Threat is a generic term to indicate a potential attack to the solution.

There are two types of Threats:

  • Threat Types represent abstract attacks. They are abstract because they are not associated with any part of the solution, nor to the solution as a whole. In other words, Threat Types act very much like templates. An example of Threat Type may be: “The request may be intercepted by a man in the middle and its content may be disclosed”.
  • Threat Events are applied to Threat Types. Each Threat Event is essentially derived from a Threat Event and associated with an Entity, a Flow, or to the entire solution. The previous example applied to a Flow between a User and a Front-End Web Application would be: “The request sent from the User to the Front-End Web Application may be intercepted by a man in the middle and its content may be disclosed”.

Both Threat Types and Threat Events are characterized by its Severity, which indicates the relative importance.

Tips & Tricks
It is not uncommon to evaluate the Severity as a combination of Probability and Impact. Still, the design choice for Threats Manager Studio (TMS) has been to express directly the Severity, not its components. Both approaches have similar characteristics and weaknesses because they are qualitative, and as such, they are subject to bias. That said, the direct selection of the Severity seems slightly better because it requires less effort and does not give the false feeling of being more precise.

Severity can typically be set to one of the following values:

  • Critical, which should be used for extremely important issues, impacting the main functionality and very sensitive data, and for which there is no mitigation in place.
    Critical issues should be considered reason enough for stopping the deployment of the solution in Production.
    Bottom line: use them sparingly.
  • High Severity Threats are important issues, impacting the main functionality and sensitive data, for which there is a partially effective mitigation.
    If you have one or more of them, you should consider forcing the adoption of some additional mitigation before allowing the deployment of the solution.
    Bottom line: they are less severe than Critical ones, but still very important and you need to take them very seriously.
  • Medium Severity would be used for Threats impacting main functionalities and sensitive data, when there is some mitigation in place, or for secondary functionalities and not particularly sensitive data, when there is no mitigation.
    While one or two of those may not be considered as blocking for going in Production, many of them would represent a risk big enough to warrant preventing the solution to be deployed in Production.
    Bottom line: do not neglect attention to Medium Severity issues.
  • Low Severity issues are typically associated to secondary functionalities and non-sensitive data, or when you already have mitigations in place.
    Typically, Low Severity issues are not considered as blocking.
    Bottom line: you cannot zero the risk. You have to accept some, and Low Severity issues are the best candidates for acceptance.
  • Info level issues do not represent a risk at all: they are there to represent situations where the risk could be considered negligible.
    Bottom line: they can be safely neglected.

Tips & Tricks
In TMS, the Severity for Threat Events represents the Residual Risk. In other words, you should evaluate it considering all the existing and implemented mitigations, but not what has been planned or is under development.

Threats can also be categorized in multiple ways. A commonly used approach in Microsoft is the so-called STRIDE, from the initials of the six categories it defines.

CategoryDesired PropertyDefinition
SpoofingAuthenticationImpersonating something or someone else
TamperingIntegrityUnwarranted modification of code or data
RepudiationNon RepudiationThe ability to claim to have not performed some action against the solution
Information DisclosureConfidentialityExposure of information to unauthorized users
Denial of ServiceAvailabilityThe ability to deny or degrade a service to legitimate users
Elevation of PrivilegeAuthorizationThe ability of a user to elevate her or his privileges with an application without authorization.
The STRIDE categories.

Tips & Tricks
TMS does not adopt any categorization of Threats. This is an intentional design choice, to give the greatest freedom to the user. In fact, you can define your metadata including a Threat categorization model, using Property Schemas.

Threat Types

Threat Types can be edited from the Threat Type List, in the View ribbon.

The View ribbon.

To create a new Threat Type, open the Threat Type List, then click the Add Threat Type: this will open a dialog where you will be asked to insert the name of the Threat Type, optionally a description and its standard Severity.

The Standard Severity will be used as a reference for new Threat Events.

It is possible to create new Threat Types from diagrams, by clicking the New Threat Type button in the Diagram ribbon.

The Diagram ribbon.

It is also possible to create new Threat Types as part of the creation of new Threat Events.

Threat Events

Threat Events can be edited from the Threat Event List in the Home ribbon.

The Home ribbon.

To create a new Threat Event, select an existing Entity or Flow from a diagram or from the respective List in the Home ribbon, then locate the list of the Threat Events associated to the selected object in the Item Editor, click the Add button and select an existing Threat Type or the details of the new Threat Type in the Select Threat Type dialog. This will create the Threat Event associated with the selected object.

Adding a new Threat Event from the Item Editor.

After having created a new Threat Event, you may want to change its Severity from the default one coming from the Threat Type. To do that, you need to double click on it in the list in the Item Editor: this will open a dialog with all the details of the Threat Event.

Another way to create a Threat Event out of an existing Threat Type, is to use the Threat Type Stencil within the diagrams, to drag & drop the selected Threat Type on the Entity or Flow that is intended to receive it.

Creating a Threat Event from the Threat Type Stencil.

Mitigation Status

The picture above shows also what happens when you associate a Threat Event to an Entity or a Flow: in the diagram, it is decorated with a small circle which is initially red. If you click on the circle, the list of the assigned Threat Events is shown: you can then click on each one of them to select it in the Item Editor and work on it, or use the right button of the mouse to get access to more advanced actions on the selected Threat Event.

The circle represents the Mitigation Status. The circle on the Entity or Flow, represents the overall Mitigation Status for all the Threat Events associated to the object:

  • If red, it means that no Threat Event have any Mitigation assigned.
  • If orange, it indicates that at least a Threat Event has one Mitigation assigned or more, but that not all Threat Events have enough Mitigations to be considered fully mitigated.
  • If green, it indicates that all associated Threat Events have enough mitigations.

Analogously, the icon on the Threat Event in the list, like the small cube shown above for “Some Threat Type”, indicates the specific Mitigation Status for that Threat Event.

An example of Mitigation Status.

If we consider the example above, we can see that the overall Mitigation Status associated to the selected External Interactor is orange, which means that at least some Threat Event has some associated Mitigation. If you click on the circle, as I did above, the list of Threat Events will open, and you will be able to see that Threat 2 is fully mitigated, while Threat 1 has some mitigation, but not enough to be considered done.

Tips & Tricks
If the circles in the diagram confuse you and you do not see much value in them, you can toggle them off by using the Toggle Markers button in the Diagram ribbon. This choice is not persisted but should be selected every time you work with a diagram.

Global Threat Events

You can create a Threat Event also for the Threat Model: in this case, the Threat Event will be global. You can do that from the Threat Model Properties, which is accessible from the Home ribbon, or from the Threat Type List, with command Create Global Threat Event from the context menu.

Create Global Threat Event.

The Threat Event List

The Threat Event List in the Home ribbon is also useful to get a comprehensive view of all the Threat Events defined in the Threat Model.

The Home ribbon.