In one of the previous posts to the Threats Manager site, Next Steps, I announced an initiative to add various crucial parts that were still missing from the site:

  • Templates you can use.
  • Examples of Threat Models.
  • Word Templates you can use to generate your own reports.
  • Guidance on how to create your own Templates.

I am happy to announce that this material is now starting to become available.

You can find a first template in Templates, dedicated to a few Azure DevOps Core services:

  • API Management
  • Application Gateway
  • Azure Function
  • Web APIs
  • Web Application
  • Azure Key Vault
  • Azure SQL
  • Azure Storage
  • Cosmos DB

That’s not much, but it already provides a good example of what a Template looks like. In fact, it is accompanied by three very characteristic files. First of all, there is the Threat Model in TM format that has been used to generate the Template. That Threat Model is particularly interesting because it contains an example of a Threat Model of a reference architecture, so it can also be used as an Example. Another typical deliverable generated by TMS is the Word Report, and you have both the Reference Word File used to generate the Report and the Report itself. And talking about the Report, I’ve also published a first template for you to use with your own Threat Models: please refer to the guidance in the Learning section to understand how to use it.

You can find all of this material on a new page specifically dedicated to publishing the Templates, including the Word Template. This section is not only intended to contain the material produced by me: you can contribute your own templates! Just go to the Template Upload page, and send a message with your material.

Similarly, I’ve added a page for downloading Examples. And again, you can send your own examples to be published as well, using the Example Upload page.

The documentation has also been extended. I have added two pages, on Templates Creation and Property Schemas respectively. Those are very important topics when you need to create templates like the one I just published.

And as a bonus, I have added the page on the Overview Dashboard, which was missing when I published my post on Threat Modeling vNext.

This is not the end for Templates: a lot still needs to be covered. Azure itself has barely been touched, and a lot more needs to be covered. But now, you can get some ideas about what could be done with TMS.

Stay tuned. A lot is going to happen in the upcoming months!

I have been a Consultant with Microsoft for 15 years or so. As such, I have gained strong competencies around Software Architectures and Methodologies with a focus on Microsoft technologies. I have been working for Microsoft in the Consultancy department since January 2000, mainly for Customers in the Financial sector. Now I am a Senior Premier Field Engineer on Security. In this role I am helping customers adopt Microsoft Security Products, Technologies and Methodologies. Application Security is one of my main areas of interest, even from before joining Microsoft: the very reason why I was hired by Microsoft is a set of articles I wrote on Security, and specifically on Cryptography, between 1998 and 1999. I am now a member of the Microsoft InfoSecurity Force European Team. As a Microsoft Employee, I have assumed the roles of Developer, Lead Developer, Architect and Microsoft Development Technologies expert. This has allowed me to work for important Banks and Financial Institutions like Intesa SanPaolo, Deutsche Bank, Monte dei Paschi di Siena and Unicredit, and also for P.A. Organizations like INPS, the largest social security and welfare institute in Italy and one of the most important on a European level. The experience gained can be applied to many contexts, not only to Financial Businesses, because it has been mainly focused on technology and soft abilities, like interpersonal awareness and interaction with different people and different organizations. In May 2016 I assumed the role of Co-Lead of the Worldwide Microsoft Technical Community for the Security Development Lifecycle.
