Today, we are excited to announce the general availability of a new version of a very popular Security Development Lifecycle tool – Microsoft Threat Modeling Tool 2014. It’s available as a free download from the Microsoft Download Center.
Threat modeling is an invaluable part of the Security Development Lifecycle (SDL) process. We have discussed in the past how applying a structured approach to threat scenarios during the design phase of development helps teams more effectively and less expensively identify security vulnerabilities, determine risks from those threats, and establish appropriate mitigations.
For those who would like more of an introduction to threat modeling, please visit Threat Modeling: Uncover Security Design Flaws Using the STRIDE Approach. But, without further ado, let’s dig into the fun stuff – the new features of Threat Modeling Tool 2014.
Microsoft Threat Modeling Tool 2014 – Changes and New Features
Microsoft announced the general availability of the SDL Threat Modeling Tool v3.1.8 in 2011, which gave software development teams an approach to design their security systems following the threat modeling process. Microsoft Threat Modeling Tool 2014 introduces many improvements and new features; the highlights are described below.
Figure 1. Microsoft Threat Modeling Tool 2014 Home Screen
NEW DRAWING SURFACE
One of our goals with this release is to provide a simplified workflow for building a threat model and help remove existing dependencies. You’ll find an intuitive user interface with easy navigation between different modes. The new version of the tool has a new drawing surface, and Microsoft Visio is no longer required to create new threat models. Using the Design View of the tool, you can create your data flow diagram using the included stencil set (see Figure 2).
Figure 2. Microsoft Threat Modeling Tool 2014 – Design View
MIGRATION FOR V3 THREAT MODELS
Threat modeling is an iterative process. Development teams create threat models which evolve over time as systems and threats change. We wanted to make sure the new tool supports this flow. Microsoft Threat Modeling Tool 2014 offers migration of threat models created with version 3.1.8, which allows an easy update to existing threat models of security system designs. (NOTE: For migrating threat models from v3.1.8 only, Microsoft Visio 2007 or later is required.) Threat models created with the v3 version of the tool (.tms format) can be migrated to the new format (.tm4) (see Figure 3).
Figure 3. Migrating v3 Threat Models
STRIDE PER INTERACTION
One of the key changes we are introducing is the update to threat generation logic. With previous versions of the tool we have taken the approach of using STRIDE per element. Microsoft Threat Modeling Tool 2014 uses STRIDE categories and generates threats based on the interaction between elements. We take into consideration the type of elements used on the diagram (e.g. processes, data stores etc.) and what type of data flows connect these elements. When in Analysis View, the tool will show the suggested threats for your data flow diagram in a simple grid (see Figure 4).
Figure 4. Microsoft Threat Modeling Tool 2014 – Analysis View
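To make the difference between the two approaches concrete, here is an added example (not code from the tool or from this post) that enumerates threats for a small constructed data flow diagram both ways. The per-element chart follows published SDL guidance; the per-interaction rules, element names and flows are assumptions made up for illustration and are not the tool's actual rule set.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # "external", "process" or "datastore"

@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element
    crosses_boundary: bool  # does the flow cross a trust boundary?

# STRIDE-per-element chart from published SDL guidance
# (Repudiation applies to data stores that hold logs).
PER_ELEMENT = {"external": "SR", "process": "STRIDE",
               "datastore": "TRID", "dataflow": "TID"}

# Constructed per-interaction rules (assumption, not the tool's rule set):
# each rule looks at the source, the target and the flow between them.
RULES = [
    ("S", "{src} may be spoofed to {dst}",
     lambda f: f.crosses_boundary and f.src.kind != "datastore"),
    ("T", "data sent to {dst} may be tampered with", lambda f: f.crosses_boundary),
    ("R", "{src} may deny sending data to {dst}", lambda f: f.src.kind == "external"),
    ("I", "data sent to {dst} may be sniffed", lambda f: f.crosses_boundary),
    ("D", "{dst} may be made unavailable through this flow",
     lambda f: f.dst.kind in ("process", "datastore")),
    ("E", "{dst} may run {src}-controlled input with its own privileges",
     lambda f: f.crosses_boundary and f.dst.kind == "process"),
]

def per_element(elements, flows):
    """Every element and flow gets each category its type allows."""
    items = [(e.name, e.kind) for e in elements] + [(f.name, "dataflow") for f in flows]
    return [(name, cat) for name, kind in items for cat in PER_ELEMENT[kind]]

def per_interaction(flows):
    """Threats are raised only where a rule matches the (src, flow, dst) triple."""
    return [(f.name, cat, text.format(src=f.src.name, dst=f.dst.name))
            for f in flows for cat, text, applies in RULES if applies(f)]

# Constructed sample diagram: browser -> web app (crosses boundary) -> orders DB.
browser = Element("Browser", "external")
web = Element("Web App", "process")
db = Element("Orders DB", "datastore")
FLOWS = [Flow("HTTPS request", browser, web, True), Flow("SQL query", web, db, False)]
ELEMENTS = [browser, web, db]

if __name__ == "__main__":
    print(len(per_element(ELEMENTS, FLOWS)), "per-element threats")
    for threat in per_interaction(FLOWS):
        print(threat)
```

With these rules the flow that stays inside the trust boundary yields a single threat, while the per-element pass lists every category for every shape regardless of how the shapes are connected.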
DEFINE YOUR OWN THREATS
Microsoft Threat Modeling Tool 2014 comes with a base set of threat definitions using STRIDE categories. This set includes only suggested threat definitions and mitigations, which are automatically generated to show potential security vulnerabilities for your data flow diagram. You should analyze your threat model with your team to ensure you have addressed all potential security pitfalls. To offer more flexibility, Microsoft Threat Modeling Tool 2014 gives users the option to add their own threats related to their specific domain. This means users can extend the base set of threat definitions by authoring their own definitions in the provided XML format. For details on adding your own threats, see the Threat Modeling tool SDK. With this feature, we have higher confidence that our users can get the best possible picture of their threat landscape (see Figure 5).
Figure 5. Threat Model Definitions Grammar in Backus-Naur Form (BNF)
We hope these new enhancements in Microsoft Threat Modeling Tool 2014 will provide greater flexibility and help enable you to effectively implement the SDL process in your organization.
Thank you to all who helped ship this release through internal and external feedback. Your input was critical to improving the tool and customer experience.
For more information and additional resources, visit:
- Microsoft Security Development Lifecycle (SDL)
- Uncover Security Design Flaws Using the STRIDE Approach
- Getting Started with Threat Modeling: Elevation of Privilege (EoP) Game
- Reinvigorate your Threat Modeling Process
- Threat Models Improve Your Security Process
- Threat Modeling: Designing for Security (BOOK)
Emil Karafezov is a Program Manager on the Secure Development Tools and Policies team at Microsoft. He’s responsible for the Threat Modeling component of the Security Development Lifecycle (SDL).