The Microsoft Threat Analysis & Modeling (TAME, 'cause I put an “Enterprise” on the end) tool allows non-security subject matter experts to enter already-known information, including business requirements and application architecture, which is then used to produce a feature-rich threat model. Along with automatically identifying threats, the tool can produce valuable security artifacts such as:
- Data access control matrix
- Component access control matrix
- Subject-object matrix
- Data Flow
- Call Flow
- Trust Flow
- Attack Surface
- Focused reports
Think of it as a BPA for security in your org. Or, think of it as a blind-spot detector – are you sure that you have considered all attacks and risks?
I mentioned it was free-as-in-beer, right? Did I mention that it is based on the fine work of Microsoft IT?
You can download an intro video: What is Microsoft Application Threat Modeling
Microsoft Threat Analysis & Modeling v2.1.2: http://www.microsoft.com/downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451