Microsoft has updated its free Threat Modeling tool with new features designed to offer organizations more flexibility and help them implement a secure development lifecycle.
“More and more of the customers I have been talking to have been leveraging threat modeling as a systematic way to find design-level security and privacy weaknesses in systems they are building and operating,” blogged Tim Rains, director of Microsoft Trustworthy Computing. “Threat modeling is also used to help identify mitigations that can reduce the overall risk to a system and the data it processes. Once customers try threat modeling, they typically find it to be a useful addition to their approach to risk management.”
The latest version of the tool includes the following new features:
New Drawing Surface: Previous versions of the Threat Modeling Tool required Microsoft Visio to build the data flow diagrams; this new release has its own drawing surface and Visio is no longer needed.
STRIDE per Interaction: A big improvement for this release is the change in approach to how we generate threats. Microsoft Threat Modeling Tool 2014 uses STRIDE per interaction for threat generation, where past versions of the tool used STRIDE per element.
Migration for v3 Models: Updating your older threat models is easier than ever. You can migrate threat models built with Threat Modeling Tool v3.1.8 to the format in Microsoft Threat Modeling Tool 2014.
Update Threat Definitions: We offer further flexibility to our users to customize the tool according to their specific domain. Users can now extend the included threat definitions with ones of their own.
“Microsoft Threat Modeling Tool 2014 comes with a base set of threat definitions using STRIDE categories,” blogged Emil Karafezov, program manager on the Secure Development Tools and Policies team at Microsoft. “This set includes only suggested threat definitions and mitigations which are automatically generated to show potential security vulnerabilities for your data flow diagram. You should analyze your threat model with your team to ensure you have addressed all potential security pitfalls.”
“We hope these new enhancements in Microsoft Threat Modeling Tool 2014 will provide greater flexibility and help enable you to effectively implement the SDL process in your organization,” he added.
Brian Prince is a Contributing Writer for SecurityWeek.