STRIDE model: Difference between revisions

From Wikipedia, the free encyclopedia
m Updating link after a site reorganization.
m PhotographyEdits moved page STRIDE (security) to STRIDE model: Remove unnecessary parentheses/disambiguator
 
(14 intermediate revisions by 10 users not shown)
Line 1: Line 1:
{{Short description|Model for identifying computer security threats}}
'''STRIDE''' is a model for identifying [[computer security]] [[Threat (computer)|threats]]<ref>{{Cite journal |last=Kohnfelder |first=Loren |last2=Garg |first2=Praerit |date=April 1, 1999 |title=The threats to our products |url=https://shostack.org/files/microsoft/The-Threats-To-Our-Products.docx |journal=Microsoft Interface |accessdate=13 April 2021}}</ref> developed by Praerit Garg and [[Loren Kohnfelder]] at [[Microsoft]].<ref>{{Cite web |last=Shostack |first=Adam |date=27 August 2009 |title="The Threats To Our Products" |url=https://cloudblogs.microsoft.com/microsoftsecure/2009/08/27/the-threats-to-our-products/ |website=Microsoft SDL Blog |publisher=Microsoft |accessdate=18 August 2018}}</ref> It provides a [[mnemonic]] for security threats in six categories.<ref>{{Cite web |title=The STRIDE Threat Model |url=https://msdn.microsoft.com/en-us/library/ee823878(v=cs.20).aspx |website=Microsoft |publisher=Microsoft}}</ref>
'''STRIDE''' is a model for identifying [[computer security]] [[Threat (computer)|threats]]<ref>{{Cite journal |last=Kohnfelder |first=Loren |last2=Garg |first2=Praerit |date=April 1, 1999 |title=The threats to our products |url=https://shostack.org/files/microsoft/The-Threats-To-Our-Products.docx |journal=Microsoft Interface |accessdate=13 April 2021}}</ref> developed by Praerit Garg and [[Loren Kohnfelder]] at [[Microsoft]].<ref>{{Cite web |last=Shostack |first=Adam |date=27 August 2009 |title="The Threats To Our Products" |url=https://cloudblogs.microsoft.com/microsoftsecure/2009/08/27/the-threats-to-our-products/ |website=Microsoft SDL Blog |publisher=Microsoft |accessdate=18 August 2018}}</ref> It provides a [[mnemonic]] for security threats in six categories.<ref>{{Cite web |title=The STRIDE Threat Model |url=https://msdn.microsoft.com/en-us/library/ee823878(v=cs.20).aspx |website=Microsoft |publisher=Microsoft}}</ref>


Line 18: Line 19:
{| class="wikitable"
{| class="wikitable"
|-
|-
! Threat !! Desired property
! Threat !! Desired property !! Threat Definition
|-
|-
| Spoofing || Authenticity
| Spoofing || Authenticity || Pretending to be something or someone other than yourself
|-
|-
| Tampering || Integrity
| Tampering || Integrity || Modifying something on disk, network, memory, or elsewhere
|-
|-
| Repudiation || Non-repudiability
| Repudiation || Non-repudiability || Claiming that you didn't do something or were not responsible; can be honest or false
|-
|-
| Information disclosure || Confidentiality
| Information disclosure || Confidentiality || Someone obtaining information they are not authorized to access
|-
|-
| Denial of Service || Availability
| Denial of service || Availability || Exhausting resources needed to provide service
|-
|-
| Elevation of Privilege || Authorization
| Elevation of privilege || Authorization || Allowing someone to do something they are not authorized to do
|}
|}
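Review bot: the new third column header "Threat Definition" is in title case while the existing header "Desired property" is in sentence case; suggest "Threat definition". The six definitions added in that column carry no reference, unlike the lead sentence that introduces the six categories; attaching a citation to the table would keep the new text verifiable. The case changes "Denial of Service" to "Denial of service" and "Elevation of Privilege" to "Elevation of privilege" are welcome, since the prose section below uses the lower-case form.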


Line 36: Line 37:
Repudiation is unusual because it's a threat when viewed from a security perspective, and a desirable property of some privacy systems, for example, Goldberg's "[[Off-the-Record Messaging|Off the Record]]" messaging system. This is a useful demonstration of the tension that security design analysis must sometimes grapple with.
Repudiation is unusual because it's a threat when viewed from a security perspective, and a desirable property of some privacy systems, for example, Goldberg's "[[Off-the-Record Messaging|Off the Record]]" messaging system. This is a useful demonstration of the tension that security design analysis must sometimes grapple with.


Elevation of Privilege is often called escalation of privilege, or privilege escalation. They are synonymous.
Elevation of privilege is often called escalation of privilege, or privilege escalation. They are synonymous.
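Review bot: the change to "Elevation of privilege" matches the table row above, so the term is now spelled one way throughout the article. The unchanged Repudiation paragraph still cites nothing for the claim about Goldberg's Off-the-Record messaging system; that is the kind of statement that normally carries a reference or a {{citation needed}} tag.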


== See also ==
== See also ==
* [[Attack tree]] – another approach to security threat modeling, stemming from dependency analysis
* [[Attack tree]] – another approach to security threat modeling, stemming from dependency analysis
* [[Cyber security and countermeasure]]
* [[Cyber security and countermeasure]]
* [[DREAD (risk assessment model)]] – another mnemonic for security threats
* [[DREAD (risk assessment model)|DREAD]] – a classification system for security threats
* [[OWASP]] – an organization devoted to improving web application security through education
* [[OWASP]] – an organization devoted to improving web application security through education
* [[Information security#Key concepts|CIA]] also known as AIC{{by whom|date=February 2021}}{{citation needed|date=February 2021}} – another mnemonic for a security model to build security in IT systems
* [[Information security#Key concepts|CIA]] also known as AIC<ref>{{Cite web| url=https://www.tripwire.com/state-of-security/security-data-protection/key-ot-cybersecurity-challenges-availability-integrity-confidentiality/ |title=Key OT Cybersecurity Challenges: Availability, Integrity and Confidentiality| access-date=2022-07-20| website=tripwire.com |language=en}}</ref><ref>{{Cite web |title=What is the CIA Triad? Definition, Explanation and Examples |url=https://www.techtarget.com/whatis/definition/Confidentiality-integrity-and-availability-CIA |access-date=2022-05-01 |website=WhatIs.com |language=en}}</ref> – another mnemonic for a security model to build security in IT systems


==References==
==References==
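Review bot: the two references added to the CIA line use |access-date= while the citations in the lead use |accessdate=; pick one spelling for the whole article. Replacing {{by whom}} and {{citation needed}} with sources is the right fix, and the first source's title ("Availability, Integrity and Confidentiality") does support the "AIC" ordering the sentence mentions. The DREAD entry's rewording from "another mnemonic for security threats" to "a classification system for security threats" drops the parallel with the STRIDE description but fits the linked article title, DREAD (risk assessment model).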
Line 52: Line 53:


[[Category:Computer security]]
[[Category:Computer security]]


{{comp-sci-stub}}
{{comp-sci-stub}}

Latest revision as of 14:43, 26 April 2024

STRIDE is a model for identifying computer security threats[1] developed by Praerit Garg and Loren Kohnfelder at Microsoft.[2] It provides a mnemonic for security threats in six categories.[3]

The threats are:

  • Spoofing
  • Tampering
  • Repudiation
  • Information disclosure
  • Denial of service
  • Elevation of privilege

STRIDE was initially created as part of the process of threat modeling. STRIDE is a model of threats, used to help reason about and find threats to a system. It is used in conjunction with a model of the target system, which can be constructed in parallel and includes a full breakdown of processes, data stores, data flows, and trust boundaries.[5]

Today it is often used by security experts to help answer the question "what can go wrong in this system we're working on?"

Each threat is a violation of a desirable property for a system:

Threat                   Desired property    Threat definition
Spoofing                 Authenticity        Pretending to be something or someone other than yourself
Tampering                Integrity           Modifying something on disk, network, memory, or elsewhere
Repudiation              Non-repudiability   Claiming that you didn't do something or were not responsible; can be honest or false
Information disclosure   Confidentiality     Someone obtaining information they are not authorized to access
Denial of service        Availability        Exhausting resources needed to provide service
Elevation of privilege   Authorization       Allowing someone to do something they are not authorized to do
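The article says STRIDE is applied against a model of the target system (processes, data stores, data flows and trust boundaries) and that each threat is the violation of a desired property. The following Python is an added example written for this entry, not code from the Wikipedia article or from Microsoft, showing what that enumeration looks like in practice: a small system model is declared, every element and data flow is paired with the STRIDE categories that apply to it, and the result is rendered as "what can go wrong?" questions with flows that cross a trust boundary listed first. The category-to-property mapping is taken from the table above; the per-element applicability table (which categories are asked about for an external entity, a process, a store or a flow) is an assumption based on common STRIDE-per-element practice, not something the article states, and the sample system (browser, web app, session cache, user database) is constructed for the example.

```python
"""Added example: enumerating STRIDE threats over a model of the target system.
Illustrative code for this page, not code from the Wikipedia article or from
Microsoft. The per-element applicability table is an assumption."""
from dataclasses import dataclass

# STRIDE letter -> (threat category, desired property it violates), per the article's table.
STRIDE = {
    "S": ("Spoofing", "Authenticity"),
    "T": ("Tampering", "Integrity"),
    "R": ("Repudiation", "Non-repudiability"),
    "I": ("Information disclosure", "Confidentiality"),
    "D": ("Denial of service", "Availability"),
    "E": ("Elevation of privilege", "Authorization"),
}

# ASSUMPTION (common STRIDE-per-element practice, not stated by the article):
# external entities can be spoofed or repudiate; processes face all six;
# stores and flows can be tampered with, read, or exhausted, and stores also
# hold the logs that repudiation disputes turn on.
APPLICABLE = {"external": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID"}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str       # "external", "process" or "store"
    boundary: str   # trust boundary the element sits in


@dataclass(frozen=True)
class Flow:
    name: str
    src: str        # Element.name
    dst: str        # Element.name


@dataclass(frozen=True)
class Threat:
    target: str
    category: str
    property: str
    crosses_boundary: bool


def enumerate_threats(elements, flows):
    """Apply STRIDE to every element and data flow of the system model."""
    by_name = {e.name: e for e in elements}
    threats = []
    for e in elements:
        if e.kind not in ("external", "process", "store"):
            raise ValueError(f"unknown element kind: {e.kind}")
        for code in APPLICABLE[e.kind]:
            category, prop = STRIDE[code]
            threats.append(Threat(e.name, category, prop, False))
    for f in flows:
        # A flow between two trust boundaries is where review starts.
        crosses = by_name[f.src].boundary != by_name[f.dst].boundary
        for code in APPLICABLE["flow"]:
            category, prop = STRIDE[code]
            threats.append(Threat(f.name, category, prop, crosses))
    return threats


def questions(threats):
    """Render threats as 'what can go wrong?' prompts, boundary-crossing flows first."""
    ordered = sorted(threats, key=lambda t: (not t.crosses_boundary, t.target, t.category))
    out = []
    for t in ordered:
        line = f"{t.target}: what if {t.category.lower()} defeats {t.property.lower()}?"
        if t.crosses_boundary:
            line += " [crosses trust boundary]"
        out.append(line)
    return out


def count_by_category(threats):
    """Number of enumerated threats per STRIDE category."""
    counts = {}
    for t in threats:
        counts[t.category] = counts.get(t.category, 0) + 1
    return counts


# Constructed sample model: a browser on the internet talks to a web app in a
# DMZ, which writes a session cache in the same DMZ and reads an internal database.
SAMPLE_ELEMENTS = [
    Element("Browser", "external", "internet"),
    Element("WebApp", "process", "dmz"),
    Element("SessionCache", "store", "dmz"),
    Element("UserDB", "store", "internal"),
]
SAMPLE_FLOWS = [
    Flow("login request", "Browser", "WebApp"),
    Flow("session write", "WebApp", "SessionCache"),
    Flow("user lookup", "WebApp", "UserDB"),
]

if __name__ == "__main__":
    found = enumerate_threats(SAMPLE_ELEMENTS, SAMPLE_FLOWS)
    for q in questions(found):
        print(q)
    print(count_by_category(found))
```

Running the block prints 25 prompts for the sample model; the six that belong to the two boundary-crossing flows (login request, user lookup) come first, which is the ordering an analyst would use when asking "what can go wrong in this system?" The point of the exercise is the pairing of each element with the properties it must keep, not the prompt wording, so the output is a starting checklist to be pruned and refined against the real design.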

Notes on the threats

Repudiation is unusual because it's a threat when viewed from a security perspective, and a desirable property of some privacy systems, for example, Goldberg's "Off the Record" messaging system. This is a useful demonstration of the tension that security design analysis must sometimes grapple with.

Elevation of privilege is often called escalation of privilege, or privilege escalation. They are synonymous.

See also

  • Attack tree – another approach to security threat modeling, stemming from dependency analysis
  • Cyber security and countermeasure
  • DREAD – a classification system for security threats
  • OWASP – an organization devoted to improving web application security through education
  • CIA also known as AIC[6][7] – another mnemonic for a security model to build security in IT systems

References

  1. ^ Kohnfelder, Loren; Garg, Praerit (April 1, 1999). "The threats to our products". Microsoft Interface. Retrieved 13 April 2021.
  2. ^ Shostack, Adam (27 August 2009). "The Threats To Our Products". Microsoft SDL Blog. Microsoft. Retrieved 18 August 2018.
  3. ^ "The STRIDE Threat Model". Microsoft. Microsoft.
  4. ^ Guzman, Aaron; Gupta, Aditya (2017). IoT Penetration Testing Cookbook: Identify Vulnerabilities and Secure your Smart Devices. Packt Publishing. pp. 34–35. ISBN 978-1-78728-517-0.
  5. ^ Shostack, Adam (2014). Threat Modeling: Designing for Security. Wiley. pp. 61–64. ISBN 978-1118809990.
  6. ^ "Key OT Cybersecurity Challenges: Availability, Integrity and Confidentiality". tripwire.com. Retrieved 2022-07-20.
  7. ^ "What is the CIA Triad? Definition, Explanation and Examples". WhatIs.com. Retrieved 2022-05-01.

External links