I just posted a blog entry on the main drivers behind CTL in TAM v3.0. You can check it out at IST blog site. http://blogs.msdn.com/securitytools/archive/2009/07/30/security-guidance-and-threat-modeling.aspx Thanks RV

I am excited to say that Threat Analysis and Modeling (TAM) 3.0 Beta is now live on download center. You can download it from here . As this is a beta build we have set up a Connect site that enable you to submit bugs and feature requests.  You will...

Last time we briefly talked about releasing TAM v3.0 this year. With each week we’re inching closer to that goal. TAM v3.0 release is focused on 3 main areas of the tool including: threat modeling methodology gathering application architecture...

Been a little quiet lately on TAM related news but head over to Channel9 to hear RV talk about what's upcoming for TAM 3.0 . -Talhah

My colleague Mark Curphey made available a chapter he wrote for a recently released security book . I had a chance to read his chapter and it’s an absolutely fantastic read with some great thoughts! It’s a must read even if you have even a passing interest...

Tax Season! I came across a scenario that I wanted to share… Scenario : You have some tax application that, let’s say, we’ll call OnlineTaxApp. You also have your online banking site where you manage your finances/investments/etc. called OnlineBankingSite...

Very excited to announce that the SDL folks have released v3.1.4 of the SDL Threat Modeling Tool , as the latest and greatest release to apply the DFDs and STRIDE per Element approach to threat modeling. It's a free download, so why not check it out?...

Continuing our work to share the tools and techniques we use internally to maintain a secure application portfolio, we today announced the release of CAT.NET CTP and the next version of Anti-XSS . Irfan (Director of ACE) posted a nice entry on the...

We're really excited that our colleagues over in the SDL team have released a beta of their threat modeling tool , as one of several SDL-related announcements . As threat modeling matures as a discipline, there's no single 'right' way to do it. Both...

Even though this blog’s focus has always been the ACE Threat Modeling tool and methodology which is aligned to our SDL-IT process we use for line-of-business application in Microsoft, there is another security team in Microsoft dedicated to SDL . And...

Great post by my friend and colleague around threat modeling in a series he's doing on application security lifecycle. http://blogs.msdn.com/akshay_aggarwal/archive/2008/06/11/application-security-development-lifecycle-5a-is-threat-modeling-right-for...

Threat Modeling is one those ‘sciences’ that is just now starting to gel into something that can be implemented in a semi-automated fashion.  With TAM /e, we have a good approach to threat modeling that is both easy on the development...

Threat Modeling is no longer the obscure magic is used to be. With the creation of tools like the Threat Analysis and Modeling tool from the ACE Team, Threat Modeling is now easier to implement, faster and more comprehensive. Threat Modeling  is...

An awesome site to check out which also includes virtual labs you can leverage for secure coding! Check it out: www.hellosecureworld.com -Talhah

One of the most frequent questions we get is that someone is using a technology that is not listed in the “Technology” drop downs and how can they customize it. Most of the dropdowns are part of the metadata system in the tool and are stored in an XML...

Raffaele Rialdi, a Microsoft Developer Security MVP, sits down with Lori Grosland at TechEd ATE in Barcelona 2007 and talks about security and the Threat Analysis & Modeling tool (with demo). http://www.virtualteched.com/pages/videossearch.aspx...

IEEE paper on the TAM tool. "Ford Motor Company is currently introducing threat modeling on strategically important IT applications and business processes. The objective is to support close collaboration between IT Security & Controls (the ITS...

There is a discussion I had recently with a few folks over email around threat modeling that I thought would be nice to share on this blog. I’ll reduce the discussion down to 3 questions/responses. Question : Where does the line between Threat Modeling...

Mark Curphey (newest member of ACE) recently did a post on a set of tools we have in our portfolio that we're starting to take out to our customers (including TAMe). Read more here . -Talhah

I've talked about threat modeling being one part of the overall information security puzzle... there are other controls and tools you need to make the process run smoothly. Our team recently released another of these tools called XSSDetect which helps...

A common challenge for folks looking at threat modeling as a control to potentially help them secure their software is setting the correct expectations. So what exactly can threat modeling do for you? In order to answer this question, I think it’s important...

Threat profile is a very interesting concept that identifies the complete set of threats in a given application context. The Threat Analysis and Modeling (TAM) tool generates a threat profile using an inclusive methodology; in other words, it uses the...

How can I get a great and secure product without killing myself? This is not just a question for how-to diet magazines; it’s a legitimate business problem. I teach the ACE Threat Modeling class (First Wednesday of every month!), and that is the question...

In the past we have been relying on the web browser to provide/restrict the user interface for interacting with applications on the Internet. As security teams slowly work to fix the usual SQL Injection, XSS, Input validation attacks there is a whole...

I recently did a TechNet webcast to talk about how Microsoft IT Manages Security Knowledge for Better Application Risk Management and in it had a chance to demo a near release build of TAM Enterprise. Check it out: http://msevents.microsoft.com/CUI...