I have just prepared a new minor release to fix a blocking bug in Threats Manager: the new release has been marked with version 1.5.53.
- [BUG] Error when drilling down a Treat Type with a name including a single quote character.
Please use the new version instead of the previous one.
You can download the new version from here.
Simone On Security 
Do you have insights on what is going on with the Threat Modeling Tool by chance? All signs point to it being abandoned(2016 has major bugs untouched for 18 months and 2017 is still stuck in preview), but no one seems to be commenting one way or the other.
LikeLike
Hi Jonathan, thank you for asking. I know that the product team has not ceased working on it. There are various ideas to revamp it and they are continuously adding bug fixes. You are right when you say that it is not updated as frequently as we would like to see it, and that old bugs have yet to be solved.
The fact is that the Product Group would like to give more love to the tool, but they need to demonstrate that it really matters to customers like you: would you invest on a tool that provides no particular return of the investment to you (because you are giving away it for free) and that may be used by a very small number of users, being so specialized? So, it is very important to help them to understand the real impact of the Threat Modeling Tool by installing the preview and by accepting the telemetry: this allows them to understand if the Threat Modeling Tool is useful or not, and what are the most important features to invest on.
So, while they are trying to get those evidences, they are doing what they can with the resources they have been assigned. The good news here is that the Threat Modeling Tool has a team of people working on it and that development has not stopped and new ideas for its evolution are considered as we speak. We just need to work together, so that Microsoft understands the real importance it has for us and provide the resources needed to fulfill its promises.
Please keep asking those questions and to show interest on Threat Modeling and the Threat Modeling Tool!
LikeLike
Thanks for info, although I was afraid that was what the response was going to be.
The MS threat modeling tool(2017 in particular) is far superior to the other free modeling tools out there, but trying to get buy-in embed it into our development process is tough. Since 2016 cannot create accurate reports due to the threat severity bug, its use gets voted down by devs since manually editing every report is time consuming. 2017 Preview works well, but management will never approve a year old app in Preview status. Microsoft’s tool makes showing how threat modeling can be put into the development cycle and return a good value back to the business, but when trying to scope out what the enterprise wide program would look like, moving to one of the commercial tools is the only way to guarantee a stable process.
Microsoft needs telemetry from users to show value in continuing development, inversely the people trying to champion its adoption needs some movement on Microsoft’s side to get it. It’s like a real world deadlock.
Not for nothing, the 2002 Bill Gates memo is a good way to summarize why this free tool returns value to Microsoft, in particular this piece of the first paragraph(just replace .Net with Azure): “Over the last year it has become clear that ensuring .NET is a platform for Trustworthy Computing is more important than any other part of our work. If we don’t do this, people simply won’t be willing – or able – to take advantage of all the other great work we do”. Helping customers create secure Azure stacks will only lead to more Azure adoption.
LikeLike
You probably know this already, but forcing a user to consent to submitting PII in order to use your application is Not Nice ™. This choice disqualifies the tool from our toolbox, which is a shame.
LikeLike
Thank you, Sly. I understand your point, but I respectfully disagree. Yes, it would be nicer to allow you to decide if you want or not to confer your data, but truth is that I need to collect info about the issues, to troubleshoot and improve quality, and to understand which features are more useful, for prioritizing my development activities. I think I have been nice and ethical, by stating exactly what are the data collected, how they are going to be used and for how long they are going to be retained, which is in terms of days, not years.
Of course, it is totally legitimate for you to disagree with my usage of your data and to refuse using my tool: I am not forcing you in any way.
Some time ago, Exceptionless changed its policies and I may be able to change the information required to a bare minimum, which still may include information like the executable path (and thus potentially your account name). Nevertheless, I am not going to update my code to leverage the new possibilities, because I think that nowadays Threats Manager provides a marginal value compared with the original intentions, not only because of how the new Templates like the Azure one have been built, but also because the Threat Modeling Tool is not evolving as it should. Of course, I recognize that with this I may have provided you an even better reason not to adopt Threats Manager. 🙂
In any case, please stay tuned: I may have some ace up my sleeve, which I hope to be allowed to share with the general public in the upcoming months.
Again, thank you for your feedback. I appreciate it.
Simone
LikeLike