Tuesday, June 29, 2004

Per fes:

We've posted an updated Threat Modeling Tool at MSDN that addresses a few bugs. 

Thanks to BobB for his assistance.  Basically, this addresses several unhandled exceptions that resulted in the tool crashing at some rather inconvenient times.  (Okay, not that there are convenient times for a tool to crash.)

Some notes on the tool:

  • We released it mostly because it is a useful way of organizing the data collected during threat modeling.  Since it is not formally supported externally, I (and a few other contributors) fix bugs and add features also informally.  So I'm hoping not to get a barrage of bug reports, but I will do my best to find time to address serious issues.
  • Note that it works best (DFD-wise) if you have Visio 11 installed.  Visio 11 has a drawing control that you can embed in other applications (which is exactly what the TM tool does).  This is a much easier way of integrating DFDs into the threat model.
  • If you want to print from the tool, the best way to do it is to use the Preview button.  This applies the default XSLT (configurable in Tools->Config) to the threat model and displays it in an IE control.  You can right-click in this control and select print to print directly.
  • The threat model document, if you haven't taken a look, is XML.  (Visio diagrams are stored in BASE64 blobs, though, and not in their XML format.)  So, you can customize the report format if you like playing with XSLTs.  The XSLTs that come with it are fairly basic, but show some ways of presenting the document.
  • The sample document for the tool is in the tool's install directory, and is for “Fabrikam Phone 1.0.”  This is basically the same as one of the samples in the threat modeling book (  Note that the DFDs are in Visio, so you won't see them if you don't have it installed.  The sample is intended to show threat modeling concepts without being specific to any software type or technology.

Not sure, but I think the above post is from Frank Swiderski, who happens to be the primary creator of the tool and the author of the Threat Modeling book. If it is him, his blog can be found @