How to: Import threat models which were created with Microsoft Threat Analysis and Modeling (TAM) v2.1

Syed Aslam Basha here from the Information Security Tools team.

With the availability of latest version of TAM v3.0, it becomes increasingly more important to know “How to import threat models which were created with TAM v2.1".

TAM v3.0 has a feature of importing TAM v2.1 threat models. TAM implements plug-in architecture and it supports importing through plug-in “dll’s”. For more technical details about plug-in architecture refer to this blog posts plug-in architecture 1 and 2 . The threat models are stored as xml files. TAM uses a built in xslt for transformation of TAM v2.1 threat model to TAM v3.0 threat model. The plug-ins and xslt are installed in plug-in folder. After the transformation the new threat model is loaded in threat model tree.

I am going to show “How to import TAM v2.1 threat models to TAM v3.0”.

Steps to Import.,

  1. Launch TAM v3.0
  2. Click on File –> New
  3. Click on File –> Import
  4. Select “Import from version 2.1 Threat Model” plug-in from the list and click on next
  5. Browse TAM v2.1 “.atmx” file and click on next
  6. Click on Finish

You are good to use the TAM v2.1 threat model in TAM v3.0. The import feature works seamlessly by mapping objects one to one and for many properties. For example threat model name, description, business objective name,description so on and so forth. In some cases, while importing v2.1 threat model some of the properties like authentication mechanism, weight, identity name, identity description in Role, data classification in Data, etc are copied to the respective descriptions as relevant properties don’t exist in TAM v3.0.

You can refer to more articles on TAM v3.0 here

-Syed Aslam Basha ( )

Microsoft Information Security Tools (IST) Team

Test Lead