STRIDE model
STRIDE is a model of threats developed by Microsoft[1] for identifying computer security threats.[2] It provides a mnemonic for security threats in six categories.[3]
The threats are:
- Spoofing of user identity
- Tampering
- Repudiation
- Information disclosure (privacy breach or data leak)
- Denial of service (DoS)
- Elevation of privilege
STRIDE was initially created as part of the process of threat modelling. It is a model of threats, used to help reason about and find threats to a system. It is used in conjunction with a model of the target system, which can be constructed in parallel and includes a full breakdown of processes, data stores, data flows and trust boundaries.[4]
Today it is often used by security experts to help answer the question "what can go wrong in this system we're working on?"
Each threat is a violation of a desirable property for a system:
Threat | Desired property |
---|---|
Spoofing | Authenticity |
Tampering | Integrity |
Repudiation | Non-repudiability |
Information disclosure | Confidentiality |
Denial of Service | Availability |
Elevation of Privilege | Authorization |
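The following added example (not from the original article or from Microsoft) shows how the six categories are walked over a model of processes, data stores, data flows and trust boundaries to produce a review list, each row tagged with the desired property from the table above. The applicability chart (`APPLIES`), the element names and the trust zones are assumptions: the chart follows the commonly used "STRIDE-per-element" convention, and the sample system is constructed.

```python
from dataclasses import dataclass

# Threat -> desired property, as in the table above.
PROPERTY = {
    "Spoofing": "Authenticity",
    "Tampering": "Integrity",
    "Repudiation": "Non-repudiability",
    "Information disclosure": "Confidentiality",
    "Denial of service": "Availability",
    "Elevation of privilege": "Authorization",
}
S, T, R, I, D, E = PROPERTY  # keys unpack in STRIDE order

# Assumption: the usual STRIDE-per-element chart (not stated in the article).
# Repudiation on a data store matters mainly when the store holds logs.
APPLIES = {
    "external": [S, R],
    "process": [S, T, R, I, D, E],
    "store": [T, R, I, D],
    "flow": [T, I, D],
}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # "external", "process" or "store"
    zone: str  # trust zone; a trust boundary lies between different zones

def enumerate_threats(elements, flows):
    """Return (target, threat, property, crosses_boundary) rows to review."""
    by_name = {e.name: e for e in elements}
    rows = []
    for e in elements:
        rows += [(e.name, t, PROPERTY[t], False) for t in APPLIES[e.kind]]
    for src, dst in flows:
        crosses = by_name[src].zone != by_name[dst].zone
        rows += [(f"{src} -> {dst}", t, PROPERTY[t], crosses) for t in APPLIES["flow"]]
    # Stable sort: flows that cross a trust boundary are listed first.
    return sorted(rows, key=lambda r: not r[3])

# Constructed sample model: a browser, two services in a DMZ, an internal database.
ELEMENTS = [
    Element("Browser", "external", "internet"),
    Element("Web app", "process", "dmz"),
    Element("Auth service", "process", "dmz"),
    Element("Orders DB", "store", "internal"),
]
FLOWS = [("Browser", "Web app"), ("Web app", "Auth service"), ("Web app", "Orders DB")]

if __name__ == "__main__":
    for row in enumerate_threats(ELEMENTS, FLOWS):
        print(row)
```

Each row is a prompt for the question "what can go wrong here?", not a finding; the reviewer decides whether the threat is realistic and which control protects the named property.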
Notes on the threats
Repudiation is interesting because it's a threat when viewed from a security perspective, and a desirable property of some privacy systems, for example, Goldberg's "Off the Record" messaging system.
Elevation of Privilege is often called escalation of privilege, or privilege escalation. They are synonymous.
See also
- Attack tree – another approach to security threat modeling, stemming from dependency analysis
- Cyber security and countermeasure
- DREAD (risk assessment model) – another mnemonic for security threats
- OWASP
References
- Shostack, Adam. "The Threats To Our Products". Microsoft SDL Blog. Microsoft. Retrieved 18 August 2018.
- Kohnfelder, Loren; Garg, Praerit (April 1, 1999). "The threats to our products". Microsoft Interface. Retrieved 18 August 2018.
- "The STRIDE Threat Model". Microsoft.
- Shostack (2014). Threat Modeling: Designing for Security. Wiley. pp. 61–64. ISBN 978-1118809990.