This article is a comparison of data modeling tools which are notable, including standalone, conventional data modeling tools and modeling tools supporting data modeling as part of a larger modeling environment.
- Microsoft Threat Modeling Tool
- Three Tools Available For Threat Modeling
- Best Threat Modeling Tool
- Threat Modeling Pdf
- Threat Modeling Tool For Mac
General[edit]
Threat modeling is a key element in the consideration of security, both at application level and network level.How to identify the threats in the Software in SDLC process.The threat modeling methodology.The best tools that you can use for finding threats in software.
Threat modelling works to identify, communicate, and understand threats and mitigations within the context of protecting something of value. Threat modelling can be applied to a wide range of things, including software, applications, systems, networks, distributed systems, things in the internet of things, business processes, etc. SDL Threat Modeling Tool 3.1.2008 The Microsoft SDL Threat Modeling Tool allows for. Security issues. The SDL Threat Modeling Tool helps engineers. Software lifecycle. The SDL Threat Modeling Tool version 3. Previous 3.1 release. How To Use Microsoft Threat Modeling Tool 2016, Create DFD Model and identity threat STRIDE. Microsoft’s free threat modeling tool – the Threat Modeling Tool (formerly SDL Threat Modeling Tool). This tool also utilizes the Microsoft threat modeling methodology, is DFD-based, and identifies threats based on the STRIDE threat classification scheme. It is intended primarily for general use.
Tool | Creator | Target Business Size | License | Supported Database Platforms | Supported OSs | Standalone or bundled into a larger toolkit | Launch Date |
---|---|---|---|---|---|---|---|
Astah | Change Vision | Enterprises | Proprietary | MySQL, Oracle, | Windows, macOS, Linux | Standalone | 2006 |
Database Deployment Manager | The Unauthorized Frog project | SMBs and enterprises | LGPL | CUBRID, MySQL, SQLite | Windows, Linux | Standalone | 2010 ? |
Database Workbench | Upscene Productions | SMBs and enterprises | Proprietary | MS SQL Server, MySQL, Oracle, Firebird, InterBase, SQL Anywhere, NexusDB, MariaDB | Windows, Linux and FreeBSD (both through Wine) | Standalone | 2001 |
Enterprise Architect | Sparx Systems | SMBs and enterprises | Proprietary | IBM DB2, Firebird, InterBase, Informix, Ingres, Access, MS SQL Server, MySQL, SQLite, Oracle, PostgreSQL, Sybase | Windows, Linux (Wine), macOS (via CrossOver) | Data modeling is supported as part of a complete modeling platform. | 2000 |
ER/Studio | Embarcadero (acquired by IDERA) | SMBs and enterprises | Proprietary | Access, IBM DB2, Informix, Hitachi HiRDB, Firebird, Interbase, MySQL, MS SQL Server, Netezza, Oracle, PostgreSQL, Sybase, Teradata, Visual Foxpro and others via ODBC/ANSI SQL | Windows | Standalone | 1998 |
Erwin Data Modeler | ERWin (formerly CA) | SMBs and enterprises | Proprietary | Access, IBM DB2, Informix, MySQL, MS SQL Server, Netezza, Oracle, PostgreSQL, Sybase, and others via ODBC/ANSI SQL | Windows | Standalone | 1998 |
MagicDraw | No Magic | Enterprises, SMBs, personal | Proprietary | MS SQL Server, Oracle, MySQL, PostgreSQL, IBM DB2 | Windows, Linux, macOS | Standalone | 1995 |
SQL Server Management Studio | Microsoft | Unknown | Proprietary | MS SQL Server | Windows | Standalone | 2005 |
ModelRight | ModelRight | Enterprises, SMBs, personal | Proprietary | Access, MS SQL Server, Oracle, MySQL, PostgreSQL, IBM DB2 | Windows | Standalone | 2005 |
Moon Modeler | Datensen | Enterprises - SMBs - personal | Proprietary | MongoDB, MariaDB | Windows, Linux | Standalone | 2019 |
MySQL Workbench | MySQL (An Oracle Company) | SMBs - personal | Proprietary or GPL | MySQL | Linux, Windows, macOS | Standalone | 2006 |
Navicat Data Modeler | PremiumSoft | SMBs and enterprises | Proprietary | MySQL, MS SQL Server, PostgreSQL, Oracle, SQLite | Windows, macOS, Linux | Standalone | 2012 |
NORMA Object-Role Modeling | Terry Halpin | SMBs and enterprises | CPL | MySQL, MS SQL Server, PostgreSQL, Oracle, DB2 | Windows | Visual Studio Extension | 2005 |
Open ModelSphere | Grandite | Enterprises - SMBs - personal | GNU GPL3 | MS SQL Server, MySQL, PostgreSQL, Oracle, DB2 | Windows, macOS, Linux | Standalone with Data, UML, and process modeling | 2008 |
Oracle SQL Developer Data Modeler | Oracle | Enterprises | Proprietary | Oracle, MS SQL Server, IBM DB2 | Cross-platform | Standalone | Unknown |
PowerDesigner | SAP | SMBs and enterprises | Proprietary | Access, Greenplum, Apache Hive, HP Neoview, IBM DB2, Informix, Ingres, Interbase, MySQL, Netezza, NonStop SQL, Oracle, PostgreSQL, Red Brick Warehouse, SAP business Suite, SAP Hana, SAP Adaptive Server Enterprise, SAP IQ, SAP SQL Anywhere, MS SQL Server, Teradata | Windows | Standalone | 1989 |
Software Ideas Modeler | Dusan Rodina | Enterprises, SMBs, personal | Proprietary | MS SQL Server, MySQL | Windows | Standalone | 2009 |
SQLyog | Webyog, Inc. | Enterprises, SMBs, personal | Proprietary | MySQL, MariaDB | Windows and Linux (using Wine) | Standalone | 2001 |
Toad Data Modeler | Quest Software | SMBs and enterprises | Proprietary | Access, IBM DB2, Informix, MySQL, MariaDB, PostgreSQL, MS SQL Server, SQLite, Oracle | Windows | Standalone | 2005 (before this date known as CaseStudio) |
Tool | Creator | Target Business Size | License | Supported Database Platforms | Supported OSs | Standalone or bundled into a larger toolkit | Launch Date |
Features[edit]
Tool | Supported data models (conceptual, logical, physical) | Supported notations | Forward engineering | Reverse engineering | Model/database comparison and synchronization | Teamwork/repository |
---|---|---|---|---|---|---|
Database Workbench | Conceptual, logical, physical | IE (Crows feet) | Yes | Yes | Update database and/or update model | No |
Enterprise Architect | Conceptual, Logical & Physical + MDA Transform of Logical to Physical | IDEF1X, UML DDL, Information Engineering & ERD | Yes | Yes | Update database and/or update model | Multi-user collaboration using File, DBMS or Cloud Repository (or transfer via XMI, CVS/TFS or Difference Merge). |
ER/Studio | Logical, physical, ETL | IDEF1X, IE (Crows feet) | Yes | Yes | Update database and/or update model | ER/Studio Repository and Team Server (formerly Portal/CONNECT) for collaboration |
MagicDraw | Conceptual, Logical & Physical + MDA Transform of Logical to Physical | IDEF1X, UML DDL, Information Engineering & ERD | Yes | Yes | Update database and/or update model | Multi-user collaboration using File, DBMS or (transfer via XMI, CVS/TFS or Difference Merge). |
MySQL Workbench | Physical | IDEF1X, IE (Crows feet), UML, and more | Yes | Yes | Update database and/or update model | No |
Navicat Data Modeler | Conceptual, physical | IE (Crows feet) | Yes | Yes | Update database and/or update model | No |
NORMA Object-Role modeling | Conceptual (ORM), Logical, Physical | ORM, Relational(Crows feet option), Barker | Yes | Yes | Update database and/or update model | No |
Open ModelSphere | Conceptual, Logical, physical | IDEF1X, IE (Crows feet), and more | Yes | Yes | Update database and/or update model | No |
Oracle SQL Developer Data Modeler | Logical, physical | IDEF1X, IE (Crows feet), and more | Yes | Yes | Update database and/or update model | Yes |
PowerDesigner | Conceptual, logical, physical | IDEF1X, IE (Crows feet), and more | Yes | Yes | Update database and/or update model | Yes |
Toad Data Modeler | Logical, physical | IDEF1X, IE (Crows feet), and more | Yes | Yes | Update database and/or update model | Yes |
See also[edit]
Retrieved from 'https://en.wikipedia.org/w/index.php?title=Comparison_of_data_modeling_tools&oldid=912562007'
Join hundreds of InfoSec professionals at our upcoming [Global AppSec DC, September 9-13] and [Global AppSec Amsterdam, September 23-27] |
- 34 Questions
- 4Process
- 5Learning More
Threat modelling works to identify, communicate, and understand threats and mitigations within the context of protecting something of value.
Threat modelling can be applied to a wide range of things, including software, applications, systems, networks, distributed systems, things in the internet of things, business processes, etc. There are very few technical products which cannot be threat modelled; more or less rewarding, depending on how much it communicates, or interacts, with the world. Threat modelling can be done at any stage of development, preferably early - so that the findings can inform the design.
What
Most of the time, a threat model includes:
- A description / design / model of what you’re worried about
- A list of assumptions that can be checked or challenged in the future as the threat landscape changes
- A list of potential threats to the system
- A list of actions to be taken for each threat
- A way of validating the model and threats, and verification of success of actions taken
Microsoft Threat Modeling Tool
Our motto is: Threat modelling: the sooner the better, but never too late.
Why
The inclusion of threat modelling in the SDLC can help
- Build a secure design
- Efficient investment of resources; appropriately prioritize security, development, and other tasks
- Bring Security and Development together to collaborate on a shared understanding, informing development of the system
- Identify threats and compliance requirements, and evaluate their risk
- Define and build required controls.
- Balance risks, controls, and usability
- Identify where building a control is unnecessary, based on acceptable risk
- Document threats and mitigation
- Ensure business requirements (or goals) are adequately protected in the face of a malicious actor, accidents, or other causes of impact
- Identification of security test cases / security test scenarios to test the security requirements
4 Questions
Most threat model methodologies answer one or more of the following questions in the technical steps which they follow:
1. What are we building?
As a starting point you need to define the scope of the Threat Model. To do that you need to understand the application you are building, examples of helpful techniques are:
- Architecture diagrams
- Dataflow transitions
- Data classifications
- You will also need to gather people from different roles with sufficient technical and risk awareness to agree on the framework to be used during the Threat Modelling exercise.
![Threat Modeling Tool For Mac Threat Modeling Tool For Mac](/uploads/1/2/6/0/126023244/425387087.jpg)
2. What can go wrong?
This is a 'research' activity in which you want to find the main threats that apply to your application. There are many ways to approach the question, including brainstorming or using a structure to help think it through. Structures that can help include STRIDE, Kill Chains, CAPEC and others.
3. What are we going to do about that?
In this phase you turn your findings into specific actions. See Threat_Modeling_Outputs
4. Did we do a good enough job?
Finally, carry out a retrospective activity over the work you have done to check quality, feasibility, progress, and/or planning.
Process
The technical steps in threat modelling involve answering questions: - What are we working on - What can go wrong - What will we do with the findings - Did we do a good job? The work to answer these questions is embedded in some sort of process, ranging from incredibly informal Kanban with Post-its on the wall to strictly structured waterfalls.
The effort, work, and timeframes spent on threat modelling relate to the process in which engineering is happening and products/services are delivered. The idea that threat modelling is waterfall or ‘heavyweight’ is based on threat modelling approaches from the early 2000s. Modern threat modelling building blocks fit well into agile and are in wide use.
When to threat model
When the system changes, you need to consider the security impact of those changes. Sometimes those impacts are not obvious.
Threat modelling integrates into Agile by asking “what are we working on, now, in this sprint/spike/feature?”; trying to answer this can be an important aspect of managing security debt, but trying to address it per-sprint is overwhelming. When the answer is that the system’s architecture isn’t changing, no new processes or dataflows are being introduced, and there are no changes to the data structures being transmitted, then it is unlikely that the answers to ‘what can go wrong’ will change. When one or more of those changes, then it’s useful to examine what can go wrong as part of the current work package, and to understand designs trade-offs you can make, and to understand what you’re going to address in this sprint and in the next one. The question of did we do a good job is split: the “did we address these threats” is part of sprint delivery or merging, while the broader question is an occasional saw-sharpening task.
After a security incident, going back and checking the threat models can be an important process.
Threat modelling: engagement versus review
Three Tools Available For Threat Modeling
Threat modelling at a whiteboard can be a fluid exchange of ideas between diverse participants. Using the whiteboard to construct a model that participants can rapidly change based on identified threats is a high-return activity. The models created there (or elsewhere) can be meticulously transferred to a high-quality archival representation designed for review and presentation. Those models are useful for documenting what’s been decided and sharing those decisions widely within an organization. These two activities are both threat modelling, yet quite different.
Validating assumptions
Learning More
Best Threat Modeling Tool
Agile approaches
- Main agile threat modelling page
- Specific agile approach1 TM page
- Specific agile approach2 TM page
Threat Modeling Pdf
Waterfall approaches
Threat Modeling Tool For Mac
- Main waterfall TM page
Additional/External references
Retrieved from 'https://www.owasp.org/index.php?title=Application_Threat_Modeling&oldid=244224'