You will be encountering scenarios where a threat model was created using some version of template. Later on a security team/PM or other teams in the group may create a refined template which covers more security cases. You might want to upgrade your previous threat models to this new template so that if there are more security issues, you can identify them. The apply template feature applies a new template to an existing threat model.
1. Click on Open A Model on home page
1. Go to File -> Apply Template
Figure 23 Apply Template
Select the template which you want to apply to upgrade threat model to
Select Yes on the Confirmation Dialog box and also make a choice to delete the stale threats or keep them
Figure 24 Confirmation Dialog for Upgrade
Save upgraded Threat Model using File -> Save/Save As or Ctrl + S
Analysis of Threat Modeling Tool Output
The Analysis view allows you to analyze the threats generated for your diagram, identify which threats are not applicable, require investigation, require mitigation, or have been mitigated and verified. For models that have multiple diagrams, the threat list displayed is global and includes threat entries for all diagrams.
After a model is drawn, you will be presented with a list of threats. You’ll find the list of threats organized in a grid that shows for each threat:
Threat (STRIDE) Category
Each threat will have a Description field, which will have content for every auto-generated threat and a Justification field in which mitigation information can be entered by the user.
For newly generated threat models, the setting for auto-generation threat mode is enabled by default. For migrated threat models created with Threat Modeling Tool 3.1.8, the auto-generation threat mode is set to off. To turn it on go to Settings and select Enable Threat Generation. Each threat will have options that enable you to manage the identified threats. By default, the state of all newly generated threats is Not Started.
Default state for newly generated threat
Mitigation implemented and verified
Mark threat as needs mitigation
Mark threat as not applicable
Threats are generated using STRIDE per interaction. An interaction is defined by two elements connected by a data flow, and may include a boundary. If an element is marked Out of Scope threats will still be auto-generated for that interaction but the element itself will have visual feedback that is marked Out of Scope. You can also add a user-defined or custom threat by right-clicking on the desired data flow in the interaction and selecting Add User-defined Threat. When you do so you’ll find your custom threat at the end of the existing threat list. Threat priority is by default set to High. As applicable, it can be changed to Medium or Low.
Threat List Filter
Threat List Filters are available on selected columns. All the columns where threat filter is possible, filter icon is displayed. Clicking on this filter button will show available options for threat filtering e.g. clicking on filter button against Category button displays options as shown in below screen
Figure 25 Threat List Filter
How to File Bugs on your Threat Modeling Tool Security Issues
You may want to track the security issues found by Threat Modeling Tool in your team’s work item tracking tool (i.e. TFS or VSOnline).
To create a bug from Analysis view:
1. Select a threat to create a bug for.
1. Right-click the threat and select Copy threat(s).
Figure 26 Copying a Threat
Your threat information is copied to the clipboard in the following format:
THREAT: Spoofing of Destination Data Store Generic Data Store
DIAGRAM: Diagram 1
INTERACTION: Generic Data Flow
STATE: Not Started
DESCRIPTION: Generic Data Store may be spoofed by an attacker and this may lead to data being written to the attacker’s target instead of Generic Data Store. Consider using a standard authentication mechanism to identify the destination data store.
You can now paste the copied information in a bug tracking system of your choice.
NOTE: You can select all threats in your list to be copied to the clipboard by pressing CTRL+A then and right-clicking Copy Threat(s).
Select Copy Custom Threat Table to use the clipboard content to paste into Microsoft Excel and then bulk-import into a bug tracking system of your choice. You can do so for a single threat or all of them by selecting all entries using CTRL+A.