LOCK IT UP ... Keys to Better Security

by Neil Rerup
September 26, 2006

Review: Microsoft's Threat Modeling Tool

In my previous blog post, I went over the importance of doing Threat Modeling before you put together your Architecture, so that you understand the threats and risks you need to deal with. But that is primarily a manual process. One of the tools I've run across is Microsoft's Threat Analysis and Modeling tool, which can assist in developing your Threat Model. Plus it has the added benefit of being free. That said, remember that you get what you pay for.

For those of you who would like to check out the Microsoft Threat Analysis and Modeling tool v2.0, you can obtain it at http://www.microsoft.com/downloads/details.aspx?familyid=570dccd9-596a-44bc-bed7-1f6f0ad79e3d&displaylang=en .

The tool has four areas that you work in, plus the Attack Library. Those four areas are:

  • Business Objectives
  • Application Decomposition
  • Application Use Cases
  • Threats

The Tutorial recommends the following order: first fill in the Business Objectives of the Application, then detail the individual components that make up the Application (the Application Decomposition), then build the Application Use Cases by combining those components according to the Business Objectives, and finally generate the Threats against the Use Cases. The output of the Threat generation gives you the information you need to create an architecture that takes your Risks into account.

For each generated Threat you are required to state how you will handle it, whether by avoiding the risk or accepting it. You also give each risk a coarse rating derived from its Impact (low, medium, high) and Probability (low, medium, high). You then decide which Countermeasures to put in place for the Risk, chosen from the countermeasures listed in the Attack Library. The Threat Model also produces a visual representation of each Attack as a Visio diagram.

The tool can also generate reports tailored to the audience that needs them: one each for the Risk Owner, the Architect, the Developer, Test, and the Operations team. You can also generate a Comprehensive Report that includes all views.

You can customize both the Reports that are generated and the Attack Library associated with the tool. Creating your own Attack Library makes sense because you may have specific types of Attacks you need to focus on, and different countermeasures you want to prescribe for specific attacks. Because the tool's data is XML, it is just a matter of creating your own Attack Library and importing it into the tool.
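To make the workflow above concrete, here is an added example (my own illustration, not the tool's code and not Microsoft's file format): a small Python model of the same pipeline, from Application Decomposition and Use Cases to generated Threats, an Impact and Probability rating, a required response per Threat, and role-specific report views, driven by a custom attack library in XML. The XML element names, the Python names, the CORP-STD relevancy identifiers and the sample components are all assumptions constructed for this illustration.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample attack library. The element and attribute names are an
# assumed illustrative schema, NOT the file format the Microsoft TAM tool uses.
ATTACK_LIBRARY_XML = """<AttackLibrary>
  <Attack id="A1" name="SQL injection" targets="Database" relevancy="CORP-STD-4.2">
    <Countermeasure>Parameterised queries</Countermeasure>
    <Countermeasure>Least-privilege database account</Countermeasure>
  </Attack>
  <Attack id="A2" name="Credential capture in transit" targets="WebService" relevancy="CORP-STD-2.1">
    <Countermeasure>TLS on every service call</Countermeasure>
  </Attack>
  <Attack id="A3" name="Audit log tampering" targets="AuditLog" relevancy="CORP-STD-7.0">
    <Countermeasure>Append-only log store</Countermeasure>
  </Attack>
</AttackLibrary>"""

LEVEL = {"low": 1, "medium": 2, "high": 3}
RESPONSES = {"avoid", "mitigate", "transfer", "accept"}

@dataclass(frozen=True)
class Attack:
    id: str
    name: str
    targets: str            # component kind this attack applies to
    relevancy: str          # hypothetical corporate standard it maps to
    countermeasures: tuple

@dataclass(frozen=True)
class Component:            # one entry of the Application Decomposition
    name: str
    kind: str

@dataclass(frozen=True)
class UseCase:              # combines components from the decomposition
    name: str
    components: tuple

@dataclass
class Threat:
    use_case: str
    component: str
    attack: Attack
    impact: str
    probability: str
    response: str

    @property
    def risk(self) -> int:  # ordinal Impact x Probability, 1..9
        return LEVEL[self.impact] * LEVEL[self.probability]

    @property
    def band(self) -> str:
        return "high" if self.risk >= 6 else "medium" if self.risk >= 3 else "low"

def load_attack_library(xml_text: str) -> list:
    root = ET.fromstring(xml_text)
    return [Attack(id=a.get("id"), name=a.get("name"), targets=a.get("targets"),
                   relevancy=a.get("relevancy"),
                   countermeasures=tuple(c.text.strip() for c in a.findall("Countermeasure")))
            for a in root.findall("Attack")]

def generate_threats(use_cases, components, library, ratings) -> list:
    """One Threat per (use case, component, attack whose target kind matches).
    `ratings` is the analyst's judgement keyed by attack id: (impact, probability,
    response). An unrated attack gets a placeholder with an empty response so that
    validate() flags it rather than silently dropping it."""
    kinds = {c.name: c.kind for c in components}
    return [Threat(uc.name, comp, atk, *ratings.get(atk.id, ("medium", "medium", "")))
            for uc in use_cases for comp in uc.components
            for atk in library if atk.targets == kinds[comp]]

def validate(threats) -> list:
    """Every Threat needs a stated response; additionally flag a high-band risk that
    is merely accepted and any unaccepted Threat with no countermeasure to apply."""
    problems = []
    for t in threats:
        key = f"{t.use_case}/{t.component}/{t.attack.id}"
        if t.response not in RESPONSES:
            problems.append(f"{key}: no valid response")
        elif t.response == "accept" and t.band == "high":
            problems.append(f"{key}: high risk accepted")
        elif t.response != "accept" and not t.attack.countermeasures:
            problems.append(f"{key}: no countermeasure")
    return problems

ROLE_FIELDS = {  # which columns each audience's report shows
    "risk_owner": ("use_case", "attack", "band", "response"),
    "architect": ("use_case", "component", "attack", "band", "relevancy"),
    "developer": ("component", "attack", "countermeasures"),
    "test": ("use_case", "component", "attack", "countermeasures"),
    "operations": ("component", "attack", "response"),
}

def report(threats, role) -> list:
    """Role-specific view of the Threats, highest risk first."""
    rows = []
    for t in sorted(threats, key=lambda t: -t.risk):
        full = {"use_case": t.use_case, "component": t.component, "attack": t.attack.name,
                "band": t.band, "response": t.response, "relevancy": t.attack.relevancy,
                "countermeasures": ", ".join(t.attack.countermeasures)}
        rows.append({k: full[k] for k in ROLE_FIELDS[role]})
    return rows

# Constructed sample model: two use cases over three components.
COMPONENTS = (Component("OrdersDB", "Database"), Component("OrderSvc", "WebService"),
              Component("AuditTrail", "AuditLog"))
USE_CASES = (UseCase("Place order", ("OrderSvc", "OrdersDB")),
             UseCase("Review audit history", ("AuditTrail", "OrdersDB")))
RATINGS = {"A1": ("high", "high", "mitigate"), "A2": ("high", "medium", "mitigate"),
           "A3": ("medium", "low", "accept")}

def build_model(ratings=RATINGS):
    threats = generate_threats(USE_CASES, COMPONENTS, load_attack_library(ATTACK_LIBRARY_XML), ratings)
    return threats, validate(threats)

if __name__ == "__main__":
    threats, problems = build_model()
    for row in report(threats, "risk_owner"):
        print(row)
    print("problems:", problems)
```

The validate step is the part worth copying into your own process: the tool only insists that a response exists, but a high-band risk that someone has simply accepted, or a mitigation with no countermeasure behind it, is exactly what the Risk Owner's report should surface.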

So that’s a brief description of the tool. Now for my opinion of it.

I want to state right off the bat that I like the potential that the tool has for standardizing something that has typically been an Ad Hoc activity in an organization. You're able to raise your security posture standard simply by having a standardized tool in your processes. Plus, I haven’t seen any other tools out there that you could use. So, overall, I would recommend using it.

That said, there are a lot of things to keep in mind with this tool:

  • Once you have generated the Business Cases, move to the Use Cases to drive the Decomposition. I found that using the process recommended in the Tutorial isn't as smooth as if you were to use the Use Cases to generate the Decomposition.
  • There isn't a capability right now to use Cut & Paste with the tool. As a result, you wouldn't be able to take from one Threat Model and load into a second, which would assist in cutting down the time for the creation of each successive Threat Model.
  • If you are using the Use Case Wizard, you can't re-enter it once you leave it. As a result, you have to leave the tool running until you've completed the Use Cases; otherwise you have to start all over again.
  • As a Security Professional, I would like to be able to map to the Corporate Security Standards of my company. I'm not able to do that with this tool aside from creating something in the Relevancies section of the Attack Library.
  • It would be very useful to be able to import existing Visio diagrams of the logical model of the Application in order for the Tool to generate the decomposition for you, rather than you having to create the Decomposition.
  • The Reports are very difficult to understand. Plus, the format that the Reports need to be in is difficult to find on the Threat Modeling web site on MSDN.
  • The tool presently doesn't integrate into any Governance tool, so you can't link the outputs of the Tool with anything else for tracking of the Risk mitigations through the Software Engineering process.
  • The Tutorial is limited in its effectiveness.

If you do the Threat Modeling properly, expect to spend between 16 and 40 hours generating the Threat Model, depending on how detailed you get. The more you use the tool, the quicker you understand the intricacies and the quicker you can get the Threat Model done.

This is a free tool and you get what you pay for. Overall, I would recommend it for your Software Engineering process, depending on what your original Business Requirements are (remember that blog post?), which drive the entire SDL. Every little bit helps, and this helps a lot.

Regards,

Neil R.

Posted at 11:39 AM