Microsoft’s Free Security Tools – Threat Modeling

This article in our series focused on Microsoft’s free security tools is on the Security Development Lifecycle (SDL) Threat Modeling Tool.

Threat modeling is a core element of the Microsoft Security Development Lifecycle (SDL). It’s an engineering technique you can use to help you identify threats, attacks, vulnerabilities, and countermeasures that could affect your application. You can use threat modeling to shape your application's design, meet your company's security objectives, and reduce risk.

Microsoft Threat Modeling Tool
The Microsoft Threat Modeling Tool makes threat modeling easier for all developers through a standard notation for visualizing system components, data flows, and security boundaries. It also helps threat modelers identify classes of threats they should consider based on the structure of their software design. We designed the tool with non-security experts in mind, making threat modeling easier for all developers by providing clear guidance on creating and analyzing threat models

There are five major threat modeling steps:

•  Defining security requirements. 
•  Creating an application diagram. 
•  Identifying threats. 
•  Mitigating threats. 
•  Validating that threats have been mitigated. 

Threat modeling should be part of your routine development lifecycle, enabling you to progressively refine your threat model and further reduce risk.

Threat modeling is not a one-time process, it should be iterative starting early in the application development and continuing throughout its lifecycle. This is because it is difficult to identify all potential threats in a single pass, and applications change over time to accommodate evolving business requirements, requiring the threat modeling process to be repeated. Whether you use the SDL or not, this tool is still useful for understanding threats to a networked system.

Some of the tool's key capabilities and innovations include:

• Automation: Guides users in drawing a model and provides feedback.
• STRIDE Analysis: A guided analysis of threats and mitigations.
• Reporting: Facilitates the reporting of security activities and testing during the verification phase.
• Unique Methodology: Allows users to visualize and understand threats better.
• Designed for Developers: Focuses on software and builds on activities that software developers and architects are familiar with, such as creating software architecture diagrams.
• Design Analysis: The Microsoft SDL approach to threat modeling is a design analysis technique that focuses on identifying security issues during the design phase.

Overall, the SDL Threat Modeling Tool provides a focused and streamlined approach to threat modeling that is designed to be used by software developers and architects.

To quickly summarize, the approach involves creating a diagram, identifying threats, mitigating them and validating each mitigation. Here’s a diagram that highlights this process:

Demo
First: Download the Threat Modeling Tool

Starting the threat modeling process
1- Run the tool
2- Click on Create a Model

3- Start Building a model
Note: you can end users/developers or web access/request

4- Click on Data flow icon

5- Analyzing threats

Once he clicks on the analysis view from the icon menu selection (file with magnifying glass), he is taken to a list of generated threats the Threat Modeling Tool found based on the default template, which uses the SDL approach called STRIDE (Spoofing, Tampering, Info Disclosure, Repudiation, Denial of Service and Elevation of Privilege). The idea is that software comes under a predictable set of threats, which can be found using these 6 categories

This article explains the reason for not discussing assets in the threat modeling process. It is noted that many software engineers have a better understanding of their software than of the concept of assets and what assets an attacker may target.
Similar to threat modeling a house, you can start by thinking about your family, precious possessions, or valuable artwork. Alternatively, you can focus on potential intruders and the security system, or physical features such as the pool or front porch. These are equivalent to considering assets, attackers, or software design in threat modeling. Any of these approaches can be effective.
The software design approach to threat modeling presented in this article is simpler compared to previous methods by Microsoft. This approach has been found to work well for many teams and it is hoped that it will be useful for yours as well.