In order to help development teams find security vulnerabilities and determine risks less expensively, Microsoft has updated its free Security Development Lifecycle (SDL) Threat Modeling Tool.

“More and more of the customers I have been talking to have been leveraging threat modeling as a systematic way to find design-level security and privacy weaknesses in systems they are building and operating,” wrote Tim Rains, director of Microsoft’s Trustworthy Computing group, on the SDL blog. “Threat modeling is also used to help identify mitigations that can reduce the overall risk to a system and the data it processes.”

The Threat Modeling Tool 2014 brings new features and improvements to help organizations apply a structured approach to threat scenarios.

The updated version of the tool changes how threats are generated. It now applies the STRIDE categories per interaction instead of per element, so users produce threats based on the interaction between elements rather than on each element in isolation. (STRIDE stands for Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege.)

The STRIDE baseline has also been updated to allow developers to define their own threat definitions.

“With this feature, we have higher confidence that our users can get the best possible picture of their threat landscape,” according to the SDL blog.
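The per-element versus per-interaction distinction above, and a user-defined threat definition layered on top of the baseline, as an added toy generator (example code, not the article's or Microsoft's tool code; the element kinds, rule tables and sample browser/web app/database model are constructed for illustration):

```python
from collections import namedtuple

# STRIDE categories named in the article.
STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information disclosure",
          "Denial of service", "Elevation of privilege")

# Diagram vocabulary (constructed): kind is "external", "process" or "datastore".
Element = namedtuple("Element", "name kind")
Flow = namedtuple("Flow", "src dst label")

# STRIDE per element: categories attach to each element in isolation, following
# the commonly published SDL per-element chart.
PER_ELEMENT = {
    "external": {"Spoofing", "Repudiation"},
    "process": set(STRIDE),
    "datastore": {"Tampering", "Repudiation", "Information disclosure",
                  "Denial of service"},
}

# STRIDE per interaction: categories attach to a (source kind, destination kind)
# pair, so one element yields different threats on each of its data flows.
# This baseline is constructed for the example, not the tool's shipped rules.
PER_INTERACTION = {
    ("external", "process"): {"Spoofing", "Repudiation", "Denial of service"},
    ("process", "datastore"): {"Tampering", "Information disclosure",
                               "Denial of service"},
    ("datastore", "process"): {"Tampering", "Information disclosure"},
}

def threats_per_element(elements):
    """Sorted (element, category) pairs, one per applicable category."""
    return sorted((e.name, c) for e in elements for c in PER_ELEMENT[e.kind])

def threats_per_interaction(flows, rules=PER_INTERACTION):
    """Sorted (flow, category) pairs; a flow with no matching rule yields nothing."""
    return sorted((f"{f.src.name} -> {f.dst.name} ({f.label})", c)
                  for f in flows for c in rules.get((f.src.kind, f.dst.kind), ()))

def with_custom_rule(rules, src_kind, dst_kind, categories):
    """User-defined threat definition: extend one interaction rule on a copy."""
    custom = {k: set(v) for k, v in rules.items()}
    custom.setdefault((src_kind, dst_kind), set()).update(categories)
    return custom

# Constructed sample model: browser -> web app -> orders database.
BROWSER, WEBAPP, DB = (Element("Browser", "external"), Element("Web app", "process"),
                       Element("Orders DB", "datastore"))
FLOWS = [Flow(BROWSER, WEBAPP, "HTTPS request"), Flow(WEBAPP, DB, "SQL query"),
         Flow(DB, WEBAPP, "SQL result")]
```

Running `threats_per_interaction(FLOWS)` lists eight threats tied to specific flows (for example, Spoofing on the browser's request to the web app), whereas `threats_per_element` lists twelve attached to the elements alone; a custom rule adding Repudiation to process-to-datastore flows adds a ninth interaction threat without touching the baseline table.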

Microsoft also introduced a new drawing surface, an intuitive user interface that provides users with easier navigation capabilities for building threat models. With the drawing surface, Microsoft Visio is no longer required to create threat models.

“One of our goals with this release is to provide a simplified workflow for building a threat model and help remove existing dependencies,” the SDL team wrote.

Other features allow developers to easily migrate their preexisting threat models or security systems from the previous version of the tool to the new threat-modeling format.

“Threat modeling is an iterative process. Development teams create threat models, which evolve over time as systems and threats change,” wrote the SDL team.