STRIDE (security)

STRIDE is a model of threats developed by Praerit Garg and Loren Kohnfelder at Microsoft[1] for identifying computer security threats.[2] It provides a mnemonic for security threats in six categories.[3]

The threats are:

The STRIDE was initially created as part of the process of threat modeling. STRIDE is a model of threats, used to help reason and find threats to a system. It is used in conjunction with a model of the target system that can be constructed in parallel. This includes a full breakdown of processes, data stores, data flows and trust boundaries.[5]

Today it is often used by security experts to help answer the question "what can go wrong in this system we're working on?"

Each threat is a violation of a desirable property for a system:

ThreatDesired property
SpoofingAuthenticity
TamperingIntegrity
RepudiationNon-repudiability
Information disclosureConfidentiality
Denial of ServiceAvailability
Elevation of PrivilegeAuthorization

Notes on the threats

Repudiation is unusual because it's a threat when viewed from a security perspective, and a desirable property of some privacy systems, for example, Goldberg's "Off the Record" messaging system. This is a useful demonstration of the tension that security design analysis must sometimes grapple with.

Elevation of Privilege is often called escalation of privilege, or privilege escalation. They are synonymous.

See also

  • Attack tree – another approach to security threat modeling, stemming from dependency analysis
  • Cyber security and countermeasure
  • DREAD (risk assessment model) – another mnemonic for security threats
  • OWASP – organization devoted to improving web application security through education
  • CIA also known as AIC – another mnemonic for a security model to build security in IT systems

References

  1. Shostack, Adam. ""The Threats To Our Products"". Microsoft SDL Blog. Microsoft. Retrieved 18 August 2018.
  2. Kohnfelder, Loren; Garg, Praerit (April 1, 1999). "The threats to our products". Microsoft Interface. Retrieved 18 August 2018.
  3. "The STRIDE Threat Model". Microsoft. Microsoft.
  4. Guzman, Aaron; Gupta, Aditya (2017). IoT Penetration Testing Cookbook: Identify Vulnerabilities and Secure your Smart Devices. Packt Publishing. pp. 34–35. ISBN 978-1-78728-517-0.
  5. Shostack (2014). Threat Modeling: Designing for Security. Wiley. pp. 61–64. ISBN 978-1118809990.


This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.