How do I update the initial diagrams?

Question

How do I update the Sample VA Application Threat Models to tailor them into an initial application threat model?

Answer

The Sample VA Application Threat Models that are provided by the VA Software Assurance Program Office are intended as a starting point, to facilitate further work using the Microsoft Threat Modeling Tool.

For purposes of performing secure design reviews at the VA, there are three basic ways to further refine diagrams in the Microsoft Threat Modeling Tool, as necessary, either before beginning or during auditing:

  • Add new, delete, or reconnect model elements in the Context and Level 0 diagram(s). For example, right-click on the drawing surface to bring up a context menu to add an element.
  • Convert model elements to a more specific type of element in the Level 0 diagram(s). For example, a generic data flow can be converted to HTTPS.
  • Add new diagrams to further decompose the application, either to more accurately reflect a Level 0 decomposition or to create Level 1 or 2 diagrams.

While there are additional ways to use the tool to support further model refinement, doing so is not required.

For more information about the process of refining diagrams while auditing potential threats using the Microsoft Threat Modeling Tool, please see "How to get started analyzing an application threat model".
