A discussion on threat modeling

I recently had an email discussion with a few folks about threat modeling that I thought would be worth sharing on this blog. I'll reduce the discussion down to three questions and responses. Question: Where does the line between Threat Modeling and documenting operational best practices begin and end? Response: A good threat…


TAM/TAMe and Other ACE Tools

Mark Curphey (newest member of ACE) recently did a post on a set of tools we have in our portfolio that we’re starting to take out to our customers (including TAMe). Read more here. -Talhah


XSSDetect BETA now available!

I've talked about threat modeling being one part of the overall information security puzzle… there are other controls and tools you need to make the process run smoothly. Our team recently released another of these tools, called XSSDetect, which helps detect Cross-Site Scripting (XSS) problems in .NET code, one of the most common problems in…


Threat Modeling & SDL-IT

A common challenge for folks evaluating threat modeling as a control that could help them secure their software is setting the correct expectations. So what exactly can threat modeling do for you? In order to answer this question, I think it's important to first set the context. Within our team, ACE, everything pretty…


Threat Profile and "Composite Threat"

A threat profile is a very interesting concept: it identifies the complete set of threats in a given application context. The Threat Analysis and Modeling (TAM) tool generates a threat profile using an inclusive methodology; in other words, it starts from the set of allowable actions in order to identify possible threats. The TAM tool uses the Subject-Object Matrix…
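To make the "inclusive" idea concrete, here is an added example (my own illustration, not code from the TAM tool or the ACE team) that builds a small subject-object matrix of allowed actions and derives candidate threats as every subject/action/object combination the matrix does not permit. The role, asset and action names are constructed for the example, and the "complement of the allow list" enumeration is an assumption about how such a profile can be generated, not a description of TAM's internal algorithm.

```python
"""Toy threat-profile generator built on a subject-object matrix.

Added example; not the TAM tool's code. It models the inclusive approach:
start from the actions each subject (role) is allowed to perform on each
object (asset), then treat every subject/action/object triple outside that
allow list as a candidate threat to review.
"""
from itertools import product

# The action vocabulary is constructed for this example.
ACTIONS = ("create", "read", "update", "delete")

# Subject-object matrix: role -> asset -> set of allowed actions (constructed).
MATRIX = {
    "Anonymous": {"Catalog": {"read"}},
    "Customer": {"Catalog": {"read"}, "Order": {"create", "read"}},
    "Admin": {"Catalog": set(ACTIONS), "Order": set(ACTIONS)},
}


def assets(matrix):
    """All objects referenced anywhere in the matrix, sorted for stable output."""
    return sorted({asset for perms in matrix.values() for asset in perms})


def allowed_actions(matrix):
    """Enumerate the (subject, action, object) triples the matrix permits."""
    return {
        (subject, action, obj)
        for subject, perms in matrix.items()
        for obj, actions in perms.items()
        for action in actions
    }


def candidate_threats(matrix, actions=ACTIONS):
    """Complement of the allow list over the full subject x action x object space.

    A subject with no entry for an object gets every action on that object
    flagged, which is the behaviour you want: silence in the matrix is not
    permission.
    """
    allowed = allowed_actions(matrix)
    space = product(matrix, actions, assets(matrix))
    return sorted(triple for triple in space if triple not in allowed)


def threat_profile(matrix, actions=ACTIONS):
    """Group candidate threats by object into a readable threat profile."""
    profile = {}
    for subject, action, obj in candidate_threats(matrix, actions):
        profile.setdefault(obj, []).append(
            f"{subject} performs unauthorized {action} on {obj}"
        )
    return profile


if __name__ == "__main__":
    for obj, threats in threat_profile(MATRIX).items():
        print(f"== {obj} ==")
        for line in threats:
            print("  -", line)
```

The output is a list of unauthorized actions per asset, which is the raw material a reviewer then prunes (some combinations are not reachable) and annotates with countermeasures. The value of generating from the allow list rather than brainstorming threats directly is that nothing is silently skipped: an asset a role was never granted access to still produces an explicit entry for each action.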


Create a good threat model in 10 simple steps

How can I get a great and secure product without killing myself? This is not just a question for how-to diet magazines; it's a legitimate business problem. I teach the ACE Threat Modeling class (first Wednesday of every month!), and that is the question I hear most often. How can I make a good, useful,…


Rich Internet Applications – The New Security Frontier

In the past we have relied on the web browser to provide and restrict the user interface for interacting with applications on the Internet. As security teams slowly work to fix the usual SQL injection, XSS and input validation attacks, there is a whole new can of worms (or opportunities) waiting just around the corner. This is related…


Enterprise Edition

I recently did a TechNet webcast on how Microsoft IT manages security knowledge for better application risk management, and in it had a chance to demo a near-release build of TAM Enterprise. Check it out: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032337409&Culture=en-US Thanks. -Talhah Mir


Threat Analysis and Modeling v2.1.2 Now Available!!!

The new build contains a few fixes, including one for a problem that caused threat model documents to get corrupted. http://go.microsoft.com/fwlink?linkid=77002 Thanks. -Talhah


Tips on Threat Analysis and Modeling Tool

Some tips for working with the Threat Analysis and Modeling Tool; these can be especially useful when working on larger threat models. The tool supports drag-and-drop: just drag an item onto its parent to copy the item. You can convert user roles into service roles by dragging a user role onto the "Service Roles" node…