Microsoft Security Development Lifecycle (SDL) - Threat Modeling announcement
I have had the pleasure over the past few months to spend some time playing with an early rendition of "Elevation of Privilege: The Threat Modeling Game". According to Adam, "Elevation of Privilege is the easiest way to get started threat modeling". I couldn't agree more. If you have a team that is new to the whole process of threat modeling, you will want to check it out. If you are at RSA this week, drop by the Microsoft booth and pick the game up for free. If you aren't, you can download it here.
EoP is a card game for 3-6 players. The deck contains 74 playing cards in 6 suits: one suit for each of the STRIDE threats (Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service and Elevation of Privilege). Each card has a more specific threat on it. You can see a short video on how to play and some more information about the game by checking out Adam's post here. In the end, it is a game that makes it possible to have more fun when thinking about threats. And that's a good thing.
Even more impressive is that they have released the game under a Creative Commons Attribution license, which gives you freedom to share, adapt and remix the game. So if you feel you can improve upon this, step up and let everyone know!!
Congratulations to the SDL team for creating an innovative way to approach the concept of threat modeling.
The latest beta of the Threat Modeling tool is now available for download at: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=a48cccb1-814b-47b6-9d17-1e273f65ae19&displaylang=en
Many bugs previously reported have been fixed, along with support for Visio 2010.
Please give the beta a download and check it out if you have open bugs. Let me know if you have any problems and I'll send it back up the chain within Microsoft!
Happy threat modeling!