I have a suggestion for a future release. One thing I don't like in the SDLTM is that as I draw a DFD I regularly move things around, add and delete components etc. Normally I completely delete the sample DFD and start from scratch.
This leaves the ID numbers of each component disjointed and all over the board. I just noticed on a new thream model I was working on, by the time I actually generated the TM report I had IDs ranging from 26 to 289. (Ya I refactored the DFD that much).
It would be nice if we could "reindex" the IDs once the main DFD is done and "locked". In this way, we don't get this disjointed numbering. And it would let us later, as we modify the DFD to keep the OLD IDs and continue on from where we left off.
Can anyone think of a reason NOT to do it that way?
- 移動 Hengzhe Li 2011年6月21日 12:18 Forum Consolidate (From:Microsoft Security Development Lifecycle (SDL) - Threat Modeling)
Dana, I haven't worked with the SDL TM tool extensively, so perhaps this is just a dumb question that wouldn't need to be asked if I was more familiar...
Why are the ID #s so important, that you'd want to reindex them in the first place? Aren't they just a minor index value that are meant to create a unique reference for each element/object (much like SharePoint has an ID field that auto-increments, but which doesn't collapse down again if individual items are deleted)?
Or are these ID #s so visible that they become a primary reference point when visually scanning the DFDs, and they're more distracting than helpful when they're so prominently displayed?
If it is something like the latter, wouldn't it be nearly as viable an alternative to make the number font smaller, or to hide these values entirely from the visual front-end?
When you produce the Threat Model document report, each item is clearly defined with the ID as a primary piece of information. Whenever I read through one, in the back of my head I ask myself "why aren't these in sequence... did something get deleted?". You would never know the way it indexes it. More importantly, I think its a usability thing. No one wants to open a threat model and see an item ID of 200 when there is really only 10 items in the DFD. People new to the tool might be overwhelmed if they really think there are 200 items.
If it was properly indexed, I don't believe this sort of confusion would exist.