Threat Modeling Tool - Real Life Examples

  • Question

  • Hello,

    I first learned about the Threat Modeling Tool a couple of years ago, when it was still called TAM. At that time I tried to delve a bit deeper to see if the tool was useful to include as part of the day-to-day operations in an ICT environment. Even then I found it difficult to evaluate the tool because of the lack of real-world examples. Today I still find it difficult to really get started with the tool because I cannot find (except for the two canonical examples SDL Threat Modeling Tool.tms and SDL_TM_Exercise.tms) any more examples that would make it easier to get started. Using the tool I can get a feeling for what it is all about, but since "the devil is in the details" I would like to have a bit more background information. It would be nice, for example, to have some example *.tms files on how to use the tool for some basic application scenarios:

    • Web application with a couple of functionalities targeted at different roles, using data in a backend repository
    • Web application with a couple of functionalities targeted at different roles, using data in a backend repository via a web service
    • Rich client using web service via intranet
    • Rich client using web service via internet
    • ...

    Thank you in advance.

    Kind regards,

    Mrs. Wilke Jansoone


    Consultant

    Friday, December 14, 2012 10:45 AM
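The scenarios listed in the question do not come with .tms files, but the method the tool applies to a diagram (STRIDE-per-element over external entities, processes, data stores, data flows and trust boundaries) can be shown in code. The following is an added Python example, not a file from the SDL Threat Modeling Tool and not part of the original post; the element names, trust zones and data flows are assumptions constructed for the first two scenarios (a role-based web application with a backend repository reached through a web service).

```python
"""STRIDE-per-element walk-through of a role-based web application with a
backend repository behind a web service.  Added illustration: it is not a
.tms export from the SDL Threat Modeling Tool, and the element names, trust
zones and data flows below are assumptions chosen for the example."""

from collections import Counter
from dataclasses import dataclass, field

# STRIDE-per-element: which of the six categories apply to each DFD element
# type.  This is the mapping the SDL tool applies to a diagram: external
# entities can be spoofed and can repudiate; processes are exposed to all
# six; data stores to T, R (logs), I, D; data flows to T, I, D.
STRIDE_PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}

CATEGORY_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # a key of STRIDE_PER_ELEMENT
    zone: str   # trust zone; a flow between different zones crosses a boundary


@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element
    data: str   # what travels on the flow, to make the T/I entries concrete


@dataclass
class Model:
    elements: list = field(default_factory=list)
    flows: list = field(default_factory=list)

    def boundary_crossings(self):
        """Flows whose endpoints sit in different trust zones."""
        return [f for f in self.flows if f.src.zone != f.dst.zone]

    def enumerate_threats(self):
        """Return (element, category, note) triples, one per applicable
        STRIDE letter, as the per-element method produces them."""
        threats = []
        for e in self.elements:
            for c in STRIDE_PER_ELEMENT[e.kind]:
                threats.append((e.name, CATEGORY_NAMES[c], f"{e.kind} in zone {e.zone}"))
        for f in self.flows:
            if f.src.zone != f.dst.zone:
                note = f"carries {f.data}; crosses {f.src.zone} -> {f.dst.zone}"
            else:
                note = f"carries {f.data}; stays inside {f.src.zone}"
            for c in STRIDE_PER_ELEMENT["data_flow"]:
                threats.append((f.name, CATEGORY_NAMES[c], note))
        return threats


def summarize(model):
    """Count threats per STRIDE category (a quick check on coverage)."""
    return Counter(category for _, category, _ in model.enumerate_threats())


def build_web_app_model():
    """Constructed example: two browser roles, a front end in a DMZ with a
    local session cache, a web service in an application tier, and a
    database plus audit log in a data tier."""
    user = Element("Browser (user role)", "external_entity", "internet")
    admin = Element("Browser (admin role)", "external_entity", "internet")
    web = Element("Web front end", "process", "dmz")
    cache = Element("Session cache", "data_store", "dmz")
    svc = Element("Order web service", "process", "app_tier")
    db = Element("Orders database", "data_store", "data_tier")
    audit = Element("Audit log", "data_store", "data_tier")
    model = Model([user, admin, web, cache, svc, db, audit])
    model.flows = [
        Flow("HTTPS user session", user, web, "credentials, order forms"),
        Flow("HTTPS admin session", admin, web, "credentials, role assignments"),
        Flow("Session lookup", web, cache, "session id -> role"),
        Flow("Service call", web, svc, "order request plus caller identity"),
        Flow("SQL", svc, db, "order rows"),
        Flow("Audit write", svc, audit, "who did what, when"),
    ]
    return model


if __name__ == "__main__":
    m = build_web_app_model()
    for name, category, note in m.enumerate_threats():
        print(f"{category:22} {name:28} {note}")
    print("\nper category:", dict(summarize(m)))
    print("boundary crossings:", [f.name for f in m.boundary_crossings()])
```

Running the script lists 46 candidate threats for this small diagram. The list is only the starting point the tool also gives you: the useful work is deciding, for each boundary-crossing flow, how the caller is authenticated (the role decision must be re-made in the web service, not trusted from the front end), how the channel's integrity is protected, and which actions are written to the audit log so that repudiation has an answer.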

All replies

  • Thanks for your post Wilke. The SDL Threat Modeling Tool.tms and  SDL_TM_Exercise.tms files distributed with the tool are the only examples we currently have published. We are investigating options for publishing more complex examples in the future; however, we don’t yet have a timeframe or scope identified.

    Tuesday, January 8, 2013 10:11 PM
    Moderator
  • Hello,

    Thank you for taking the time to answer my question. As I stated in my initial question, I am not looking for more complex scenarios but for some real-life examples. To me the tool seems conceivably simple, but I cannot bring myself to actually use it because of the lack of some sample scenarios. I find it strange that, taking into account Microsoft's focus on the SDL, still so few practical informational resources are available. Some of the tools have already been out for a couple of years now.

    Kind regards,

    Mrs. Wilke Jansoone


    Consultant

    Wednesday, January 9, 2013 10:10 AM
  • Thanks for the follow-up Wilke. Below are pointers to some additional threat modeling resources that may help in case you have not already run across them (or others reading this thread have not).

    Resources for the Microsoft SDL Design Phase. (There are many relevant links under the step #7 column) http://www.microsoft.com/security/sdl/discover/design.aspx

    The Elevation of Privilege card game. http://www.microsoft.com/security/sdl/adopt/eop.aspx

    All SDL Team Threat Modeling Blog Posts. http://blogs.msdn.com/b/sdl/archive/tags/threat%20modeling/default.aspx

    Wednesday, January 9, 2013 6:29 PM
    Moderator
  • If you're looking for more 'real world examples', I would recommend 3 different resources (two books and one online article):

    -The OWASP Page on Application Threat Modeling (I can't post links, but you can easily find it).  This does not provide all of the things you're looking for, but it does provide a very good example.

    -Threat Modeling (Frank Swiderski and Window Snyder).  ISBN: 0-7356-1991-3.  The book is based around 3 large example scenarios (one of which is a web application).

    -Writing Secure Code, Second Edition  (Michael Howard and David LeBlanc). ISBN: 0-7356-1722-8.  Has a chapter on Threat Modeling that is very good.  This is also referenced in the Microsoft SDL. 

    The books referenced are a bit old, but still very very good.

    Tuesday, February 12, 2013 12:07 AM