At work we are busy implementing the SDL (Security Development Lifecycle) in our development process, so we are thinking about how much detail we want to model and how we want to document our models. Following Microsoft's tooling, we are testing two tools, the SDL Threat Modeling Tool and the Threat Analysis & Modeling Tool (TAM). We have yet to decide which one suits our needs.
SDL Threat Modeling Tool
This tool is an official release from Microsoft. Unfortunately it crashes quite easily. Besides that, it needs Visio, and the version we tested only works with Visio 2007.
This tool lets you create a high-level overview of your application architecture as data flow diagrams (DFDs). By defining the data flows between the components of the application and marking the trust boundaries in the application landscape, the tool helps you find the spots where security attention is needed: the flows that cross a trust boundary. Using the STRIDE method (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) it helps you define threats for every element in the diagram and possible countermeasures.
The SDL Threat Modeling Tool lacks two things. First, sometimes there is a need to go into more detail, for example defining the technology used to build a component and the threats specific to that technology; since the tool does not know the technology, the quality of the resulting report depends heavily on the knowledge of the person who creates the model. Second, the tool offers no way to prioritize threats. Not every threat is equally likely (because of other factors) and not every threat has the same impact on the business. Threats with a higher priority demand more attention, while low-priority threats can be consciously accepted and left unmitigated, saving money or leaving user-friendliness intact.
Threat Analysis & Modeling Tool
This tool takes another approach. Starting from the use cases, and defining roles and types of data, it adds great detail (down to CRUD operations) to the application overview. Unlike the SDL Threat Modeling Tool, the Threat Analysis & Modeling Tool allows you to prioritize threats and to define the technology used in your application. The images generated by the tool are a bit fancier through the use of colored icons.
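To make concrete what the two tools do in the sections above (STRIDE-per-element over a DFD with trust boundaries for the SDL Threat Modeling Tool, and prioritizing threats by likelihood and business impact for TAM), here is an added example in Python. It is not the output or the code of either Microsoft tool. The sample DFD (a browser, a web application and a database in three trust zones), the technologies on the flows, the 1-3 impact scale and the likelihood heuristic (3 if a flow crosses a trust boundary or an element receives such a flow, else 1) are all constructed for illustration.

```python
"""Added example (not from either Microsoft tool): STRIDE-per-element threat
enumeration over a small data flow diagram, then a likelihood x impact ranking
so the resulting list can be prioritized. Names, zones, technologies and the
scoring scheme are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

# STRIDE-per-element: which threat categories apply to each DFD element type.
# External entities can be spoofed or repudiate; processes get all six;
# stores can be tampered with, repudiate (logs), leak or be exhausted;
# data flows can be tampered with, sniffed or interrupted.
STRIDE_PER_ELEMENT = {
    "external": "SR",
    "process": "STRIDE",
    "store": "TRID",
    "flow": "TID",
}
CATEGORY = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str    # "external", "process" or "store"
    zone: str    # trust zone; a flow between two zones crosses a trust boundary
    impact: int  # business impact of compromise, 1 (low) to 3 (high); assumed scale


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    technology: str  # protocol/technology on the wire (what TAM lets you record)


@dataclass(frozen=True)
class Threat:
    target: str       # element name, or "src -> dst" for a flow
    category: str     # one letter of STRIDE
    likelihood: int   # 1 or 3, assumed heuristic (see enumerate_threats)
    impact: int
    technology: Optional[str] = None

    @property
    def priority(self) -> int:
        return self.likelihood * self.impact


def enumerate_threats(elements, flows):
    """Apply STRIDE-per-element to every element and flow. Likelihood is an
    assumed heuristic: 3 if a flow crosses a trust boundary, or if an element
    receives such a flow (it is reachable from a less trusted zone), else 1."""
    by_name = {e.name: e for e in elements}
    crosses = {f: by_name[f.src].zone != by_name[f.dst].zone for f in flows}
    exposed = {f.dst for f, x in crosses.items() if x}
    threats = []
    for e in elements:
        for c in STRIDE_PER_ELEMENT[e.kind]:
            threats.append(Threat(e.name, c, 3 if e.name in exposed else 1, e.impact))
    for f in flows:
        impact = max(by_name[f.src].impact, by_name[f.dst].impact)
        for c in STRIDE_PER_ELEMENT["flow"]:
            threats.append(Threat(f"{f.src} -> {f.dst}", c,
                                  3 if crosses[f] else 1, impact, f.technology))
    return threats


def prioritize(threats, mitigated=frozenset()):
    """Drop threats already covered by a countermeasure and sort the rest by
    priority (likelihood x impact), highest first."""
    open_threats = [t for t in threats if (t.target, t.category) not in mitigated]
    return sorted(open_threats, key=lambda t: (-t.priority, t.target, t.category))


# Constructed sample DFD: an internet-facing web shop in three trust zones.
ELEMENTS = [
    Element("Browser", "external", "internet", impact=1),
    Element("WebApp", "process", "dmz", impact=2),
    Element("OrdersDB", "store", "internal", impact=3),
]
FLOWS = [
    Flow("Browser", "WebApp", "HTTPS"),
    Flow("WebApp", "OrdersDB", "SQL over TDS"),
]
# Countermeasures already in place, as (target, category); assumed for the example.
MITIGATED = frozenset({("Browser -> WebApp", "T"), ("Browser -> WebApp", "I")})

if __name__ == "__main__":
    for t in prioritize(enumerate_threats(ELEMENTS, FLOWS), MITIGATED):
        tech = f" [{t.technology}]" if t.technology else ""
        print(f"P{t.priority} {t.target:<20} {CATEGORY[t.category]}{tech}")
```

Running it lists the 16 open threats of this diagram with the database and the flow into it at the top (priority 9) and the browser-side threats at the bottom (priority 1). The point is the shape of the process rather than the numbers: the enumeration is mechanical and will always produce the full STRIDE list (the TAM complaint about too many generated threats), and what makes it usable is the second step, where the team records which threats are already countered and which ones are unlikely or cheap to accept.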
The downside of this tool is that the generated images are not easily adaptable and, with a bit more complexity in your application, tend to get confusing. Besides this, the automatic generation of threats gives you a lot of threats, most of which you will not use. The level of detail is sometimes a bit too much.
This leaves me with a tough conclusion. Both tools have useful upsides but quite annoying downsides. The only preliminary conclusion I can draw is that both tools guide you a little and help you with the steps you need to take. Use both: one for the high-level overview and the other to give your countermeasures a little more detail. This way you will be able to write the security report your project needs.