The Threat Modeling Tool now inherits the TLS settings of the host operating system and is supported in environments that require TLS 1.2 or later. The tool is available to download as a ClickOnce application. Documentation and full release notes are available in Azure Docs. The Threat Modeling Tool allows users to specify trust boundaries, indicated by the red dotted lines, to show where different entities are in control. For example, IT administrators require an Active Directory system for authentication purposes, so the Active Directory is outside of their control. Cristina: Looks right to me.
Microsoft Threat Modeling Tool For Mac Pro
| title | description | author | ms.author | ms.service | ms.subservice | ms.topic | ms.date |
|---|---|---|---|---|---|---|---|
Overview of the Microsoft Threat Modeling Tool, containing information on getting started with the tool, including the Threat Modeling process. | jegeib | security-develop | 02/16/2017 |
The Threat Modeling Tool is a core element of the Microsoft Security Development Lifecycle (SDL). It allows software architects to identify and mitigate potential security issues early, when they are relatively easy and cost-effective to resolve. As a result, it greatly reduces the total cost of development. Also, we designed the tool with non-security experts in mind, making threat modeling easier for all developers by providing clear guidance on creating and analyzing threat models.
The tool enables anyone to:
- Communicate about the security design of their systems
- Analyze those designs for potential security issues using a proven methodology
- Suggest and manage mitigations for security issues
Here are some tooling capabilities and innovations, just to name a few:
- Automation: Guidance and feedback in drawing a model
- STRIDE per Element: Guided analysis of threats and mitigations
- Reporting: Security activities and testing in the verification phase
- Unique Methodology: Enables users to better visualize and understand threats
- Designed for Developers and Centered on Software: many approaches are centered on assets or attackers. We are centered on software. We build on activities that all software developers and architects are familiar with -- such as drawing pictures for their software architecture
- Focused on Design Analysis: The term 'threat modeling' can refer to either a requirements or a design analysis technique. Sometimes, it refers to a complex blend of the two. The Microsoft SDL approach to threat modeling is a focused design analysis technique
Next steps
Microsoft Threat Modeling Tool Stencils
The table below contains important links to get you started with the Threat Modeling Tool:See also: System requirements
| Step | Description |
|---|---|
| 1 | Download the Threat Modeling Tool |
| 2 | Read Our getting started guide |
| 3 | Get familiar with the features |
| 4 | Learn about generated threat categories |
| 5 | Find mitigations to generated threats |
Resources
Here are a few older articles still relevant to threat modeling today:
Check out what a few Threat Modeling Tool experts have done:
Threat modeling works to identify, communicate, and understand threats and mitigations within the context of protecting something of value.
Threat modeling can be applied to a wide range of things, including software, applications, systems, networks, distributed systems, thingsin the Internet of things, business processes, etc. There are very few technical products which cannot be threat modeled; more or lessrewarding, depending on how much it communicates, or interacts, with the world. Threat modeling can be done at any stage of development,preferably early - so that the findings can inform the design.
What
Most of the time, a threat model includes:
- A description / design / model of what you’re worried about
- A list of assumptions that can be checked or challenged in the future as the threat landscape changes
- A list of potential threats to the system
- A list of actions to be taken for each threat
- A way of validating the model and threats, and verification of success of actions taken
Our motto is: Threat modeling: the sooner the better, but never too late.
Why
The inclusion of threat modeling in the SDLC can help
- Build a secure design
- Efficient investment of resources; appropriately prioritize security, development, and other tasks
- Bring Security and Development together to collaborate on a shared understanding, informing development of the system
- Identify threats and compliance requirements, and evaluate their risk
- Define and build required controls.
- Balance risks, controls, and usability
- Identify where building a control is unnecessary, based on acceptable risk
- Document threats and mitigation
- Ensure business requirements (or goals) are adequately protected in the face of a malicious actor, accidents, or other causes of impact
- Identification of security test cases / security test scenarios to test the security requirements
4 Questions
Most threat model methodologies answer one or more of the following questions in the technical steps which they follow:
What are we building?
As a starting point you need to define the scope of the Threat Model. To do that you need to understand the application you are building,examples of helpful techniques are:
- Architecture diagrams
- Dataflow transitions
- Data classifications
- You will also need to gather people from different roles with sufficient technical and risk awareness to agree on the framework to be used during the Threat modeling exercise.
What can go wrong?
This is a “research” activity in which you want to find the main threats that apply to your application. There are many ways to approach thequestion, including brainstorming or using a structure to help think it through. Structures that can help include STRIDE, Kill Chains, CAPEC and others.
What are we going to do about that?
In this phase you turn your findings into specific actions. See Threat_Modeling_Outputs
Did we do a good enough job?
Finally, carry out a retrospective activity over the work you have done to check quality, feasibility, progress, and/or planning.
Process
The technical steps in threat modeling involve answering questions:
- What are we working on - What can go wrong - What will we do with the findings
- Did we do a good job? The work to answer these questions is embedded in some sort of process, ranging from incredibly informal Kanban with Post-its on the wall to strictly structured waterfalls.
The effort, work, and timeframes spent on threat modeling relate to the process in which engineering is happening and products/services aredelivered. The idea that threat modeling is waterfall or ‘heavyweight’ is based on threat modeling approaches from the early 2000s. Modernthreat modeling building blocks fit well into agile and are in wide use.
When to Threat Model
When the system changes, you need to consider the security impact of those changes. Sometimes those impacts are not obvious.
Threat modeling integrates into Agile by asking “what are we working on, now, in this sprint/spike/feature?”; trying to answer this can be an important aspect of managing security debt, but trying to address it per-sprint is overwhelming. When the answer is that the system’sarchitecture isn’t changing, no new processes or dataflows are being introduced, and there are no changes to the data structures beingtransmitted, then it is unlikely that the answers to ‘what can go wrong’ will change. When one or more of those changes, then it’s useful toexamine what can go wrong as part of the current work package, and to understand designs trade-offs you can make, and to understand whatyou’re going to address in this sprint and in the next one. The question of did we do a good job is split: the “did we address thesethreats” is part of sprint delivery or merging, while the broader question is an occasional saw-sharpening task.
After a security incident, going back and checking the threat models can be an important process.
Threat Modeling: Engagement Versus Review
Threat modeling at a whiteboard can be a fluid exchange of ideas between diverse participants. Using the whiteboard to construct a modelthat participants can rapidly change based on identified threats is a high-return activity. The models created there (or elsewhere) can bemeticulously transferred to a high-quality archival representation designed for review and presentation. Those models are useful fordocumenting what’s been decided and sharing those decisions widely within an organization. These two activities are both threat modeling,yet quite different.
Validating Assumptions
Learning More
Agile Approaches
- Main agile threat modeling page
- Specific agile approach1 TM page
- Specific agile approach2 TM page
Waterfall Approaches
- Main waterfall TM page