This article in our series focused on Microsoft’s free security tools is on the Security Development Lifecycle (SDL) Threat Modeling Tool.

For a quick backgrounder on threat modeling, let me recommend an article that my colleague, Michael Howard, recently published on threat modeling.  Michael describes threat modeling like this:

One of the most valuable and important SDL practices is threat modeling which is a systematic way to find design-level security and privacy weaknesses in a system. It also helps guide a designer or architect to determine the correct mitigation(s) to use to reduce the overall risk to a system and the data.

Threat modeling applies equally well to both development projects and design/implementation projects for existing software products. 

Threat modeling can help organizations minimize the potential cost and need to rework code while in development or in post-production support.  To help make threat modeling a little easier, Microsoft offers a free SDL Threat Modeling Tool that enables non-security subject matter experts to create and analyze threat models by:

  • Communicating about the security design of their systems
  • Analyzing those design for potential security issues using a proven methodology
  • Suggesting and managing mitigations for security issues

This tool builds on activities that all software developers and architects are familiar with–such as drawing pictures for their software architecture.  The SDL Threat Modeling Tool contains four main screens that walk users through the threat modeling process: 

Step 1 “Draw Diagram” – This screen is used to draw a data flow diagram of the software

Step 2 “Analyze Model” – The center for analysis of the model, where users use Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege (STRIDE) to find each threat and figure out how to mitigate it

Step 3 “Describe Environment” – Allows a user to track project information, such as dependencies

Step 4 “Generate Reports” – Brings out all the data that has been entered in a variety of useful forms

For a live demonstration of the tool, check out this short video:


Whether you and your organization use the SDL or not, this tool will still be useful to you because the concept of understanding threats to a networked system is critically important.

Threat modeling is not a one-time only process. It needs to be an iterative process that starts during the early phases of the development of your application and continues throughout the application lifecycle. There are two reasons for this. First, it is nearly impossible to identify all of the possible threats to your software in a single pass. Second, because applications are rarely static and need to be enhanced and adapted to suit changing business requirements, the threat modeling process should be repeated as your applications evolve.

If you are interested in learning more about threat modeling and the SDL Threat modeling Tool, I encourage you to check out these resources:

Tim Rains
Director, Trustworthy Computing