Microsoft’s SDL Threat Modeling Tool uses the company's well-regarded Visio flowcharting and diagramming software to help model potential application threats prior to the development phase. That doesn't guarantee that coding mistakes won't create vulnerabilities, but it does create an awareness of areas to focus on in development and testing.
Forrester Research analyst Mike Gualtieri gave the product a positive write-up in a recent paper, describing it as "a unique new tool that helps developers identify and mitigate security risks to make applications more secure from the get-go". By Gualtieri's reckoning, the tool is the sole resource in the space designed to allow input from a wide range of users: "[It's] the only tool available for both security experts and application developers." Less surprisingly, it's the only tool to use the security development lifecycle (SDL) approach advocated by Microsoft for its own software.
"[The tool] makes threat modeling accessible to application architects and developers, who should perform threat modeling before even a single line of code is written because it will reduce the need for costly refactoring of code later on," Gualtieri advised. "Shops should also perform threat modeling during intermediate code reviews or whenever the design of the code changes, and developers should apply threat modeling to existing applications, as understanding these applications’ risks and vulnerabilities will help developers fix them."
The full SDL approach pushed by Microsoft is highly complex (a fact witnessed in the frequent recent delays in its own releases), but utilising the modeling approach can let companies benefit from the basic concept without becoming bogged down in details. However, Gualtieri suggests that a deeper understanding could pay dividends even if it is initially time-consuming: "Many application developers have an understanding of security properties that ends at authentication, authorization, and confidentiality — they might not even think about nonrepudiation or availability."
Of course, modeling can only take you so far, as even an enthusiast like Gualtieri acknowledges: "Your threat modeling efforts will be all for naught if your mitigation strategies don’t find their way into your application code." As with most IT projects, senior executive support for threat modeling will help ensure widespread adoption.
By Microsoft's reckoning, SDL modeling may be of more use for broad business platforms than for tightly defined tools aimed at a very specific business process. "The focus of SDL Threat Modeling is the products we develop such as Windows and SQL Server," Microsoft's Application Threat Modeling blog pointed out in a recent post. "In that space, the final deployment pattern is not known so you don’t know if that software is going to be instantiated to manage business-critical applications with customer credit cards or your nearby cafeteria menu. As such, the focus of the methodology and tool is on the software to try to ensure security of the underlying code."
Version 3 of the modeling tool, which has been in testing for some time, was made available in November 2008. It can be downloaded for free from Microsoft's site, though you'll need a copy of Visio 2007 to actually use it. (Visio is not included in any of the standard Office 2007 bundles, so you'll almost certainly need a separate licence.) Microsoft offers a useful (if slightly cheesy) overview of how to use the product on its site.