Channel9 Interview

I did an interview a while back on Channel9 on our threat modeling tool and process… it went up a while ago and I completely missed it. It’s up and available for viewing here:  Thanks.  -Talhah Mir


Threat Anlysis and Modeling v2.1 Now Available!!!

[UDPATE] The download is now live.  [UPDATE] Please send feedback & feature requests to ——————————————————-  Threat Analysis and Modeling Tool v2.1 is now available here. This release comes with some new features and lot of updates to existing features. This version paves the path to the next iteration of the tool (TAM Enterprise version). I…


TAM v2.1 Sandboxing – Part II – Risk Measurement Plug-in

TAM v2.1 introduces a new security model for the plug-in under which the behavior of the plug-in can be controlled by the user. TAM v2.1 allows user to configure the permission set which is granted to the plug-in when it is loaded. From a usability perspective this has to be simple and effective for user…


ACE Team on Channel9

ACE Team is on Channel9. This is the 1st part of the interview (there is a part on the TM tool as well 🙂 ). Stay tuned… -Talhah Mir


TAM v2.1 Sandboxing – Part I – Risk Measurement Plug-in

TAM v2.1 supports multiple risk measurement techniques by allowing the user to specify a plug-in to measure the risk and save the relevant data along with the threat model. This two part blog helps you to understand the security impact of plug-in system in TAM. In order to understand the security impact, first we need…


Application security – The ACE View

As business process automation started to take hold in the early 1990s, organizations began to replace people with software programs. These early software programs automated some of the not so important business processes and those that could still be performed manually even if these software programs failed. As time went by and enterprises realized significant…


Security lock down

As a part of the MSDN Security on the Brain Series of Conferences, there is a virtual conference on September 27th. More information can be found here. MSDN – Virtual Security Conference I will be presenting a one hour session on Threat Modeling starting at 3pm EST. Please note the timing on that URL is…



Talhah has been blogging about Knowledge management and translation and some other stuff that nicely leads onto the larger picture of Application Risk Management. I will be doing a webcast presenting a high-level overview of Application Risk Management – the need for it, the importance of it and some preliminary findings on how to tackle…


Risk Measurement Plug-in Development

Threat Analysis and Modeling Tool (TAM) tool uses a interface to provide risk measurement plug-in functionality. Interface ICalculateRisk can be found under ACEServices.Torpedo2.TMObjectModel namespace. This namespace is available by importing TMObjectModel.dll assembly which can be found in the installation directory. ICalculateRisk.CalculateRisk  is the single method in the interface which needs to be implemented in order…


Customizing TAM drop-downs

We’ve been getting a lot of queries around the drop-downs in the TAM tool to define things like Authentication Mechanism for roles or selecting Service Type or Technology for Components. The items in these lists are customizable and can be done so by editing the following XML file:   <home directory>\Application Data\Microsoft\TAM\Temp\AppLists.xml   -Talhah Mir