STRIDE is a model for identifying computer security threats[1] developed by Praerit Garg and Loren Kohnfelder at Microsoft.[2] It provides a mnemonic for security threats in six categories.[3]

The threats are:

The STRIDE was initially created as part of the process of threat modeling. STRIDE is a model of threats, used to help reason and find threats to a system. It is used in conjunction with a model of the target system that can be constructed in parallel. This includes a full breakdown of processes, data stores, data flows, and trust boundaries.[5]

Today it is often used by security experts to help answer the question "what can go wrong in this system we're working on?"

Each threat is a violation of a desirable property for a system:

ThreatDesired propertyThreat Definition
SpoofingAuthenticityPretending to be something or someone other than yourself
TamperingIntegrityModifying something on disk, network, memory, or elsewhere
RepudiationNon-repudiabilityClaiming that you didn't do something or were not responsible; can be honest or false
Information disclosureConfidentialityProviding information to someone not authorized to access it
Denial of serviceAvailabilityExhausting resources needed to provide service
Elevation of privilegeAuthorizationAllowing someone to do something they are not authorized to do

Notes on the threats

Repudiation is unusual because it's a threat when viewed from a security perspective, and a desirable property of some privacy systems, for example, Goldberg's "Off the Record" messaging system. This is a useful demonstration of the tension that security design analysis must sometimes grapple with.

Elevation of privilege is often called escalation of privilege, or privilege escalation. They are synonymous.

See also

References

  1. Kohnfelder, Loren; Garg, Praerit (April 1, 1999). "The threats to our products". Microsoft Interface. Retrieved 13 April 2021.
  2. Shostack, Adam (27 August 2009). ""The Threats To Our Products"". Microsoft SDL Blog. Microsoft. Retrieved 18 August 2018.
  3. "The STRIDE Threat Model". Microsoft. Microsoft.
  4. Guzman, Aaron; Gupta, Aditya (2017). IoT Penetration Testing Cookbook: Identify Vulnerabilities and Secure your Smart Devices. Packt Publishing. pp. 34–35. ISBN 978-1-78728-517-0.
  5. Shostack, Adam (2014). Threat Modeling: Designing for Security. Wiley. pp. 61–64. ISBN 978-1118809990.
  6. "Key OT Cybersecurity Challenges: Availability, Integrity and Confidentiality". tripwire.com. Retrieved 2022-07-20.
  7. "What is the CIA Triad? Definition, Explanation and Examples". WhatIs.com. Retrieved 2022-05-01.
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.