Threat Modeling is an important technique that can help improve the security of the applications you're developing. While Microsoft has made some guidance available on threat modeling, including a book from MS Press, and a free tool for threat modeling, any additional help is a good thing, so it's great to see the following guidance from the Patterns & Practices group here at Microsoft on Threat Modeling Web Applications:
Microsoft patterns & practices is pleased to announce the latest addition to our library of architecture guidance:
Threat Modeling Web Applications
What is it
patterns & practices introduces a new approach to threat modeling for Web applications. Threat modeling helps you model your security design so that you can expose potential security design flaws and vulnerabilities before you invest significant time or resources. This approach is integrated into MSF Agile in Visual Studio 2005 and builds on, simplifies, and refines the original six-step threat modeling process from Improving Web Application Security.
This is our first step, in an approach to use modular, type specific, task-based content in a way that's contextual and easily plugs in for tools integration.
The guidance includes:
patterns & practices Team
- At a Glance: http://msdn.microsoft.com/library/en-us/dnpag2/html/TMWAglance.asp
- How To: http://msdn.microsoft.com/library/en-us/dnpag2/html/TMWAhowto.asp
- Walkthrough: http://msdn.microsoft.com/library/en-us/dnpag2/html/TMWAwalkthrough.asp
- Cheat Sheet: http://msdn.microsoft.com/library/en-us/dnpag2/html/TMWAcheatsheet.asp
- Template : http://msdn.microsoft.com/library/en-us/dnpag2/html/TMWAtemplate.asp
- Template Sample: http://msdn.microsoft.com/library/en-us/dnpag2/html/TMWAtemplatesample.asp
- Program Manager: J.D. Meier (Microsoft Corporation)
- Development: Alex Mackman (Content Master), Blaine Wastell (Ascentium Corporation)
- Test: Larry Brader (Microsoft Corporation), Sivanthapatham Shanmugasundaram (Infosys Technologies Ltd)
- Edit: Nelly Delgado (Microsoft Corporation) Sharon Smith (Linda Werner & Associates Inc), Tina Burden McGrayne (Linda Werner & Associates Inc).
Contributors and Reviewers
- Key Contributors/Reviewers: Andy Eunson; Anil John, Johns Hopkins University - Applied Physics Laboratory; Corey Ladas (EEG), Microsoft Corporation; David Raphael, Foundstone Professional Services; Don Wilits, Microsoft Corporation; Edward Jezierski, Microsoft Corporation; Larry Brader, Microsoft Corporation; Mark Curphey, Foundstone Professional Services; Randy Miller (MSF Agile), Microsoft Corporation; Rico Mariani (CLR), Microsoft Corporation; Rudolph Araujo, Foundstone Professional Services; Shawn Veney (ACE Team), Microsoft Corporation.
- Contributors/Reviewers: Brian Cowan; Brian Gran, Ascentium Corporation; Darren Simmonds, Ascentium Corporation; Jan Drake, Ascentium Corporation; Jason Hogg, Microsoft Corporation; Jonathan Wanagel, Microsoft Corporation; Kate Baroni, Microsoft Corporation; Keith Brown, Pluralsight LLC; Maarten Van De Bospoort, Microsoft Corporation; Manoranjan M Paul; Michael Panciroli, Ascentium Corporation; Mrinal Bhao, Infosys Technologies Ltd; Naveen Yajaman, Microsoft Corporation; Pete Coupland, VMC Consulting Corporation.