Recently, several requests have been made by members of the security community asking that MyAppSecurity provide a comparison between our product offering, ThreatModeler, the industry’s first automated, collaborative, scalable, and repeatable threat modeling solution, and Microsoft’s TMT, Microsoft threat modeling tool, which was released in April of 2014. Even though the methodologies and functional designs of each solution differ radically, we nonetheless decided to provide a comparison matrix to highlight the many disparities.
For reference, Microsoft threat modeling tool, Microsoft TMT is a replacement for its predecessor, Microsoft SDL (Secure Development Lifecycle), which was made available in August of 2011. For several years prior to the introduction of ThreatModeler, Microsoft’s public domain products were the most widely used threat modeling tools. Users of Microsoft TMT or SDL are required to create threat models using Data Flow Diagrams (DFDs) in order to represent applications and to perform threat modeling and as such, are limited to this approach.
According to PwC’s Global State of Information Security Survey 2014 executives are generally increasing security budgets to fund enhanced security activities and as a result, have substantially improved technology safeguards, processes, and strategies. But, even as budgets are increasing and confidence seems to be climbing, automated and freely available exploit tools are also on the rise, making what were previously considered complex attacks relatively simple.
This ongoing maturation of the marketplace helps explain why the practice of threat modeling is rapidly gaining momentum and why developing secure applications from the ground up is now being viewed as a “have to have” versus a “nice-to-have.” Integrating security into the SDLC not only reduces the time and costs linked to fixing production vulnerabilities, but also minimizes application risk exposure enterprise-wide.
In short, the comparison that follows is intended to provide security professionals with an objective analysis between Microsoft TMT Microsoft threat modeling tool and ThreatModeler.
Assessment Criteria – Microsoft threat modeling tool vs Threatmodeler
To compare the tools, the criteria used were functionality, collaboration, reporting, and other features of both products. We not only performed our own comparison, but we also had an independent source provide us with their findings, which have been incorporated below.
List of Criteria used to Compare MS-TMT with ThreatModeler:
|Component Based Design||Ability to build a threat model based on the components (web services, database services, ports and protocols, etc.)|
|Ability to automatically generate reports that identify threats and their current status.|
|Built-in Threat Library||Pre-developed repository of common threats based on industry standards and best security practices.|
|Customizable Threat Library||Ability to add industry or organization-specific threats into the threat library.|
|Threat Management Dashboard||Dashboard that provides an at-a-glance current status of identified threats.|
|Customizable Data Elements, Widgets, Protocols, etc.||Ability to customize components according to enterprise application architecture.|
|Threat Library Updates||The frequency for updating threat libraries update with the latest threat data.|
|Web-based, Accessible by Browser||Ability for users to access the tool.|
|Enterprise Level Scalability||Ability to build and maintain 100s or even 1000s of enterprise-wide applications that reside on different infrastructure stacks.|
|Real-time Collaboration||Ability for multiple stakeholders to access the tool and make changes at the same time, and in real time.|
|Role Based Access Control for Different Stakeholders||Ability to assign access and permissions based on assigned roles and responsibilities.|
|Integration Add-ons and APIs||Ability to provide bi-directional integration with other tools, technologies, and applications.|
|Actionable Output||Ability to provide specific guidelines for different stakeholders.|
|Re-usability and Repeatability||Ability to embed or reuse application threat model components for similar or related threat models, as well as the ability to
interrelate individual threat models with an overarching threat model.
|Organization-wide Security Policy Enforcement||Ability to use a centralized library to link threats to application components enterprise-wide and to be able to apply new threats to
all existing threat models automatically.
|Mapping Threats to Security Controls||Ability to define specific security controls and automatically correlates them with specific threats.|
|Secure Coding Guidelines||Ability to provide developers with the most relevant secure coding mitigation steps for each threat model component.|
|Network Component Hardening Guidelines||Ability to automatically provide hardening guidelines to secure different network components.|
|Threat Comparison and Trend Analysis||Ability to view trends across multiple releases of the same application or compare trends across multiple applications.|
|Technical Support||Product support for operational or functional assistance.|
|Time/Resources Needed to Build a Threat Model||Average time for one person to build a threat model for a mid-sized application.|
|Platform Independence||Ability for users to access the tool across all platforms.|
MS – TMT
|Component Based Design||Yes||Yes|
|Built-in Threat Library||Yes||Yes|
|Customizable Threat Library||Yes||Yes|
|Threat Management Dashboard||Yes||Yes|
|Customizable Data Elements, Widgets, Protocols, etc.||Limited||Yes|
|Threat Library Updates||Limited||Quarterly|
|Web-based, Accessible by Browser||No||Yes|
|Enterprise Level Scalability||No||Yes|
|Role Based Access Control for Different Stakeholders||No||Yes|
|Integration Add-ons and APIs||No||Yes|
|Re-usability and Repeatability||No||Yes|
|Organization-wide Security Policy Enforcement||No||Yes|
|Mapping Threats to Security Controls||No||Yes|
|Secure Coding Guidelines||No||Yes|
|Network Component Hardening Guidelines||No||Yes|
|Threat Comparison and Trend Analysis||No||Yes|
|Time/Resources Needed to Build a Threat Model*||100 – 120 hours||16 – 24 hours|
|Platform Independence||No (Windows-based)||Yes (Web-based)|