The Threat Modeling Tool implements one way to derive threats (potential security problems) from a system specification and this is via Data flow Analysis (DFD). As shown in the screenshot above, we can specify our system via DFD logic within the tool, when we are ready we switch in the analysis mode and see a couple of identified threats based on our DfD diagram.
The functionality described above is basically how all versions of this tool had worked for the last 10 years it exists. The 2016 version, published last November, has one new great feature that distinguishes it from all the others though: It now allows you to completely change the XML based templates an thereby implement own stencils, properties and, most importantly, threat logic. That works actually really great, since Microsoft also included a quite usable threat template editor into its tool.
Customizing Threat Logic
Before we start implementing our own threat logic we must understand how DfD based threat logic is expressed. In general, rules can be formulated as followed:
Basically everything that you can put in this logic you can have checked by Threat Modeling Tool 2016, both as include and exclude statements. Especially the use of custom attributes works really great for putting all kind of logic into that tool (e.g. “Uses PHP” for a stencil “Web Application”. As you can see it from the logic above, stencil always have a parent.
This logic can be used to identify the threat of data sniffing.
In case of the stencil “Web Application” this is “Generic Process”. All rules that matches the parent automatically matches child stencils such as the web application. This allows you to define own custom stencils that will automatically derive all threat logic that matches its parent. Unfortunately there is only one level available, so a child stencil cannot have another child that restricts the threat logic a bit.
The tool itself can be downloaded here. All you need to be able to work with it is a Windows system.
In addtion, I’ve created a couple of sample models and a reduced template for web applications that you can all download from my github page.
Please be aware that if you want to replace an existing template you have to change the template id within the model file (both XML). Unfortunately the tool does not allow this within the GUI. I’ve describe the detailed steps for this on the github page referenced above.
Although it still has some limitations, Microsofts new Threat Modeling Tool is a good anf free tool for creating simple DfD based security diagram and threat models. It becomes a great tool when you are using its new customization capability that allows you to create your own custom threat templates, include all kind of stencil and threat logic that are specific to your organization. I highly recommend to make this effort because the existing logic is rather limited.
If you feel that some threats identified by this tool make no sense, just look at the threat logic within the template and perhaps change it if not suitable for your organization.
Besides automatically identifying threats from a DFD diagram, this tool has one great additional implicit use: Talking about interactions and data flows a system has with developers and architects often results in a lot of “aha” moments and the identification of security problems that were not aware to anyone.