Amid almost no fanfare whatsoever, Microsoft yesterday released a tool I’ve been begging them for over the last five or six years.
[This is not unusual for me to be so persistently demanding, as I’ve found it’s often the only way to get what I want.]
As you’ve guessed from the title, this tool is the “SDL Threat Modeling Tool 2014”. Sexy name, indeed.
Don’t they already have one of those?
Well, yeah, kind of. There’s the TAM Threat Analysis & Modeling Tool, which is looking quite creaky with age now, and which I never found to be particularly usable (though some people have had success with it, so I’m not completely dismissive of it). Then there are the previous versions of the SDL Threat Modeling Tool.
These have had their uses – and certainly it’s noticeable that when I work with a team of developers, one of whom has worked at Microsoft, it’s encouraging to ask “show me your threat model” and have them turn around with something useful to dissect.
So what’s wrong with the current crop of TM tools?
In a word, Cost.
Threat modeling tools from vendors other than Microsoft are pretty pricey. If you’re a government or military contractor, they’re probably great and wonderful. Otherwise, you’ll probably draw your DFDs in PowerPoint (yes, that’s one of the easier DFD tools available to most of you!), and write your threat models in Word.
Unless, of course, you download and use the Microsoft SDL Threat Modeling Tool, which has always been free.
So where’s the cost?
The SDL TM tool itself was free, but it had a rather significant dependency.
Visio is not cheap.
As a result, those of us who championed threat modeling at all in our enterprises found it remarkably difficult to get approval to use a free tool that depended on an expensive tool that nobody was going to use.
What’s changed today?
With the release of Microsoft SDL Threat Modeling Tool 2014, Microsoft has finally delivered a tool that allows for the creation of moderately complex DFDs (you don’t want more complex DFDs than that, anyway!), and a threat library-based analysis of those DFDs, without making it depend on anything more expensive or niche than Windows and .NET. [So, essentially, just Windows.]
Yes, that means no Visio required.
Is there anything else good about this new tool?
A quick bullet list of some of the features you’ll like, besides the lack of Visio requirement:
- Imports from the previous SDL Threat Modeling Tool (version 3), so you don’t have to re-work
- Multiple diagrams per model, for different levels of DFD
- Analysis is per-interaction, rather than per-object [scary, but functionally equivalent to per-object]
- The file format is XML, and is reasonably resilient to modification
- Objects and data flows can represent multiple types, defined in an XML KnowledgeBase
- These types can have customised data elements, also defined in XML
- The rules about what threats to generate are also defined in XML
- [These together mean an enterprise can create a library of threats for their commonly-used components]
- Trust boundaries can be lines, or boxes (demonstrating that trust boundaries surround regions of objects)
- Currently supported by a development team who are responsive to feature requests
Call to Action?
Yes, every good blog post has to have one of these, doesn’t it? What am I asking you to do with this information?
Download the tool. Try it out on a relatively simple project, and see how easy it is to generate a few threats.
Once you’re familiar with the tool, visit the KnowledgeBase directory in the tool’s installation folder, and read the XML files that were used to create your threats.
Add an object type.
Add a data flow type.
Add custom properties that describe your custom types.
Use those custom properties in a rule you create to generate one of the common threats in your environment.
Work with others in your security and development teams to generate a good threat library, and embody it in XML rules that you can distribute to other users of the threat modeling tool in your enterprise.
Document and mitigate threats. Measure how successful you are at predicting threats, at reducing risk, and at influencing security earlier in your development cycle.
Then do a better job on each project.
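As an added illustration of the ideas in the feature list and the call to action above (object and flow types with custom properties, threat rules kept in XML, analysis run per interaction, trust boundaries drawn as boxes around regions), here is a small Python analyser. It is not code from Microsoft's tool, and its XML element and attribute names are a made-up format for the illustration, not the tool's own KnowledgeBase schema; the sample DFD and rules are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed rule library. The element and attribute names are a hypothetical
# illustration of rules-as-XML, not the SDL Threat Modeling Tool's own schema.
RULES_XML = """<rules>
  <rule id="TAMPER-1" threat="Tampering with data in transit across a trust boundary">
    <when on="flow" prop="crossesBoundary" is="true"/>
    <when on="flow" prop="integrity" is="none"/>
  </rule>
  <rule id="SPOOF-1" threat="Spoofing of the target by an unauthenticated caller">
    <when on="flow" prop="crossesBoundary" is="true"/>
    <when on="target" prop="authenticatesCaller" is="false"/>
  </rule>
  <rule id="INFO-1" threat="Information disclosure from an unencrypted data store">
    <when on="target" prop="type" is="DataStore"/>
    <when on="target" prop="encryptedAtRest" is="false"/>
  </rule>
</rules>"""

def element(name, type_, region, **props):
    """A DFD object: its type, the trust-boundary box it sits in, and its custom properties."""
    return {"name": name, "type": type_, "region": region, **props}

def flow_attributes(source, target, props):
    """Properties a rule may test on the flow; crossesBoundary is derived from the boxes."""
    crosses = str(source["region"] != target["region"]).lower()
    return {"crossesBoundary": crosses, **props}

def analyse(flows, rules_xml=RULES_XML):
    """Per-interaction analysis: each (source, flow, target) triple is checked against every rule."""
    rules = ET.fromstring(rules_xml)
    findings = []
    for source, target, props in flows:
        sides = {"source": source, "target": target,
                 "flow": flow_attributes(source, target, props)}
        for rule in rules.findall("rule"):
            if all(sides[w.get("on")].get(w.get("prop")) == w.get("is")
                   for w in rule.findall("when")):
                findings.append((rule.get("id"), source["name"], target["name"]))
    return findings

# Constructed sample DFD: a browser on the Internet; an API and its store inside one DMZ box.
browser = element("Browser", "ExternalEntity", "Internet")
api = element("Web API", "Process", "DMZ", authenticatesCaller="true")
db = element("Orders DB", "DataStore", "DMZ", encryptedAtRest="false")
SAMPLE_FLOWS = [(browser, api, {"integrity": "none"}),   # plain HTTP across the boundary
                (api, db, {"integrity": "tls"})]         # stays inside the DMZ box

if __name__ == "__main__":
    for rule_id, src, dst in analyse(SAMPLE_FLOWS):
        print(f"{rule_id}: {src} -> {dst}")
```

Because the rule for "crosses a trust boundary" is computed from the boxes rather than typed in by hand, moving an element into a different box changes which threats are generated without touching the rules.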