STRIDE and the SSDLC – Helping you Design & set (Trust) Boundaries.
The STRIDE model is a way to sort and understand the different types of security threats an app or service faces. Security teams usually bring STRIDE into play during the design phase of the Secure Software Development Lifecycle (SSDLC) so they can spot weak points early and work out how to defend against them.
To make it even more effective, teams often pair STRIDE with Data Flow Diagrams (DFDs) and the idea of Trust Boundaries. Together, these tools help map out how parts of the app interact, highlight where things could go wrong, and suggest fixes before attackers get a chance to exploit those gaps.
Security Threats Categories in STRIDE
STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) was developed by Praerit Garg and Loren Kohnfelder at Microsoft. It categorizes computer security threats using a mnemonic for those six categories, and it informs protection efforts by aligning each threat type with a core principle of information security, which makes early identification and mitigation of vulnerabilities easier.
Let's dive into the six specific categories:
| Category | Description of Threat |
|---|---|
| Spoofing | Involves illegally accessing and then using another user's authentication information, such as a username and password. |
| Tampering | Involves the malicious modification of data. Examples include unauthorized changes to persistent data (like data held in a database) or the alteration of data flowing between two computers over an open network, such as the Internet. |
| Repudiation | Associated with users who deny performing an action when other parties have no way to prove otherwise. For instance, a user performs an illegal operation in a system that lacks the ability to trace the prohibited actions. |
| Information Disclosure | Involves the exposure of information to individuals who are not supposed to have access to it. Examples include the ability of users to read a file they were not granted access to, or an intruder reading data in transit between two computers. |
| Denial of Service (DoS) | These attacks deny service to valid users, for example, by making a Web server temporarily unavailable or unusable. Protection against certain types of DoS threats is necessary to improve system availability and reliability. |
| Elevation of Privilege | Occurs when an unprivileged user gains privileged access, allowing them sufficient access to compromise or destroy the entire system. This includes situations where an attacker has penetrated all system defenses and effectively become part of the trusted system itself. |
Using STRIDE to Help Inform Protection Efforts
The STRIDE model helps inform protection efforts by framing security conversations and aligning threats with fundamental security principles.
Mapping to Core Security Principles:
Each STRIDE category corresponds to a core principle of information security, helping developers understand which security goals are threatened:
- Spoofing relates to Authenticity.
- Tampering relates to Integrity.
- Repudiation relates to Non-repudiability.
- Information Disclosure relates to Confidentiality.
- Denial of Service relates to Availability.
- Elevation of Privilege relates to Authorization.
Early Identification and Mitigation: STRIDE modeling anticipates threats to the target system and is a core element of the Microsoft Security Development Lifecycle. Using this model, software architects can identify and mitigate potential security issues early in the development process. Resolving these issues when they are relatively easy and cost-effective to fix significantly reduces the total cost of development.
System Modeling and Threat Anticipation: STRIDE builds upon an overarching model of the system, which may include a full breakdown of processes, data stores, data flows, and trust boundaries. This model simplifies overall security discussions and helps teams formulate pointed questions about vulnerabilities, such as "How can an attacker change the authentication data?" or "What happens if access is denied to the user profile database?" The related concept of Non-Repudiation refers to the ability of a system to counter repudiation threats; for instance, requiring a user to sign for an item upon receipt provides evidence that they received the package.
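The following script is an added example written for this article, not code from the original page or from Microsoft's SDL tooling. It builds a small data-flow diagram (an external entity, a process, two data stores, three flows, each placed in a named trust boundary), enumerates the STRIDE categories that apply to each element, flags the flows that cross a trust boundary, and turns those flows into the kind of pointed question described above. The element-to-category mapping it uses is the common "STRIDE-per-element" convention (external entities: S, R; processes: all six; data stores: T, R, I, D; data flows: T, I, D); that mapping and the sample system are assumptions, not part of the original text.

```python
"""
Added example (not from the original article): a minimal STRIDE-per-element
enumerator over a hand-built data-flow diagram (DFD) with trust boundaries.

Assumptions: the element-to-category mapping below is the common
"STRIDE-per-element" convention; the sample system (browser, profile API,
session cache, profile database) is constructed for illustration.
"""
from dataclasses import dataclass, field

# STRIDE categories and the core security property each one threatens.
STRIDE = {
    "S": ("Spoofing", "Authenticity"),
    "T": ("Tampering", "Integrity"),
    "R": ("Repudiation", "Non-repudiability"),
    "I": ("Information Disclosure", "Confidentiality"),
    "D": ("Denial of Service", "Availability"),
    "E": ("Elevation of Privilege", "Authorization"),
}

# STRIDE-per-element: which categories apply to which DFD element kind.
# (Assumed convention; the original article does not define this table.)
PER_ELEMENT = {
    "external": "SR",
    "process": "STRIDE",
    "store": "TRID",
    "flow": "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str       # external | process | store
    boundary: str   # trust boundary the element lives in


@dataclass(frozen=True)
class Flow:
    name: str
    src: str
    dst: str


@dataclass
class Dfd:
    elements: dict = field(default_factory=dict)
    flows: list = field(default_factory=list)

    def add(self, name, kind, boundary):
        self.elements[name] = Element(name, kind, boundary)

    def connect(self, name, src, dst):
        self.flows.append(Flow(name, src, dst))

    def crosses_boundary(self, flow):
        # A flow whose endpoints sit in different trust boundaries is the
        # place where untrusted input meets trusted code or data.
        return self.elements[flow.src].boundary != self.elements[flow.dst].boundary


def enumerate_threats(dfd):
    """Return (target, category, threatened property, crosses_boundary) tuples."""
    findings = []
    for el in dfd.elements.values():
        for c in PER_ELEMENT[el.kind]:
            findings.append((el.name, STRIDE[c][0], STRIDE[c][1], False))
    for fl in dfd.flows:
        crossing = dfd.crosses_boundary(fl)
        for c in PER_ELEMENT["flow"]:
            findings.append((fl.name, STRIDE[c][0], STRIDE[c][1], crossing))
    return findings


def boundary_crossing_flows(dfd):
    return [f.name for f in dfd.flows if dfd.crosses_boundary(f)]


def pointed_questions(dfd):
    """Turn each boundary-crossing flow into one question per applicable category."""
    prompts = {
        "T": "How could an attacker alter '{f}' in transit from {s} to {d}?",
        "I": "Who can read '{f}' while it travels from {s} to {d}?",
        "D": "What happens to {d} if '{f}' is flooded or never arrives?",
    }
    out = []
    for fl in dfd.flows:
        if not dfd.crosses_boundary(fl):
            continue
        for c in PER_ELEMENT["flow"]:
            out.append(prompts[c].format(f=fl.name, s=fl.src, d=fl.dst))
    return out


def build_sample():
    """Constructed sample system: three trust boundaries, three data flows."""
    d = Dfd()
    d.add("Browser", "external", "internet")
    d.add("Profile API", "process", "dmz")
    d.add("Session cache", "store", "dmz")
    d.add("Profile DB", "store", "internal")
    d.connect("login request", "Browser", "Profile API")     # crosses internet -> dmz
    d.connect("session lookup", "Profile API", "Session cache")  # stays inside dmz
    d.connect("profile query", "Profile API", "Profile DB")  # crosses dmz -> internal
    return d


if __name__ == "__main__":
    dfd = build_sample()
    for target, cat, prop, crossing in enumerate_threats(dfd):
        flag = "  [crosses trust boundary]" if crossing else ""
        print(f"{target:15} {cat:24} threatens {prop}{flag}")
    print("\nQuestions for the design review:")
    for q in pointed_questions(dfd):
        print(" -", q)
```

Running it lists 25 candidate threats for the sample and six review questions, all attached to the two flows that cross a trust boundary; the in-boundary "session lookup" flow still gets its T, I, D entries but is not promoted to a question, which is the prioritization the trust-boundary idea is meant to give you.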
In short, the STRIDE model acts as a blueprint for security design, much like the diagnostic checklist a mechanic works through before repairing an engine: by systematically examining the six categories (S, T, R, I, D, E), developers can isolate which fundamental security properties (Authenticity, Integrity, Confidentiality, etc.) are at risk and prioritize solutions before the system is finalized.