New Microsoft Threat Modeling Tool 2014 Now Available

By Tim Rains

April 15, 2014

Influence operations

Today we’re announcing the release of the Microsoft Threat Modeling Tool 2014. This is the latest version of the free Security Development Lifecycle Threat Modeling Tool that was previously released back in 2011.

More and more of the customers I have been talking to have been leveraging threat modeling as a systematic way to find design-level security and privacy weaknesses in systems they are building and operating. Threat modeling is also used to help identify mitigations that can reduce the overall risk to a system and the data it processes. Once customers try threat modeling, they typically find it to be a useful addition to their approach to risk management.

We have been threat modeling at Microsoft for more than 10 years. It is a key piece of the design phase of the Microsoft Security Development Lifecycle (SDL). In 2011 we released the SDL Threat Modeling Tool, free of charge, to make it easier for customers and partners to threat model as part of their software development processes. The tool has been very popular and we have received a lot of positive customer feedback in addition to suggestions for improvement.

We have implemented many of the suggested improvements in the new version of the tool, now called the Microsoft Threat Modeling Tool 2014. Highlights of the new features in Microsoft Threat Modeling Tool 2014 include:

New Drawing Surface Previous versions of the Threat Modeling Tool required Microsoft Visio to build the data flow diagrams, this new release has its own drawing surface and Visio is no longer needed.
STRIDE per Interaction Big improvement for this release is change in approach of how we generate threats. Microsoft Threat Modeling Tool 2014 uses STRIDE per interaction for threat generation, were past versions of the tool used STRIDE per element.
Migration for v3 Models Updating your older threat models is easier than ever. You can migrate threat models built with Threat Modeling Tool v3.1.8 to the format in Microsoft Threat Modeling Tool 2014
Update Threat Definitions We over further flexibility to our users to customize the tool according to their specific domain. Users can now extend the included threat definitions with ones of their own.

For more details on the new features and functionality of the Microsoft Threat Modeling Tool 2014 please see the SDL blog.

You can download the tool, free of charge, here.

Tim Rains
Director
Trustworthy Computing