Steve C. Orr

Software Engineer, Web Developer, Database Designer

Threat Analysis

Learn how to secure your applications against hacker attacks with Microsoft's freely downloadable Threat Analysis and Modeling tool.

By Steve C. Orr

Even a single security hole in an otherwise bullet-proof application can potentially wreak embarrassing and costly chaos in the hands of the wrong person. To create a completely secure application, every member of every object in the application must be carefully analyzed to determine every conceivable way each member could be invoked. Doing a thorough job of this requires analysis of many other application details such as the data, user roles, technology choices, use cases, and external dependencies. This analysis should be done in the design phase for optimal efficiency, because security threats found and dealt with in the design phase are far easier and cheaper to fix. Additionally, all these details must be thoroughly reviewed every time any design detail changes. For all but the simplest of applications, manually mapping out the seemingly infinite combinations of all the above details for every member in an application is a daunting task indeed. That's why this time-consuming, error-prone, and potentially budget-busting task is rarely done properly in the real world. If only there were a way to simplify this chore...

The Threat Analysis and Modeling Tool

Microsoft's freely downloadable Threat Analysis and Modeling Tool aims to simplify the process of identifying potential security holes in your applications before hackers do. You can enter a pre-existing application's design details into the tool to see what sort of security issues may have slipped into it, but this tool really shines when used in the design phase of new applications. In fact, the Threat Analysis and Modeling Tool (shown in Figure 1) is robust enough that you may consider using it as your primary design tool for all new applications.


Figure 1: Microsoft's free Threat Analysis and Modeling Tool can help you identify security holes in your applications.

To use the Threat Analysis and Modeling Tool you must first describe the application you're modeling. Details must be provided about its data, components, user roles, and external dependencies. Business objectives and use cases are also necessities. If you're not experienced with use cases, you may wish to take advantage of the Generate Use Cases menu option (under the Tools dropdown menu) to automatically create some useful boilerplate use cases that are based on your application's design.

The treeview in the left pane of the Threat Analysis and Modeling Tool has nodes for every category of relevant data about your application's design. Getting started is as easy as clicking on some of the treeview nodes and entering the related data. The more thorough you are about your data entry, the more secure your application will be in the end.

Since exceptionally large applications can be cumbersome to design within a single threat model document, they are often broken down into several smaller threat model documents, each describing distinct parts of the application. In this situation, each of the project's threat model documents should reference each other by listing the other components as external dependencies.

The bottom node of the treeview (Attack Library) lists virtually every known hacker attack as well as best-practice defenses against each of them. Unlike the rest of the nodes in the treeview, this one does not apply directly to your application. Instead, this is a list of all known attacks whether they apply to your application or not. Browsing this list is a great way to learn about common hacker exploits and how to write code that is immune to them.

Identifying Threats

Once your application's design details have been entered into the tool, there are a variety of analytical options available to visualize your application from different perspectives and identify the threats specific to it. For example, the Data Access Control Matrix window (available from the Analytics dropdown menu) points out aspects of your application's design that haven't been fully thought out and/or documented yet. This is useful to ensure you don't accidentally leave design holes through which bugs or hackers may creep.


Figure 2: The built-in Data Access Control Matrix alerts you about possible holes in your application's design.
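
The kind of gap check an access control matrix makes possible can be sketched in a few lines. This is an added example, not code from the tool or from the article; the roles, data types, use cases, and function names are hypothetical, and the logic is an assumption about what such a check looks like, not the tool's own algorithm.

```python
from itertools import product

ACTIONS = ("C", "R", "U", "D")  # create, read, update, delete

# Constructed sample design; every name here is hypothetical.
ROLES = ["Anonymous", "Customer", "Admin"]
DATA = ["Order", "CreditCard"]

# Recorded design decisions: (role, data) -> {action: True (allow) / False (deny)}.
# An action missing from the inner dict means nobody has decided yet.
MATRIX = {
    ("Anonymous", "Order"): {"C": False, "R": False, "U": False, "D": False},
    ("Customer", "Order"): {"C": True, "R": True, "U": True, "D": False},
    ("Customer", "CreditCard"): {"C": True, "R": True},
    ("Admin", "Order"): {"C": False, "R": True, "U": True, "D": True},
    ("Admin", "CreditCard"): {"C": False, "R": False, "U": False, "D": False},
}

# Use cases as (name, role, action, data).
USE_CASES = [
    ("Place order", "Customer", "C", "Order"),
    ("Cancel order", "Customer", "D", "Order"),
    ("Save card", "Customer", "C", "CreditCard"),
    ("Remove card", "Customer", "D", "CreditCard"),
]

def undecided_cells(roles, data, matrix):
    """Every (role, data, action) cell with no recorded allow/deny decision."""
    return [(r, d, a) for r, d, a in product(roles, data, ACTIONS)
            if a not in matrix.get((r, d), {})]

def unsupported_use_cases(use_cases, matrix):
    """Use cases whose action the matrix denies or has not decided."""
    findings = []
    for name, role, action, data in use_cases:
        decision = matrix.get((role, data), {}).get(action)
        if decision is not True:
            findings.append((name, "denied" if decision is False else "undecided"))
    return findings

if __name__ == "__main__":
    for cell in undecided_cells(ROLES, DATA, MATRIX):
        print("undecided:", *cell)
    for name, why in unsupported_use_cases(USE_CASES, MATRIX):
        print("use case conflict:", name, "->", why)
```

Undecided cells are the design holes to close first: an access rule nobody wrote down tends to become whatever the implementation happens to allow.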

Additionally, the Threat Analysis and Modeling Tool provides many impressive reports and diagrams that document your application's design. These can be exported to Visio as well as other file formats. You don't have to tell your boss they were automatically generated.

The Generate Threats menu option (available from the Tools dropdown menu) will list every security vulnerability found in your application. It will tell you exactly where in your design each threat exists. It also provides a variety of best-practice suggestions for dealing with each one. Similarly, the Threat Tree diagram shown in Figure 3 (available from the Visualizations dropdown menu) identifies potential threats in a more graphical way.


Figure 3: Nearly every possible security threat to your application is identified in a variety of graphical and tabular ways.

You're Not Alone

Considering all the complex and impressive features the Threat Analysis and Modeling Tool provides, it is surprisingly easy to use. For a jumpstart, you may wish to watch some of the many helpful tutorial videos that are available from the Application Threat Modeling web site. You may also wish to pay a visit to the threat modeling team's blog to stay up-to-date on the latest info. You can rely on this tool's longevity since Microsoft is increasingly using it to secure all the applications they write. Any new exploits discovered in future technologies will be integrated into this tool.

Conclusion

Microsoft's free Threat Analysis and Modeling Tool finally makes it feasible for developers to do a detailed security analysis of all their applications. Without such a tool, it's virtually impossible to be sure you've built a secure application.

With this tool at your disposal you no longer have an excuse for writing insecure applications.
