Threat Modelling Tools Analysis 101

Abstract

An interconnected world with an increasing number of systems, products and services relying on the availability, confidentiality, and integrity of sensitive information is vulnerable to attacks and incidents. Unfortunately, the threat landscape expands and new threats, threat agents and attack vectors emerge at all times. Defending against these threats requires that organizations are aware of such threats and threat agents. Threat modeling can be used as part of security risk analysis to systematically iterate over possible threat scenarios.

The motivation for this research came from the constantly growing need to acquire better tools to tackle the broad and expanding threat landscape. One such tool which help to categorize and systematically evaluate the security of a system, product or service, is threat modeling.

Problems With Shifting Left in Designing Secure Applications

It is believed that secure systems are a corollary indicator of high-quality systems and hence it adds value to catch these defects early in the system design and development stages. However, every Engineering team and Technical Architect is always trying to find a solution to implement threat modelling into their existing DevOps Ecosystem.

The key challenge is finding ways to adopt a security framework for designing robust enterprise applications, as it is becoming difficult to stay updated with ever changing attack surfaces and threat and vulnerabilities.

Available Solutions, Benefits, Pitfalls, and Recommendations

As a DevSecOps practitioner and Security Architect I will like to share some of the key solutions available and their benefits and pitfalls through this series of evaluating different tools. I used hands on assessments and used a parameterized technical analysis and rating system for this evaluation using business cases from the emerging techs and industries.

The key factors considered into this analysis is given in the table below. I tried to conduct and in-depth analysis and recommendation and find that it is going to be useful for teams who are planning or in the process of shifting left in their organizations or projects towards DevSecOps. The Key Audience for this report is Developers, Technical Architects, Business Analysts, IT and Operations Teams of different experience levels.

Microsoft Threat Modelling Tool 2017 

We started off from evaluating the two common and most easily available Threat Modelling Tool. In this series I am presenting my opinion on MSMT 2017. I tried to develop and execute a threat model for an IoT Data Flow to study the usability to identify the Threats, Vulnerabilities and Remediation proposed by these tools below.

I tried to create the data flow using Microsoft Threat Modelling Tool and below is my personal finding and opinion on the benefits and pitfalls of using the tool.

Microsoft uses Microsoft Security Development Life Cycle (SDL) to identify threats, attacks, vulnerabilities, and countermeasures that could affect your application. The Microsoft Threat Modelling Tool (MTMT) provides a standard notation for visualizing system components, data flows, and security boundaries.

The tool provides a design view to add models. You can use the canvas space to drag and drop elements from the sidebar. Drag and drop is the quickest way to build models. However, I found certain challenges in designing the model in Design View.

I was able to create a similar data flow diagram but I also wanted to create flow boundaries. The stencil allowed me to add the same however, I was not able to easily modify the size or expand the boundary. This can lead to leaving more vulnerabilities in the application when we move forward to the analysis view. There are not a lot of stencils available in default download. However, you can add more templates from GitHub specifically targeted for Azure environments.

https://github.com/AzureArchitecture/threat-model-templates

When I further moved into the analysis view, we found the following analysis based on STRIDE Framework which is configured within the application and is one of the popular Threat Modeling Frameworks.

In order to add new framework, the tool provides a create your own stencils and templates.

A detailed view of the Threats identified by the tool and the elements involved. You can click to see the details in the property box below the table.

It also provides the mitigation guidance and the SDL phase Impacted with the Threat along with its severity.

I found the following outcome from my analysis of using the tool.

Key Benefits

1. Drawing a Diagram Quickly – The drag and drop elements provides a quick way to add elements to the data model.
2. STRIDE per Element: Guided analysis of threats and mitigations
3. Reporting: Security activities and testing in the verification phase
4. Marking Out of Scope: The ability to mark certain elements out of scope adds value for incremental threat analysis or when different teams are involved in Threat Modelling. Teams can choose their area of scope.

Pitfalls

1. No integration with CI/CD Pipeline.
2. Boundary Definitions did not work properly which can create more issues to look at than the actual to mitigate.
3. Usability of the available stencils as they were primarily designed for DFD’s.
4. The graphical representation does not have many customizations for presentation to different audience.

Here is my final Scoring for the Microsoft Threat Modeling tool.

My conclusion, to begin with, and gaining experience in Threat Modelling this is a good tool to use to initially capture some definite security requirements which can be added to your PBI’s and can be taken care of during the sprints.

We continue to focus and strive to build solutions for the most critical development and operations for the product and engineering teams and will continue to bring you across the next 101 on OWASP Threat Modelling Tool.