The 2014 version includes new features such as improved STRIDE threat-generation logic. Threat modeling can help identify “design-level security and privacy weaknesses in systems,” wrote Trustworthy Computing’s Tim Raines. “Threat modeling is also used to help identify mitigations that can reduce the overall risk to a system and the data it processes. Once customers try threat modeling, they typically find it to be a useful addition to their approach to risk management.”Microsoft last released a free Security Development Lifecycle Threat Modeling Tool (TMT) in 2011, but has now announced the release of a new-and-improved free version for 2014. Rains highlighted new features such as a “big improvement” in threat-generation logic. Previously, TMT used STRIDE, or Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege, per element. TMT 2014 “uses STRIDE per interaction for threat generation.”For starters on this version, you no longer need Microsoft Visio to build data flow diagrams. To draw your threat model, select a tab from the Stencils pane on the right; your choices are Process, External (entities), (data) Store, (data) Flow and (trust) Boundary. After you right-click on the drawing surface, you can select options that drop circles, squares, or bendable lines into your diagram. “Messages” beneath your drawing describe any potential issues found as well as the severity of those errors and warnings.Microsoft’s Security Development Lifecycle Blog digs into the “fun stuff” and new features added to the tool. Threat generation logic is the biggest change to the latest release. According to the SDL blog, “Microsoft Threat Modeling Tool 2014 uses STRIDE categories and generates threats based on the interaction between elements. We take into consideration the type of elements used on the diagram (e.g. processes, data stores etc.) and what type of data flows connect these elements. When in Analysis View, the tool will show the suggested threats for your data flow diagram in a simple grid.” Below is an example of the described “Analysis View.” Threat definitions are another change as this version includes the ability for users to customize and “extend the included threat definitions with ones of their own.” The 2014 tool comes “with a base set of threat definitions using STRIDE categories. This set includes only suggested threat definitions and mitigations which are automatically generated to show potential security vulnerabilities for your data flow diagram,” explained SDL. But now customers “can add their own threats related to their specific domain.”Microsoft includes a “TMT Getting Started Guide” along with the free Microsoft Threat Modeling Tool 2014 download. The guide includes a walkthrough for creating new threat models, opening existing threat models, and converting threat models from previous version formats. There are detailed instructions and screenshots such as the one below explaining how to enter mitigation information for each threat identified. Go grab your copy of Microsoft Threat Modeling Tool 2014 now.Like this? Here’s more posts:Twice as many desktops still running Windows XP than Windows 8, 8.1 combinedIP address does not identify a person, judge tells copyright troll in BitTorrent caseForget physical access: Remote USB attacks can blue screen Windows serversWhen student recorded bullies with iPad, school claimed it was felony wiretappingSocial engineer tag teams to capture the flags at Def Con 22 contestRecord and rewind: Cops quietly test aerial surveillance to track crimeFake police warning leads to murder-suicide: Deaths due to ransomware?Windows 8.1. Update required for future Windows 8.1, Server 2012 R2 security patchesHow to change Windows 8.1 to local account with no Microsoft email account requiredWould you be on Project Insight kill list from ‘Captain America: The Winter Soldier’?Research: Attacks on HTML5-based apps infect smartphones, spread like a ‘worm’Researchers: Phone metadata surveillance reveals VERY personal info about callersFollow me on Twitter @PrivacyFanatic Related content news Dow Jones watchlist of high-risk businesses, people found on unsecured database A Dow Jones watchlist of 2.4 million at-risk businesses, politicians, and individuals was left unprotected on public cloud server. By Ms. Smith Feb 28, 2019 4 mins Data Breach Hacking Security news Ransomware attacks hit Florida ISP, Australian cardiology group Ransomware attacks might be on the decline, but that doesn't mean we don't have new victims. A Florida ISP and an Australian cardiology group were hit recently. By Ms. Smith Feb 27, 2019 4 mins Ransomware Security news Bare-metal cloud servers vulnerable to Cloudborne flaw Researchers warn that firmware backdoors planted on bare-metal cloud servers could later be exploited to brick a different customer’s server, to steal their data, or for ransomware attacks. By Ms. Smith Feb 26, 2019 3 mins Cloud Computing Security news Meet the man-in-the-room attack: Hackers can invisibly eavesdrop on Bigscreen VR users Flaws in Bigscreen could allow 'invisible Peeping Tom' hackers to eavesdrop on Bigscreen VR users, to discreetly deliver malware payloads, to completely control victims' computers and even to start a worm infection spreading through VR By Ms. Smith Feb 21, 2019 4 mins Hacking Vulnerabilities Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe