![microsoft sdl threat modeling tool advantage microsoft sdl threat modeling tool advantage](https://dz2cdn4.dzone.com/storage/article-thumb/13600351-thumb.jpg)
Your approach, to give non-security experts a tool for threat modeling, is very interesting. I'll take these to do some conversion stuff and if something practical comes out of it I'll be glad to share the results with you.
![microsoft sdl threat modeling tool advantage microsoft sdl threat modeling tool advantage](https://images.techhive.com/images/article/2014/04/threat_2-100262318-large.idge.png)
Thanks a lot for your reply, I actually already read your paper but your hint to the xslt-files was very helpful. It discusses a lot of our approaches to threat modeling, and that has obvious impact on the tooling.
![microsoft sdl threat modeling tool advantage microsoft sdl threat modeling tool advantage](https://image.slidesharecdn.com/prs-160628214937/85/microsoft-threat-modeling-tool-2016-12-320.jpg)
Since we're focusing on tools to help non-experts, I don't think we'll go in this direction.įinally, since you mention you're a degree student, let me point you at the Proceedings of the Workshop on Modeling Security ( MODSEC08) held as part of the 2008 International Conference on Model Driven Engineering Languages and Systems , where I published a paper on Experiences Threat Modeling at Microsoft. My experience is that threat trees are a very expert-centric approach which stymie non-experts. Have you investigated those as an avenue for changing the reports?Ģ) I doubt threat trees are in the near future. We're not making any commitments to future versions just yet, but let me give you my feedback.ġ) Reports are (mostly) generated via XSLT. Well, now that the new one exists, maybe I don't have to write stuff like described because you guys already have something in the pipeline!? tms-file and can include it into some template (word, rtf, you name it).Īfter I saw the old threat modeling tool, I planned to write some web app to do exactly what the new threat modeling tool does. My idea is to write some xml style sheet (or something similar) that "interprets" the data of a. Now your client needs some nice document, that contains all the information of the threat model but also has some informative value, meaning more prose text than something completely generated. Imagine, you work for a security company that builds security profiles and threat models as a service. The first point (export) is very important. Now the new tool is released and it seems to fit better for what I'm looking for, so thanks alot in the first place :-)īut I really want to know if you plan to integrate some better export filters and/or the possibility to draw attack trees in a visio-way like it is done for data flow diagrams!? Until now, only the old threat modeling tool from MS existed which did not match my requirements.
#Microsoft sdl threat modeling tool advantage software#
At the moment, I'm writing my diploma thesis regarding threat modeling as an efficient method to increase the security level of software projects at security code reviews.Īfter reading "Writing Secure Code" (Michael Howard/David LeBlanc), "Threat Modeling" (Frank Swiderski/Window Snyder), some additional books about secure programming and a lot of papers and stuff about threat modeling from the Microsoft perspective as well as other approaches (like TRIKE and PTA) I came to the conclusion, that the methodology by Swiderski/Snyder in combination with the ACE-Teams tam-methodology fits best for the company I do the thesis for. My name is David Elze and I'm a student of computer science at a german university.