John Bristowe, Developer Evangelist for Microsoft, heard about this and invited me on to a podcast where we talk about the tool.
Well, I am proud to annouce that Adam and his team listened to our feedback, and released a beta of the tool this week for FREE to the community. At the time it was heavily coded to use internal Microsoft resources and pathings, and just wasn’t in a position to be released outside the corporate LAN. You can see the difference in the two processes with this image:ĭuring MVP summit, Alun, Jesper and I sat in on a developer security session where I pressured hard on Adam Shostack, the owner of the tool within Microsoft, to release this tool to the community. While the TAM tool is a great application threat modeling tool, it doesn’t align well with the use of STRIDE, as part of SDL. If you are a regular reader of this blog, you know earlier this year I challenged Microsoft to cross-breed The Microsoft TAM tool with Microsoft’s internal threat modeling tool that they use for their own commercial software. If you care to build secure code (which I would assume since you read my blog) threat modeling may be a very important part of your development lifecycle.
SDL Threat Modeling Tool 3.1 beta is available for download here.If you design and/or write code, building trustworthy software may or may not be a driver in your team. “Innovative features in the Microsoft SDL Threat Modeling Tool 3.0 include these: automation - guidance and feedback in drawing threat diagrams STRIDE Framework - guided analysis of threats and mitigations integration - bug-and issue-tracking systems reporting capabilities - security activities and testing in the verification phase,” Microsoft explained.Īccording to the Redmond company, the SDL Threat Modeling Tool, a core element of the Security Development Lifecycle, is set up to perform analysis on the designs and software architecture ahead of the implementation phase. Microsoft's strategy with sharing its security best practices, model and tools with third-party software developers is meant to counter the generalized trend of the threat landscape to focus on the software designed to run on top of the Windows operating system, as opposed to the actual platform, in terms of attacks. SDL Threat Modeling Tool 3.1 went live on the Microsoft Download Center on November 6, 2008, carrying the Beta label.
The tool has been used extensively within Microsoft,” revealed Steve Lipner, senior director of security engineering strategy in Microsoft’s Trustworthy Computing Group back in September. “This tool allows for structured analysis, tracking and mitigation of potential security and privacy issues, based on a methodology that any software architect can lead effectively.
As an integral part of the initiative, Microsoft pointed developers to the SDL Pro Network, the SDL Optimization Model and the Microsoft SDL Threat Modeling Tool 3.0 as resources necessary to increase the security of their software products. In September 2008, Microsoft announced that it planned to share not only its secure development practices but also the tools it was deploying in order to increase the level of protection for customers with developers industry wide. Microsoft has made the internal security tool that helped bulletproof the Windows operating system available as a free download.