Yesterday, we posted Frank Swiderski’s excellent Threat Modeling Tool. We’ve been using this internally to do threat models for several months, and now the tool is out of beta and ready for the world. Frank’s new book, Threat Modeling, should be out soon.
If you’re new to threat modeling, check out the Threat Modeling Chapter from Improving Web Application Security: Threats and Countermeasures. You’ll also want to check out Chapter 4 of Writing Secure Code, Second Edition. Mike has a post on this as well.
The Threat Modeling Tool allows users to create threat model documents for applications. It organizes relevant data points, such as entry points, assets, trust levels, data flow diagrams, threats, threat trees, and vulnerabilities into an easy-to-use tree-based view. The tool saves the document as XML, and will export to HTML and MHT using the included XSLTs, or a custom transform supplied by the user.