Even though this blog’s focus has always been the ACE Threat Modeling tool and methodology which is aligned to our SDL-IT process we use for line-of-business application in Microsoft, there is another security team in Microsoft dedicated to SDL. And as part of that process, they are getting ready to release the latest incarnation of their threat modeling tool.
The man behind that tool is Adam Shostack who we’ve been working with now for some time see how we can coordinate our efforts and provide better language and messaging around the two tools we have. Progress is being made on that end as we continue to work on our respective areas for threat modeling.
At a high-level, here’s one way to think of the different focus of the two tools.
The focus of SDL Threat Modeling is the products we develop such as Windows and SQL Server. In that space, the final deployment pattern is not known so you don’t know if that software is going to be instantiated to manage business-critical applications with customer credit cards or your nearby cafeteria menu. As such, the focus of the methodology and tool is on the software to try to ensure security of the underlying code.
In the LOB-space, we deal with applications with business objectives clearly defined, deployment pattern well understood and, most importantly, a good understanding of the data assets being managed by the application. Examples could be the application we use to manage our expenses, manage our HR data, or yes, the application we use to look up the menu of our nearby cafeteria. So in this context, we take a deliberate, asset-focused approach in trying to understand the business risk in the application and help identify controls needed to manage that risk.
The tool should be out by November.