Microsoft has released a public version of the latest update to
an internal threat modelling tool used by its software engineers
to develop secure code.
The tool was developed to support Microsoft's internal
Security Development Lifecycle (SDL) initiative, but is now
available as a free public download for Visio 2007.
The SDL, which has been mandatory Microsoft-wide policy since
2004, introduces security and privacy practices early in the
development process.
SDL is a risk-based software development methodology which aims
to protect end-users by reducing the number and severity of
vulnerabilities in code.
Adam Shostack, Microsoft's SDL senior program manager, said the
Threat Modeling Tool is a core element of the SDL developed with
feedback from Microsoft's software engineers.
"We decided to release this tool because we realised it was not
specific to our processes, but could also help outside software
developers," he said.
The tool enables software architects to communicate about the
security design of their systems, analyse those designs for
potential security issues, and suggest mitigations for security
issues.
"This acts as a very nice first tool to help software
development teams get started in following SDL," said Shostack.