Tools used for threat modelling:
Microsoft’s Threat Modeling Tool:
- Focus: Identifies threats based on the STRIDE threat classification scheme.
- Diagram Type: Uses Data Flow Diagram (DFD).
MyAppSecurity:
- Tool: Offers ThreatModeler.
- Approach: Utilizes the VAST threat classification scheme.
- Diagram Type: Based on Process Flow Diagram (PFD).
IriusRisk:
- Versions: Offers both community and commercial versions.
- Use: Creates and maintains live threat models throughout the software development lifecycle (SDLC).
- Integration: Connects with tools such as OWASP ZAP and BDD-Security for automation.
- Features: Customizable questionnaires and risk pattern libraries.
SecuriCAD:
- Type: Threat modeling and risk management tool.
- Method: Identifies and quantifies risks through automated attack simulations on current and future IT architectures.
- Editions: Available in both commercial and community editions.
SD Elements by Security Compass:
- Type: Software security requirements management platform.
- Capability: Includes automated threat modeling.
Modelling Attack Trees:
- Tools: Commercial tools such as SecurITree and AttackTree+, and open-source tools such as ADTool and SeaMonster.
- Purpose: Used to model attack trees, a visual representation of potential system vulnerabilities.
Tiramisu:
- Use: Follows the T-MAP approach.
- Functionality: Calculates attack paths and produces overall threats based on the total weight of attack paths.