Microsoft to release threat-modeling tool
By Joris Evers
IDG News Service, San Francisco Bureau

LOS ANGELES - Microsoft Corp. plans to publicly release a threat modeling tool it uses internally to help software developers create more secure software, the company said Thursday.
The tool can display threats in a diagram after information such as usage scenarios and the environment in which the application will run is entered, Michael Howard, senior program manager for security engineering and communications at Microsoft, said in a presentation at the vendor's Professional Developers Conference (PDC) in Los Angeles.

The Redmond, Washington, software maker appears to be making a practice of publicly releasing tools it uses in house. The company is also releasing Prefix, which features a toolkit to analyze source text for common errors, and Prefast, an analysis tool for source text.

Yet another tool, FxCop, was distributed to PDC attendees and is available for download. FxCop was originally meant to enforce software design rules but is now used to analyze code for security problems, Microsoft officials said.

Thor Larholm, a senior researcher with security research company Pivx Solutions LLC, in Newport Beach, California, applauded Microsoft's move to share the tools it uses to develop software but said tools alone are not enough.

"The tools they are releasing sound like good starting points to get a high-level view of the threats to your application. However, in the end it all comes down to how you deal with those threats," he said. "It will be interesting to see how well Microsoft's internal security developer tools apply to the outside world."

Microsoft used the threat modeling tool itself. For example, the company's decision to ship Windows Server 2003 with a locked-down Internet Explorer Web browser was made based on threat modeling, Howard said. "We reduced the attack surface based on the threat models," he said.

"Threat modeling is so important. You cannot build secure software unless you understand your threats," Howard said.

And Microsoft's security approach for Windows Server 2003 has proved successful, Mike Nash, corporate vice president at Microsoft's Security Business Unit, said in a presentation Thursday morning. "Our goal was to cut vulnerabilities in half; we've exceeded our goal," he said.

There have been six vulnerabilities deemed "important" or "critical" for Windows Server 2003 since its release last April against 21 vulnerabilities in the same period of time after the Windows 2000 Server release, according to Nash.

The threat modeling tool is being prepared for external release and should be available to developers "soon" on Microsoft's GotDotNet online community for developers, at Howard said.