of this great tool!  Where can I find the SDK to add threats and extend the modeling capabilities?

    Thanks

  12. Anonymous

    Are the threats by chance referenced to a CVE or STIG?

  13. Anonymous

    Can this tool also be used for Oracle? and Other applications?

  14. steve.rothkin@honeywell.com

    Removing items from the diagram or changing attributes of existing elements doesn't remove the threats that were obsoleted by the change. I'd like to see a fix tor this.

  15. Anonymous

    I agree with the above comment. Please fix! Thanks!

  16. Anonymous

    Hi!  Thank you for releasing this tool to the industry!  It is a significant improvement above the previous version.  That said, there are some bugs and enhancements that would be significant improvements.  I've listed what I've run into so far.  Do you know when the next release is planned?

    BUG

    Diagram order not preserved.

    STEPS TO REPRODUCE

    Create two diagrams, then drag the second diagram so it’s before the first.  Close and reopen the TM.  Diagrams are unsorted again.  Order of manual sort needs to be maintained – it’s not always possible to predict what diagrams will be needed and what order will make the most sense, so it is important to allow users to sort the diagrams to make them make sense.

    WORKAROUND

    I have found no workaround.

    BUG

    No way to report only diagrams

    DESCRIPTION

    Create a threat model with 6 diagrams.  Try to run a report hat includes only the diagrams you cared – and all the diagrams you created.  No report option exists.  Deselecting all threats won't generate a report.  Selecting all threats only shows diagram components related to threats, but not all diagrams.  

    WORKAROUND

    I have found no workaround

    ENHANCEMENT

    Export to Visio

    DESCRIPTION

    There is no way to export a diagram (or series of diagrams) to Visio for individuals who don't have the TM tool, or for individuals who find the TM tool is unusable for their needs.  The prior version of the tool let you copy & paste into visio, preserving all nodes and flows, even though you would lose annotations.  This version doesn't even provide that.  If a user spends a lot of time using this tool and discovers a critical flaw that makes it unusable after all, they have to abandon the hours/days/weeks spent in the tool and recreate the threat model diagrams from scratch.

    WORKAROUND

    Take screenshots, then recreate the diagram from scratch.

    ENHANCEMENT

    Import from Visio

    DESCRIPTION

    There is no way to import a threat model from Visio.  In my former job, when had dozens of DFDs created specifically for threat modeling, many done in Visio.  If the TM tool were to allow import from visio, it would be easier to migrate to using this tool – assuming it is the right tool for the job.  Because there is no import, each team with a threat model will have to manually reproduce all diagrams.  This can be hours of effort for minimal gain, and can make it it substantially harder to import into the new version of the tool

    WORKAROUND

    Untested.  Copy/Paste from Visio inot the older version of the TM tool, then reproduce lost annotations (like names of nodes).  Save and close.  Import into the new version of the tool.  Assumes import works.

  17. Anonymous

    Another bug to report:

    BUG

    Cannot scroll using arrow keys

    REPRODUCTION

    Create a DFD that spans more than the visible area on the page.  Zoom in as necessary.  Click on the background, where no processes, data stores, flows, etc. are drawn.  Nothing should be highlighted.  Click arrow keys in any direction.    Expected result: should scroll the direction of the arrow key.  Actual result: doesn't scroll.  

    Next, click scrollbar and make it scroll.  Result: scrolls.

    Next, try to use arrow keys to scroll, again.  Result: doesn't scroll.

  18. Anonymous

    Besides not being able to export to Visio, I also don't see a 'Print' option. Was hoping to print to an image that could be used on our Confluence page where we have all of our documentation. Is there a workaround for this?

Comments are closed.