I’ve been using Microsoft’s Threat Analysis and Modeling (TAM) tool for about a year now, and I’ve gotten to really love how much easier and user-friendly this tool is than anything else I’ve found so far on the ‘net. I’ve tried to find anything that was as comprehensive, easy for beginners, flexible and extensible as TAM is (let alone free), and there’s nothing else that even comes close. Anytime I’m asked now to do any Threat Modeling for a product or technology, the only tool I would seriously consider is TAM.
That said, the more I work with it, the more I find there are enhancements I’d like to make, or things I’d like to better understand:
- What are the key steps that I should never skip?
- What tools are useful for generating additional XSLT Report templates?
- How does TAM merge overlapping content when importing Attack Libraries?
- What extensibility classes are available for .NET-friendly developers to add to this tool?
- What’s a reasonable number of Components or Attacks to include in any one threat model?
I’ve worked with the TAM team at Microsoft to get some ideas on this, but they’re pretty much working flat-out on the Security Assessments for which they built this tool in the first place. I’ve scoured their old blog entries (here, here and here) to glean tidbits, but I’d really like to work with more folks who are also using this – share what I’ve learned and get their input and ideas as well.
I’d hoped that Microsoft would have a Community forum for this great tool, but since they don’t, I’ve taken the bull by the horns and created one myself. You can find it here on the Google Groups site. Yes, Google. Horrors!
I’ve tried to use MSN Spaces in the past as a collaboration workspace, but I’ve found Google Groups and Yahoo Groups are both better platforms for this sort of thing. They give you more control, with less futzing around trying to make things “look right”, and they’re investing significant effort into these platforms. Frankly, I’m a lazy guy at heart, and it was really freakin’ easy to set up the Google Group. Sue me.
Call to Action: if you’re using Microsoft’s TAM tool already, or you know someone who’s responsible for things like “Secure Coding”, “Risk Assessments” or “Threat Modeling”, I’d encourage them to check out the Group, post some sample Files, start some Discussions or even just lurk for good ideas!