Threat Modeling
To protect your applications from hackers, you have to understand the threats to your applications. Threat modeling is composed of three high-level steps: understanding the adversary’s view, characterizing the security of the system, and determining threats. The resources on this page will help you understand the threat modeling process and build threat models that you can use to secure your own applications.
Evolution of Threat Modeling
Application Threat Modeling
Built on the fundamental assertion that your most critical threats are to your business objectives and not the underlying technology used to fulfill them, the Microsoft Application Consulting & Engineering (ACE) team has, over the past few years, evolved and optimized a process of threat modeling to help empower businesses to do effective application risk management during the software development lifecycle and beyond. This process is supported by an enhanced tool and supporting material to address the problem of application security from the perspective of a non-security professional.
Articles and Information
Resource File: Threat Model Your Security Risks
How do you make sure your application is as secure as it needs to be? Well, you should begin with threat modeling, an iterative approach to assessing the vulnerabilities in your application to find those that are the most dangerous because they expose the most sensitive data. From there, you create a prioritized set of countermeasures to manage your risk.
Threat Modeling Web Applications
Patterns & Practices introduces a new approach to threat modeling for your Web applications. Threat modeling helps you model your security design so that you can expose potential security design flaws and vulnerabilities before you invest significant time or resources. This approach is integrated into MSF Agile in Visual Studio 2005 and builds on, simplifies, and refines the original six-step threat modeling process from Improving Web Application Security.
MSDN Webcast: Writing Secure Code – Threat Defense
In this session for experienced developers, you will build upon existing knowledge of secure coding best practices to learn about analyzing, mitigating and modeling threats. The session will discuss established threat modeling methodologies and tools and show how they can be applied with other best practices to minimize vulnerabilities and limit damage from attacks.
Frank Swiderski - Threat Modeling Tool Revealed
Microsoft Security Engineer Frank Swiderski talks to Channel 9 about threat modeling. Frank wrote the Threat Modeling Tool available on this page.
Books
Book: Threat Modeling
Threat modeling has become one of the top security analysis methodologies that Microsoft’s developers use to identify risks and make better design, coding, and testing decisions. This book provides a clear, concise explanation of the threat-modeling process, describing a structured approach you can use to assess the security vulnerabilities for any application, regardless of platform.
Downloads
Microsoft Threat Analysis & Modeling v2.1
To facilitate the creation and assimilation of threat models, the Microsoft ACE Team created the Microsoft Threat Analysis & Modeling tool. Now nonsecurity subject matter experts can enter already-known data, including business requirements and application architecture, which is then used to produce a feature-rich threat model. Along with automatically identifying threats, the tool can produce valuable security artifacts such as access control matrices and data flow diagrams.
Threat Modeling Tool
The Threat Modeling Tool allows users to create threat model documents for applications. It organizes relevant data points, such as entry points, assets, trust levels, data flow diagrams, threats, threat trees, and vulnerabilities into an easy-to-use tree-based view. The tool saves the document as XML, and will export to HTML and MHT using the included XSLTs, or a custom transform supplied by the user.