Geert,
I was referring to Threat modeling, which Microsoft has incorporated into their SDLC. They have developed a Security Development Lifecycle (SDL), which includes developing Threat Models for applications.
More information can be found at
www.microsoft.com/sdl.
The tool they have developed is tied into Visio, which is single user file based tool and we would like to construct a Threat Model using EA. I am still learning about threat modeling so this information may not be a very good explanation of what is needed.
Basically, you model your application using a Data Flow Diagram (DFD), which EA supports with the exception of being able to draw Threat Boundaries. These are dashed lines that are an arc and any data flow (represented by an EA connector) that intersects a threat boundary needs to be identified as a threat. This is just one of the many features that needs to be provided by the threat model. There are classifications of the threat (acronym STRIDE) which have defined mitigation techniques applied based on the asset that is associated with the data flow (connector). These mitigations are provided on the threat model documentation that is generated from the model.
Each of the EA element types in a DFD is considered as an Asset, which needs to have properties assigned (probably EA Tagged Values) and reported on (which could be handled by creating a document template in EA).
Again, I am still learning about this and there are several features that could be automated with a tool such as EA, but it would be nice if EA could take a look at the features needed and provide something out of the box. Microsoft developed the SDL and the tooling back in 2006-2007 and hasn't done much since then and the tool defintlely does not support multi-user like EA. It would take some commitment on Sparx's part to analyze the process to be able to provide this type of feature and my post was just to inquire if Sparx had anything like this on their radar.
Thanks for your reply and interest.
Tom
