Threat Analysis and Modeling 3.0 Beta Coming Right Up
Microsoft is stepping up its focus on streamlining proactive, rather than reactive, security measures as an integral part of the application development process. In this regard, the Redmond company is currently working on version 3.0 of Threat Analysis and Modeling, a Beta of which is planned for availability at the start of July 2009. TAM is set up to enable developers to build secure apps from day one. The tool increases the focus on security by helping developers identify potential problems as early as the design process, rather than letting them respond to vulnerabilities with patches once the program has been finalized. In the video embedded at the bottom you will be able to see Anil Revuru, from the Information Security Tools team, explaining TAM and talking about version 3.0.
“Threat modeling is an objective methodology to analyze your applications for threats and identify the mitigation plan or actually define the mitigation plan for the identified threats. It starts by analyzing your high level application architecture using data flow diagrams and identifying the known vulnerabilities in the data paths of the data flow diagram. And essentially it identifies the mitigations and uses those mitigations to ensure that your application is secure,” Revuru stated.
Microsoft is currently offering Threat Analysis & Modeling version 2.1. But at the same time the company is building the next iteration of the tool, namely version 3. In the video, Revuru touches on the evolution of Threat Analysis & Modeling, and discusses new features such as an online repository for attack countermeasures, automated use case creation, and composite threads.
“To facilitate the creation and assimilation of threat models, the Microsoft ACE Team created the Microsoft Threat Analysis & Modeling tool. Now nonsecurity subject matter experts can enter already-known data, including business requirements and application architecture, which is then used to produce a feature-rich threat model. Along with automatically identifying threats, the tool can produce such valuable security artifacts as: data access control matrix; component access control matrix; subject-object matrix; data flow; call flow; trust flow; attack surface; and focused reports,” Microsoft explained.