STRIDE Model

STRIDE is a model for identifying computer security threats, developed by Praerit Garg and Loren Kohnfelder at Microsoft. It provides a mnemonic for security threats in six categories:

* Spoofing
* Tampering
* Repudiation
* Information disclosure (privacy breach or data leak)
* Denial of service
* Elevation of privilege

STRIDE was initially created as part of the process of threat modeling. It is a model of threats, used to help reason about and find threats to a system. It is used in conjunction with a model of the target system that can be constructed in parallel; this includes a full breakdown of processes, data stores, data flows, and trust boundaries. Today it is often used by security experts to help answer the question "what can go wrong in this system we're working on?" Each threat is a violation of a desirable property for a system:

* Spoofing violates authenticity: pretending to be something or someone other than yourself.
* Tampering violates integrity: modifying something on disk, on the network, in memory, or elsewhere.
* Repudiation violates non-repudiability: claiming that you did not do something, or were not responsible; the claim can be honest or false.
* Information disclosure violates confidentiality: someone obtaining information they are not authorized to access.
* Denial of service violates availability: exhausting the resources needed to provide service.
* Elevation of privilege violates authorization: allowing someone to do something they are not authorized to do.
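The walk over processes, data stores, data flows and trust boundaries described above is mechanical enough to script. The following Python is an added example, not code from the article or from Microsoft. It applies the STRIDE-per-element heuristic (an assumed chart, widely used in SDL-style threat modeling, in which each kind of data-flow-diagram element is exposed to a fixed subset of the six categories; it is not part of STRIDE itself) to a constructed three-element model and lists threats on flows that cross a trust boundary first.

```python
"""STRIDE-per-element enumeration over a small data-flow model."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The six STRIDE categories, each paired with the system property it violates.
STRIDE: Dict[str, str] = {
    "Spoofing": "Authenticity",
    "Tampering": "Integrity",
    "Repudiation": "Non-repudiation",
    "Information disclosure": "Confidentiality",
    "Denial of service": "Availability",
    "Elevation of privilege": "Authorization",
}

# STRIDE-per-element chart: which categories are considered for each kind of
# data-flow-diagram element. Assumption: this is the chart commonly used in
# SDL-style threat modeling; it is a heuristic, not part of STRIDE itself.
PER_ELEMENT: Dict[str, Tuple[str, ...]] = {
    "external_entity": ("Spoofing", "Repudiation"),
    "process": tuple(STRIDE),
    "data_flow": ("Tampering", "Information disclosure", "Denial of service"),
    "data_store": ("Tampering", "Repudiation", "Information disclosure",
                   "Denial of service"),
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str        # "external_entity", "process" or "data_store"
    trust_zone: str  # label of the trust boundary the element sits inside


@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element

    def crosses_boundary(self) -> bool:
        # A flow between different trust zones crosses a trust boundary; the
        # threats enumerated on it usually deserve the first look.
        return self.src.trust_zone != self.dst.trust_zone


@dataclass(frozen=True)
class Threat:
    target: str
    category: str
    violated_property: str
    crosses_boundary: bool


def enumerate_threats(elements: List[Element], flows: List[Flow]) -> List[Threat]:
    """Apply the per-element chart to every element and flow in the model."""
    threats: List[Threat] = []
    for el in elements:
        for cat in PER_ELEMENT[el.kind]:
            threats.append(Threat(el.name, cat, STRIDE[cat], False))
    for fl in flows:
        for cat in PER_ELEMENT["data_flow"]:
            threats.append(Threat(fl.name, cat, STRIDE[cat], fl.crosses_boundary()))
    return threats


def prioritised(threats: List[Threat]) -> List[Threat]:
    """Boundary-crossing threats first, then STRIDE order, then target name."""
    order = {cat: i for i, cat in enumerate(STRIDE)}
    return sorted(threats,
                  key=lambda t: (not t.crosses_boundary, order[t.category], t.target))


def build_sample_model() -> Tuple[List[Element], List[Flow]]:
    """Constructed three-element model: browser -> web app -> user database."""
    browser = Element("Browser", "external_entity", "internet")
    webapp = Element("Web app", "process", "dmz")
    userdb = Element("User DB", "data_store", "internal")
    flows = [
        Flow("HTTP request", browser, webapp),  # crosses internet -> dmz
        Flow("SQL query", webapp, userdb),      # crosses dmz -> internal
    ]
    return [browser, webapp, userdb], flows


if __name__ == "__main__":
    elems, fls = build_sample_model()
    for t in prioritised(enumerate_threats(elems, fls)):
        flag = "*" if t.crosses_boundary else " "
        print(f"{flag} {t.target:<12} {t.category:<23} violates {t.violated_property}")
```

The output is only a checklist of candidate threats per element; deciding which ones are real and how to mitigate them still needs the system model and the people who built it, which is the part of threat modeling STRIDE does not automate.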


Notes on the threats

Repudiation is unusual because it is a threat when viewed from a security perspective but a desirable property of some privacy systems, for example Goldberg's Off-the-Record (OTR) messaging protocol, which is deliberately designed so that participants can later deny having sent a message. This is a useful demonstration of the tension that security design analysis must sometimes grapple with: whether non-repudiation is a requirement or a liability depends on the system and its users. Elevation of privilege is often called escalation of privilege, or privilege escalation; the terms are synonymous.


See also

* Attack tree – another approach to security threat modeling, stemming from dependency analysis
* Cyber security and countermeasure
* DREAD – a classification system for security threats
* OWASP – an organization devoted to improving web application security through education
* CIA triad (confidentiality, integrity, availability), also known as AIC – another mnemonic for a security model used to build security into IT systems


External links


Uncover Security Design Flaws Using The STRIDE Approach