The Microsoft Threat Analysis & Modeling tool (TAME, 'cause I put an “Enterprise” on the end) lets non-security subject matter experts enter information they already know, including business requirements and application architecture, which is then used to produce a feature-rich threat model. Along with automatically identifying threats, the tool can produce valuable security artifacts such as:

  • Data access control matrix
  • Component access control matrix
  • Subject-object matrix
  • Data Flow
  • Call Flow
  • Trust Flow
  • Attack Surface
  • Focused reports

Think of it as a BPA for security in your org. Or, think of it as a blind-spot detector – are you sure that you have considered all attacks and risks?

I mentioned it was free-as-in-beer, right? Did I mention that it is based on the fine work of Microsoft IT?

You can download an intro video: What is Microsoft Application Threat Modeling

Microsoft Threat Analysis & Modeling v2.1.2 : http://www.microsoft.com/downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451