Evaluating the effectiveness of Microsoft threat modeling tool

Today, it is widely accepted that software security best practices need to be integrated into all the stages of the software development life cycle (SDLC). This is because software applications are constantly being exposed to malicious attacks by hackers. One of the best practices for software security is threat modeling. It is essential for software security in the design stage of the SDLC and can help to reduce software design flaws significantly before the software application is implemented. The topics of threat modeling and the SDLC threat modeling tool were introduced to graduate students in a secure software engineering course. The effectiveness of Microsoft's Threat Modeling Tool was evaluated through a course assignment that included two parts: A) threat modeling using a manual process and B) threat modeling using Microsoft's 2014 threat modeling tool. This paper presents the results of the evaluation of the tool in assisting non-experts, students, in conducting an architectural risk analysis on a mock online shopping web application.

[1]  Ali E. Abdallah,et al.  Threat modeling approaches and tools for securing architectural designs of an e-banking application , 2010, 2010 Sixth International Conference on Information Assurance and Security.

[2]  Qusay H. Mahmoud,et al.  Evaluation of static analysis tools for software security , 2014, 2014 10th International Conference on Innovations in Information Technology (IIT).

[3]  FrazerKen Building secure software , 2002 .

[4]  Inger Anne Tøndel,et al.  How can the developer benefit from security modeling? , 2007, The Second International Conference on Availability, Reliability and Security (ARES'07).

[5]  Michael Howard,et al.  Building More Secure Software with Improved Development Processes , 2004, IEEE Secur. Priv..

[6]  Johannes Sametinger,et al.  Software Security , 2013, 2013 20th IEEE International Conference and Workshops on Engineering of Computer Based Systems (ECBS).

[7]  Gary McGraw,et al.  Software Security: Building Security In , 2006, 2006 17th International Symposium on Software Reliability Engineering.