Just downloaded the new version of Microsoft Threat Analysis & Modeling tool to have a quick play with it. Seems like a fairly slick program and walks you through building a comprehensive threat model of an application. Here’s the blurb:

Microsoft Threat Analysis & Modeling tool allows non-security subject matter experts to enter already known information including business requirements and application architecture which is then used to produce a feature-rich threat model. Along with automatically identifying threats, the tool can produce valuable security artifacts such as:
– Data access control matrix
– Component access control matrix
– Subject-object matrix
– Data Flow
– Call Flow
– Trust Flow
– Attack Surface
– Focused reports

I managed to build a sample threat tree within a few minutes, but it’s quite a job to map all the threats against a particular application (especially an n-tiered one).

Check it out: Download details: Threat Analysis & Modeling v2.0