Thank you for all the interest in Threats Manager Studio (TMS)! I’ve already received a lot of comments, both from colleagues working at Company and from people employed by other Organizations. Thank you!

As I wrote in my previous post, publishing TMS has not represented the end of the work. I’m very well aware that you miss some important pieces, and that I need to provide them before you can really think about adopting TMS. This is the reason for my post: to let you know that you are going to get them very soon.

My most immediate goal is to provide you with the necessary elements to create your own Threat Models. In fact, if you have installed TMS, you may have noticed that it’s very bare: it has a lot of functions, but no knowledge base you can use out of the box to get some results fast, and guide you if you are not exactly an expert. You even have an Extension to automatically generate Threats and assign Mitigations, but no rules already defined!

I’m happy to announce that I’m working on a first template focused on a few core Azure PaaS services. You will be able to use it for your own Threat Models and as a reference on how to create your own templates. The reason why I cannot simply publish those I use for my day-to-day work is that I do not own them and I’m not authorized to share them.

With this new template on the core Azure PaaS services, you will also get a Word Template you can use to generate documentation for your Threat Models. If you are interested in adapting an existing document you use in your organization as a template for generating documentation with TMS, you can already learn how in the Learning section.

Talking about documentation and templates, this site already provides some guidance on how to consume specialized knowledge bases. What you miss is the documentation on how to create them: this is also going to be addressed very soon.

Another priority for me is to provide examples of Threat Models: the first one will be a reference architecture based on the same core Azure PaaS services covered with the first template. Other examples will be provided at a later stage.

If TMS is already a mature tool and has been successfully adopted by many, it is thanks to all the feedback received. Without it, it would simply have been yet another design tool for Threat Models. Your feedback is essential, as are your contributions. For this reason, with the publishing of the first template, I am going to open up the possibility to provide your own Templates and Examples, for the community to use. If you are interested in contributing, you can start by reading the License: it already states what your rights will be as a contributor.

From the perspective of the TMS tool, I can anticipate that the next version will be focused on bug fixing and implementation of some minor features. This will allow me to publish a new version in a couple of weeks from now. I’m already receiving some telemetry about bugs, but fortunately nothing serious so far: in any case don’t worry, they will be fixed soon.

After the upcoming version, you will get a new Extension Library: I am working on a functionality to synchronize the Roadmap with Azure DevOps. The idea is to extend it at a later stage to also support Jira and GitHub.

This is just the start! Be sure to keep an eye on threatsmanager.com to get the new goodies as they are available!

I have been a Consultant with Microsoft for 15 years or so. As such, I have gained strong competencies around Software Architectures and Methodologies with a focus on Microsoft technologies. I have been working for Microsoft in the Consultancy department since January 2000, mainly for Customers in the Financial sector. Now I am a Senior Premier Field Engineer on Security. In this role I am helping customers in adopting Microsoft Security Products, Technologies and Methodologies. Application Security has been one of my main areas of interest since even before joining Microsoft: the very reason why I was hired by Microsoft is a set of articles I wrote on Security, and specifically on Cryptography, between 1998 and 1999. I am now a member of the Microsoft InfoSecurity Force European Team. As a Microsoft Employee, I have assumed the roles of Developer, Lead Developer, Architect and Microsoft Development Technologies expert. This has allowed me to work for important Banks and Financial Institutions like Intesa SanPaolo, Deutsche Bank, Monte dei Paschi di Siena and Unicredit, and also for P.A. Organizations like INPS, the largest social security and welfare institute in Italy and one of the most important on a European level. The experience gained can be applied to many contexts, not only to Financial Businesses, because it has been mainly focused around technology and soft abilities, like interpersonal awareness and interaction with different people and different organizations. In May 2016 I assumed the role of Co-Lead of the Worldwide Microsoft Technical Community for the Security Development Lifecycle.
