Loading...

Messages

Proposals

Stuck in your homework and missing deadline? Get urgent help in $10/Page with 24 hours deadline

Get Urgent Writing Help In Your Essays, Assignments, Homeworks, Dissertation, Thesis Or Coursework & Achieve A+ Grades.

Privacy Guaranteed - 100% Plagiarism Free Writing - Free Turnitin Report - Professional And Experienced Writers - 24/7 Online Support

Get Free Quotes Post Your Requirements

Microsoft sdl threat modelling tool

18/11/2021 Client: muhammad11 Deadline: 2 Day

Microsoft Threat Modeling Tool 2016

Getting Started Guide

Microsoft Trustworthy Computing

Contents

Overview 2

Installation 2

For Previous Users of Threat Modeling Tool 2

System Requirements 2

Download Link 2

Uninstall 2

How to Run Threat Modeling Tool 3

Starting Threat Modeling Tool 2016 3

Creating a New Threat Model 3

Opening an Existing Threat Model 10

Converting Previous Threat Models to latest Format 11

Overview of Template 13

Creating a New Threat Template 13

Open an Existing Template 23

Upgrading an existing Threat Model to use New Template 25

Analysis of Threat Modeling Tool Output 27

Analysis View 27

How to File Bugs on your Threat Modeling Tool Security Issues 28

Support 30

Overview
The Microsoft Threat Modeling Tool (TMT) 2016 is designed to guide you and your product team through the threat modeling process. TMT functionality includes:

An easy drawing environment.

Automatic threat generation using the STRIDE per interaction approach.

Define your own template for threat modeling

An option for user-defined threats to be added.

Using Microsoft Threat Modeling Tool (TMT) you can graphically identify processes and data flows that comprise an application or service.

Installation
For Previous Users of Threat Modeling Tool
If you have TMT 2014, it must be un-installed before installing TMT 2016. All the models created using TMT 2014 can be opened using TMT 2016.

System Requirements
Operating System Support
The table shows the operating systems supported by Microsoft Threat Modeling Tool 2016.

Operating System

Supported

Windows 7

Yes

Windows 8

Yes

Windows 8.1

Yes

Windows 10

Yes

Table 1 Supported Operating Systems

Download Link
Microsoft Threat Modeling Tool 2016 and supporting documentation can be downloaded from http://microsoft.com/security/sdl.

Uninstall
Go to Control Panel > Programs and Features.

Right-click Microsoft Threat Modeling Tool and select Uninstall.

How to Run Threat Modeling Tool
This guide will provide basic guidance on how to create a new threat template and a new threat model. This Getting Started Guide covers:

1. Creating a new threat model

Opening an existing threat model

Converting a threat model from TMT(.tm4) format to the new TMT (.tm7) format

Creating a new threat template

Opening/Modifying an existing threat template

Upgrade threat model to new template

For more details about TMT, see Microsoft Threat Modeling Tool 2016 User Guide, available at http://microsoft.com/security/sdl.

Starting Threat Modeling Tool 2016
To start TMT, click the “Microsoft Threat Modeling Tool” desktop shortcut.

You can also start TMT from the command line. Open a command window and execute:

%programfiles(x86)%\Microsoft Threat Modeling Tool 2016\TMT7.exe

Creating a New Threat Model
This section describes the steps to create a new threat model.

1. Start TMT. From Home screen, browse a template you want to use for the threat model.

1. Click on Create a Model from home screen. This brings up the drawing surface where you will create the data flow diagram.

Figure 1 Threat Modeling Tool Drawing Surface

Drawing Your Model
Draw your data flow diagram by selecting elements from the Stencils pane. You can select processes, external entities, data stores, data flows, and trust boundaries.

1. To select an element to draw, click on the corresponding icon in the Stencils pane. You can also select an element from the Stencils pane and drag it across the drawing surface.

1. Right-click on the drawing surface to bring up a context menu that allows you to add a generic element from each Stencils category

1. To add a data flow between the two most recently selected objects, right-click the drawing surface and select Connect or Bi-Directional Connect. Alternatively, select the appropriate data flow from the Flow tab in the Stencils pane and place it on the drawing surface.

Figure 2 Sample Threat Model Showing a Data Flow

To more fully describe the data flows in your system, specify attributes for the elements in your diagram. Right-clicking an element to convert it to another element type. If necessary, convert it from a generic element to a specific type of process, data flow, data store, external element, or trust boundary. For example, a generic data flow can be converted to HTTPS. Additionally, you can edit the properties of the element directly in the Properties pane.

Figure 3 Identifying a Data Flow as HTTPS

Analyzing Threats
When you have completed your data flow diagram, switch to the Analysis view by using one of the following methods:

From the View menu, select Analysis View.

Click the Analysis View button on the toolbar.

Figure 4 Selecting Analysis View from the Toolbar

Entering Mitigation Information
For each of your threats, enter information about how to mitigate the threat:

1. Determine if the threat requires mitigation and categorize the mitigation by selecting one of the following options from the Threat Status dropdown list.

6. Not Started

6. Needs Investigation

6. Not Applicable

6. Mitigated

Figure 5 Selecting Mitigation Information

Select one of the following threat priorities from the Threat Category dropdown list.

d) High (default)

e) Medium

f) Low

Enter your mitigation information in the Justification for threat state change text box.

NOTE: Justification is required for threats in the Mitigated or Not Applicable states.

Figure 6 Enter Justification for Threat State Change

Reviewing Threats
The threat list is sortable and filterable. You can click on any column header in the threat list to sort by that column. You can click on the triangles on the column headers to filter as many columns as you like. The clear filters button at the bottom of the threat list will clear any filters. You can drag column headers to reorder them and right click column headers to hide or view them.

Figure 7 Filter the Threat List

Finish and Create a Report
After all threats have been addressed, finish your threat model:

1. If you have not done so already, enter general information about the threat model by selecting Threat Model Information from the main menu. This information includes:

a) Review participants

b) A brief description

To save the model, select File >Save As.

To create a report, select Reports >Full Report.

Figure 8 Sample Threat Modeling Report

Opening an Existing Threat Model
1. Start TMT, and from the Start screen, select the model you want under Recently Opened Models. If the model is not shown, select Open A Model and browse to the file.

1. To update the model, follow the steps described in “Creating a New Threat Model”.

Figure 9 Initial screen showing Recently Opened Models selected

Converting Previous Threat Models to latest Format
You can convert your previous versions threat models to newer format.

If previous threat model is based on TMT 2014 (.tm4)

1. Click on Open A Model on Home Page screen

1. Select your .tm4 file after expanding file type drop down on file selection dialog box

Figure 10 Select .tm4 file

TMT will automatically convert .tm4 file to .tm7 file.

Save the file from File->Save (Save As) menu items.

Note: Your converted diagram may not look exactly the same as the original diagram, but all the elements should be present and connected correctly. Automatic threat generation is disabled for converted threat models. However, you can enable automatic threat generation through the Settings menu.

Overview of Template
The Template specifies the set of elements, attributes, and threat definitions used by the Threat Modeling Tool to create threat models. Most of the time default template shipped with TMT is sufficient to analyze threats for your products however sometime depending upon your product requirements e.g. online services often also need to consider the business impact and privacy implications of the data managed by the service. In this case default template is not sufficient and new template is needed. Open template can be used to edit an existing template and new template can be used to create an altogether new template. In order to create threat models which are based on template created by you, use Browse button from home page to select required template.

Creating a New Threat Template
This section describes the steps to create a new template.

1. Start the Threat Modeling Tool and from the Home screen click Create New Template.

1. Template Information dialog box pops up. Fill Title which you need for template and also version number for your template in Title and Version fields respectively.

Figure 12 Template Information

Click Ok on Template Information dialog box. This brings up Template Editor which you can use to create Stencils, Threat Properties, Threat Categories and Threat Types. During the template creation process, if some error occurs, message for the same will appear in Message tab.

Figure 13 Template Editor

Creating a Stencil
Stencils are the basic building blocks for creating threat models. Stencils tab can be used to create two types of stencils namely Stencils and Derived Stencils. These stencils will show up in the stencil pane of threat model window while creating threat model.

1. Click the Add Stencil button at the top of the Stencils tab to create a Stencil. A new stencil gets created with a default name New Stencil. Modify the name as per your requirements.

Figure 14 Stencils Tab

Choose Image for the stencil.

Choose Image Location for Image. This location will be used to display image while creating threat model.

Assign Behavior and Shape for the stencil.

Define Width and Dash attributes of Stencil.

Define Properties and Values for each property for stencil by clicking Add Property button below the name of the stencil.

Optionally you can create Derived Stencils. Click on a Stencil and click the Add Derived Stencil button at the top of the Stencils tab.

The derived stencils inherit properties of the parent. Additionally Standard Stencils can define their own properties.

Figure 15 Standard Elements

You can reorder properties and properties values.

Creating Custom Columns
By default Threats have Description, Short Description, Justification, Interaction and Priority columns. If you click on Threat Properties tab, these rows are shown greyed out except Priority column since these cannot be modified. These properties will appear as columns in the threat list and threat properties panes in the analysis view of the threat model unless you have marked them as hidden.

Figure 16 Threat Properties

1. You can add custom threat properties by clicking on Add Property button on the Threat Properties page. The system creates a new custom threat property with the name New Threat Property.

1. You can modify the name by clicking on the Name field and modifying it. Name is compulsory and can’t be empty.

1. There are two types of threat properties. One is Text and the other is List. The Text type is used when the property takes just one value. The List type is used when the property can take any one of the multiple values present in the list.

1. The Type is by default set to Text. If you select Text then value field gets disabled. This is because the actual value will be given when the property will be used while defining a new threat type.

1. If you don’t want to show this threat property as column in Threat List in threat model, choose Is Hidden as selected.

1. When the type is set to List, the user can add property values by clicking the Add Value button. By clicking the Delete Value button, one is able to delete property values.

Defining Threat Category and Threat Types
Go to Threat Types tab to create New Threat category and New Threat type. TMT compares the stencils on the DFD in the threat modeling design view against the threat types to determine which threats to create in analysis view.

Figure 17 Threat Category

1. Click on New Category button on Threat Types tab to create new threat category

1. Click on New Threat Type button to create a Threat Type under a Threat Category

Figure 18 Threat Types

Define Title of Threat Type by clicking Title text box on the UI

Define Include and Exclude expressions for Threat Type. Expressions reference objects in the design view to determine when to create a threat in the analysis view. Grammar for expressions is as follows:

The grammar for creating the Threat Expression is given below.

::= { }

::= [.] IS | Flow crosses | [ NOT ]( )

::= Source | Target | Flow

::= [Stencil Property Name]

::= ‘Stencil Property Value’

::= [Stencil Name]

::= AND | OR

Define values for other columns for the threat like Description, Justification, Priority and any other custom column you might have defined in Custom Column screen. The values in the fields can be plain text describing information about the fields corresponding to threats. You can add presets. Presets helps in creating dynamic text for the field. E.g. if you want to define text for the Description field which contains information about the flow for the threat you can define text for the field like “Description of threat for {flow.Name}”. In the analysis view when the threat is generated, the preset expands to get name of the flow the threat applies to.

Error Reporting
The fourth tab present in the template editor is the Error Messages tab. This tab is not used for your configuration but is a notification window that indicates errors or warnings that have occurred in the system based on some user configuration. E.g. while creating a stencil there are 2 mandatory fields which need to be configured. If either of these 2 is not set by the user then an error message is logged in this window indicating to the user that there is an error.

The Error message window is a dock able window. This means that the error message window can appear as a dock able window upon double-clicking any error message in the Messages Tab will cause the tab to turn into a dock able window and attach itself to one of the 3 tabs i.e. Stencil, Threat Types or the Threat Properties.

The user can then use the arrow keys or the mouse to select the error notification from the list and look at the control which is causing the error. The control in question is highlighted using a red colored border and the parent object (Stencil, Threat Type) is highlighted using a red colored box.

The Messages window allows the tool to identify any errors, warnings or inconsistencies in the Template. In order to use the template in Threat Model creation, all the issues appearing in Message tab must be fixed.

Figure 19 Error Reporting

Save Template
1. Click on the menu button, and then click Save Page. The Save As dialog window will open.

1. In the dialog window, type in a name for the page you want to save and choose a location. In the Save as type drop-down, choose the type of file that you want to save the page as: TB7 files(*.tb7)

Figure 20 Save Template

Click Save. A copy of the page will be saved as the type you specified in the location you chose.

Open an Existing Template
You can open an existing Template to view/edit the template.

1. Click on the Open Template on Home Page. The Open dialog window will open.

Figure 21 Home Page

In the dialog window, type in a name for the template you want to open or you can select template file from given list. In the File name drop-down, choose the tb7file that you want to open the page as: TB7 files(*.tb7)

Figure 22 File Open

Click Open . A tb7 file will be opened as the type you specified in the location you chose.

To update the template, follow the steps described in “Creating a New Threat Template”.

Alternately you can double click on template file and it will open template in template editor if TMT is installed on the machine.

Upgrading an existing Threat Model to use New Template
You will be encountering scenarios where a threat model was created using some version of template. Later on a security team/PM or other teams in the group may create a refined template which covers more security cases. You might want to upgrade your previous threat models to this new template so that if there are more security issues, you can identify them. The apply template feature applies a new template to an existing threat model.

1. Click on Open A Model on home page

1. Go to File -> Apply Template

Figure 23 Apply Template

Select the template which you want to apply to upgrade threat model to

Select Yes on the Confirmation Dialog box and also make a choice to delete the stale threats or keep them

Figure 24 Confirmation Dialog for Upgrade

Save upgraded Threat Model using File -> Save/Save As or Ctrl + S

Analysis of Threat Modeling Tool Output
Analysis View
The Analysis view allows you to analyze the threats generated for your diagram, identify which threats are not applicable, require investigation, require mitigation, or have been mitigated and verified. For models that have multiple diagrams, the threat list displayed is global and includes threat entries for all diagrams.

Threat Information
After a model is drawn, you will be presented with a list of threats. You’ll find the list of threats organized in a grid that shows for each threat:

Threat Title

Threat (STRIDE) Category

Justification

Interaction

Diagram

Last modified

Threat State

Threat Priority

Each threat will have a Description field, which will have content for every auto-generated threat and a Justification field in which mitigation information can be entered by the user.

For newly generated threat models, the setting for auto-generation threat mode is enabled by default. For migrated threat models created with Threat Modeling Tool 3.1.8, the auto-generation threat mode is set to off. To turn it on go to Settings and select Enable Threat Generation. Each threat will have options that enable you to manage the identified threats. By default, the state of all newly generated threats is Not Started.

Default state for newly generated threat

Mitigation implemented and verified

Mark threat as needs mitigation

Mark threat as not applicable

Threats are generated using STRIDE per interaction. An interaction is defined by two elements connected by a data flow, and may include a boundary. If an element is marked Out of Scope threats will still be auto-generated for that interaction but the element itself will have visual feedback that is marked Out of Scope. You can also add a user-defined or custom threat by right-clicking on the desired data flow in the interaction and selecting Add User-defined Threat. When you do so you’ll find your custom threat at the end of the existing threat list. Threat priority is by default set to High. As applicable, it can be changed to Medium or Low.

Threat List Filter
Threat List Filters are available on selected columns. All the columns where threat filter is possible, filter icon is displayed. Clicking on this filter button will show available options for threat filtering e.g. clicking on filter button against Category button displays options as shown in below screen

Figure 25 Threat List Filter

How to File Bugs on your Threat Modeling Tool Security Issues
You may want to track the security issues found by Threat Modeling Tool in your team’s work item tracking tool (i.e. TFS or VSOnline).

To create a bug from Analysis view:

1. Select a threat to create a bug for.

1. Right-click the threat and select Copy threat(s).

Figure 26 Copying a Threat

Your threat information is copied to the clipboard in the following format:

THREAT: Spoofing of Destination Data Store Generic Data Store

CATEGORY: Spoofing

DIAGRAM: Diagram 1

INTERACTION: Generic Data Flow

PRIORITY: High

STATE: Not Started

DESCRIPTION: Generic Data Store may be spoofed by an attacker and this may lead to data being written to the attacker's target instead of Generic Data Store. Consider using a standard authentication mechanism to identify the destination data store.

JUSTIFICATION:

You can now paste the copied information in a bug tracking system of your choice.

NOTE: You can select all threats in your list to be copied to the clipboard by pressing CTRL+A then and right-clicking Copy Threat(s).

Select Copy Custom Threat Table to use the clipboard content to paste into Microsoft Excel and then bulk-import into a bug tracking system of your choice. You can do so for a single threat or all of them by selecting all entries using CTRL+A.

Figure 27 Edit Custom Threat Table Format

Support
For support, please visit the following links:

Microsoft Security Development Lifecycle

Microsoft Trustworthy Computing Blog

MSDN Forums for SDL

Copyright © 2015 Microsoft Corporation. All rights reserved. This document is provided "as-is." Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it.

Some examples are for illustration only and are fictitious. No real association is intended or inferred.

This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.

Trustworthy Computing | Microsoft Threat Modeling Tool 2016 Getting Started Guide

22

Homework is Completed By:

Writer Writer Name Amount Client Comments & Rating
Instant Homework Helper

ONLINE

Instant Homework Helper

$36

She helped me in last minute in a very reasonable price. She is a lifesaver, I got A+ grade in my homework, I will surely hire her again for my next assignments, Thumbs Up!
Answer.docx Turnitin Report.pdf Contact Writer For Solution Contact Writer For Solution

Order & Get This Solution Within 3 Hours in $25/Page

Custom Original Solution And Get A+ Grades

  • 100% Plagiarism Free
  • Proper APA/MLA/Harvard Referencing
  • Delivery in 3 Hours After Placing Order
  • Free Turnitin Report
  • Unlimited Revisions
  • Privacy Guaranteed
Order Now

Order & Get This Solution Within 6 Hours in $20/Page

Custom Original Solution And Get A+ Grades

  • 100% Plagiarism Free
  • Proper APA/MLA/Harvard Referencing
  • Delivery in 6 Hours After Placing Order
  • Free Turnitin Report
  • Unlimited Revisions
  • Privacy Guaranteed
Order Now

Order & Get This Solution Within 12 Hours in $15/Page

Custom Original Solution And Get A+ Grades

  • 100% Plagiarism Free
  • Proper APA/MLA/Harvard Referencing
  • Delivery in 12 Hours After Placing Order
  • Free Turnitin Report
  • Unlimited Revisions
  • Privacy Guaranteed
Order Now

6 writers have sent their proposals to do this homework:

Math Guru
Accounting & Finance Specialist
ECFX Market
Isabella K.
Chartered Accountant
Homework Tutor
Writer Writer Name Offer Chat
Math Guru

ONLINE

Math Guru

As per my knowledge I can assist you in writing a perfect Planning, Marketing Research, Business Pitches, Business Proposals, Business Feasibility Reports and Content within your given deadline and budget.

 $19 Chat With Writer
Accounting & Finance Specialist

ONLINE

Accounting & Finance Specialist

I am an academic and research writer with having an MBA degree in business and finance. I have written many business reports on several topics and am well aware of all academic referencing styles.

 $32 Chat With Writer
ECFX Market

ONLINE

ECFX Market

I will provide you with the well organized and well research papers from different primary and secondary sources will write the content that will support your points.

 $50 Chat With Writer
Isabella K.

ONLINE

Isabella K.

I have worked on wide variety of research papers including; Analytical research paper, Argumentative research paper, Interpretative research, experimental research etc.

 $20 Chat With Writer
Chartered Accountant

ONLINE

Chartered Accountant

After reading your project details, I feel myself as the best option for you to fulfill this project with 100 percent perfection.

 $46 Chat With Writer
Homework Tutor

ONLINE

Homework Tutor

I have read your project description carefully and you will get plagiarism free writing according to your requirements. Thank You

 $27 Chat With Writer

Let our expert academic writers to help you in achieving a+ grades in your homework, assignment, quiz or exam.

Post your homework

Similar Homework Questions

What is random assignment in psychology - Salesmanship - Admission essay - Nsw swimming pools register - Bedford council tax number - Need help with English Comp. II - Part 2: BRD - Nhsp online application form - Due 10/19 @ 11:30 PM (EST) No more than 2100 words (APA format) - Which of these statements about corporate bonds is correct - Dream chocolate company choosing a costing system answers - Quantitect reverse transcription kit - Please read question in comment section 500 words. - Crystal director isagenix income - Center of pressure of semi circular plate - Middle range theory for nursing third edition pdf - Suppose an investment of 8200 - Washington state university chemical engineering - Zhang ailing sealed off text - Open university teaching assistant - The ways we lie multiple choice answer key - Food culture - Dream it build it drive it - Royal green jackets museum - East huntspill primary school - Shield of achilles analysis - Reflection2 - Rachel mcdowall street dance - Water potential of potato - Xxio non conforming drivers - Nursing care hours per patient day calculator - What physical property most distinguishes biotite mica from muscovite mica - Strategic management multiple choice questions and answers - Harvey norman whyalla phone - How do lithosphere and biosphere interact - Early Childhood Education Essay specifically for kindergarten - Designing team and team identity articles - Serial position effect experiment independent variable - Mexican movies by sandra cisneros - Titration for acetic acid in vinegar lab - The relationship between project management and overall performance of a company. - Pick one of the following terms for your research: Whistle-blowing, motivation, decentralization, group norms, or needs. - Ebay inc 2009 case study - Play comparative and superlative - Selling Quillbot premium account - Chase meadow health centre - Geoboard area and perimeter worksheets - Creating and leading effective teams - Financial markets and institutions 9th edition test bank - What is the drill press used for - Capella university accounting - Concept analysis nursing examples - What is an example of a physical contaminant servsafe - Potentiometer measurement of resistance experiment - Personal and professional goals in nursing - Simple pendulum lab report discussion - Business statistics cheat sheet - Bullet ant glove rite of passage - C grade film meaning - Tools for supporting the aaa framework - How would you describe the organizational culture of your workplace - Physics aqa data sheet - Chinese loan words in english - George and jones understanding and managing organizational behavior - Tax Review Project - Corresponding alternate interior alternate exterior or consecutive interior - What type of seizure was this child probably experiencing - Psychology - Post audit process in capital budgeting - Woodcut of patriot woman - Homework assignment - International human resource management a multinational company perspective - General survey nursing example - Sylvestrian centre holiday club - We are the reason avalon accompaniment track - Describe a memento which has an impact on your life - Integral of a step function - Triumph of the nerds part 1 summary - The impact of covid on cancer patients - Mad catz strike te switches - Are all irrational numbers surds - Cgs unit of light - After finding an album cover to analyze, find a review of the album from a credible music publication or website. Start your search for a review on https://pitchfork.com/ - Primate observation assignment - Irac method case brief - Stem cells bbc bitesize - Presented below is a list of accounts in alphabetical order - Certificate 3 engineering fabrication - Hummel winters insurance milan in - How does jean watson's theory influence current practice - Friends of kings park native plant sale - Registered nurse rn preload and afterload - Ib tok essay questions - Welches fencing lostock hall - Rams mortgage corporation limited - Star wars ccg players committee - Hyundai imax luggage space - How does listing effect the reader - Distributed database management system book pdf - Assignment: The Nurse Leader as Knowledge Worker

100% Secure Payment!

With secure payments and hundereds of professional tutors to choose from, TutorsOnSpot.Com is the simplest and safest way to get help from verified tutors.

Disclaimer: Tutors are not employees or representatives of TutorsOnSpot.Com

TutorsOnSpot.com

Online Tutoring Since 2013

Worlds No. 1 Online Tutoring Platform

Join The Community Already Trusted By Thousands Of Students Like You

ABOUT:

About TutorsOnSpot

Help & Support

ABOUT TUTORS:

Become A Tutor