Threat modeling has been part of the security culture at Microsoft for the better part of a decade, an important piece of the Security Development Lifecycle that’s at the core of Trustworthy Computing.
Today, Microsoft updated its free Threat Modeling Tool with a number of enhancements that bring the practice closer to not only large enterprises, but also smaller companies with a growing target on their back.
Four new features have been added to the tool: enhancements to its visualization capabilities, migration of older threat models, support for custom threat definitions, and a change to how it generates threats.
“More and more of the customers I have been talking to have been leveraging threat modeling as a systematic way to find design-level security and privacy weaknesses in systems they are building and operating,” said Tim Rains, a Trustworthy Computing manager. “Threat modeling is also used to help identify mitigations that can reduce the overall risk to a system and the data it processes. Once customers try threat modeling, they typically find it to be a useful addition to their approach to risk management.”
The first iteration of Microsoft Threat Modeling Tool was issued in 2011, but Rains said customer feedback and suggestions for improvements since then have been rolled into this update. The improvements include a new drawing surface that no longer requires Microsoft Visio to build data flow diagrams. The update also includes the ability to migrate older, existing threat models built with version 3.1.8 to the new format. Users can also upload existing custom-built threat definitions into the tool, which also comes with its own definitions.
The biggest change in the new version is in its threat-generation logic. Where previous versions followed the STRIDE framework (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege) per element, this one follows STRIDE per interaction of those elements. STRIDE helps users map threats to the properties guarding against them, for example, spoofing maps to authentication.
“We take into consideration the type of elements used on the diagram (e.g. processes, data stores etc.) and what type of data flows connect these elements,” Rains said.
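To make the difference between STRIDE-per-element and STRIDE-per-interaction concrete, the following Python script is an added illustration written for this article; it is not code from the Microsoft Threat Modeling Tool, and its rule tables (`PER_ELEMENT`, `RULES`) and the trust-boundary refinement are simplified assumptions, not the tool's actual threat definitions. The category-to-property mapping extends the article's spoofing/authentication example with the standard STRIDE pairs. It builds a three-element data flow diagram (browser, web app, database) and generates threats both ways, so the reader can see how the element types at each end of a flow, and whether the flow crosses a trust boundary, change the result.

```python
from dataclasses import dataclass
from enum import Enum


class ElementType(Enum):
    EXTERNAL = "external entity"
    PROCESS = "process"
    DATA_STORE = "data store"


# STRIDE category -> the security property that guards against it.
# The article cites spoofing -> authentication; the rest are the standard STRIDE pairs.
PROPERTY_FOR = {
    "Spoofing": "authentication",
    "Tampering": "integrity",
    "Repudiation": "non-repudiation",
    "Information disclosure": "confidentiality",
    "Denial of service": "availability",
    "Elevation of privilege": "authorization",
}

# Assumed per-element table (the older, element-centric approach): which categories
# apply to an element kind regardless of what it talks to.
PER_ELEMENT = {
    ElementType.EXTERNAL: ["Spoofing", "Repudiation"],
    ElementType.PROCESS: list(PROPERTY_FOR),  # processes get all six
    ElementType.DATA_STORE: ["Tampering", "Repudiation", "Information disclosure", "Denial of service"],
}

# Assumed per-interaction table keyed on (source kind, sink kind) of a data flow.
# This is an illustrative simplification, not the Microsoft tool's rule set.
RULES = {
    (ElementType.EXTERNAL, ElementType.PROCESS): ["Spoofing", "Tampering", "Repudiation",
                                                  "Denial of service", "Elevation of privilege"],
    (ElementType.PROCESS, ElementType.EXTERNAL): ["Spoofing", "Information disclosure", "Repudiation"],
    (ElementType.PROCESS, ElementType.PROCESS): ["Spoofing", "Tampering", "Information disclosure",
                                                 "Denial of service", "Elevation of privilege"],
    (ElementType.PROCESS, ElementType.DATA_STORE): ["Tampering", "Repudiation",
                                                    "Information disclosure", "Denial of service"],
    (ElementType.DATA_STORE, ElementType.PROCESS): ["Tampering", "Information disclosure", "Denial of service"],
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: ElementType


@dataclass(frozen=True)
class DataFlow:
    source: Element
    sink: Element
    label: str
    crosses_trust_boundary: bool = False


@dataclass(frozen=True)
class Threat:
    category: str
    property: str   # the property whose absence lets the threat materialise
    subject: str    # element name, or "source -> sink (label)" for an interaction


def threats_per_element(elements):
    """Element-centric generation: every element gets its kind's full category list."""
    return [Threat(c, PROPERTY_FOR[c], e.name)
            for e in elements for c in PER_ELEMENT[e.kind]]


def threats_per_interaction(flows):
    """Interaction-centric generation: categories depend on both endpoints of each flow."""
    threats = []
    for f in flows:
        subject = f"{f.source.name} -> {f.sink.name} ({f.label})"
        for c in RULES.get((f.source.kind, f.sink.kind), []):
            # Assumed refinement: spoofing and privilege elevation are only raised
            # on flows that cross a trust boundary, since inside one boundary the
            # caller's identity and privilege level are already established.
            if c in ("Spoofing", "Elevation of privilege") and not f.crosses_trust_boundary:
                continue
            threats.append(Threat(c, PROPERTY_FOR[c], subject))
    return threats


def build_sample_model():
    """Constructed sample diagram: a browser talking to a web app backed by a database."""
    browser = Element("Browser", ElementType.EXTERNAL)
    app = Element("Web app", ElementType.PROCESS)
    db = Element("Database", ElementType.DATA_STORE)
    flows = [
        DataFlow(browser, app, "HTTP request", crosses_trust_boundary=True),
        DataFlow(app, db, "SQL query"),
        DataFlow(db, app, "result rows"),
        DataFlow(app, browser, "HTTP response", crosses_trust_boundary=True),
    ]
    return [browser, app, db], flows


if __name__ == "__main__":
    elements, flows = build_sample_model()
    for title, threats in (("STRIDE per element", threats_per_element(elements)),
                           ("STRIDE per interaction", threats_per_interaction(flows))):
        print(f"{title}: {len(threats)} threats")
        for t in threats:
            print(f"  {t.category:<22} [{t.property}] {t.subject}")
```

Running the script shows why the per-interaction approach produces a more useful list: the same "Web app" process yields different threats on its flow to the browser (spoofing, information disclosure, repudiation across the trust boundary) than on its flow to the database (tampering, repudiation, information disclosure, denial of service), and each threat is already tagged with the property, such as authentication or integrity, whose mitigation the team should go looking for.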
At the RSA Conference in February, Trustworthy Computing program manager Adam Shostack said that there is no one defined way to model threats; that they must be specific to organizations and their particular risks.
“I now think of threat modeling like Legos. There are things you can snap together and use what you need,” Shostack said. “There’s no one way to threat model. The right way is the way that fixes good threats.”