STRIDE
STRIDE is a methodology developed by Microsoft for characterizing threats and vulnerabilities.
- useful in SDLC to identify vulnerabilities
Components
- Spoofing
- can the identity of the entity using the application be obscured?
- Does the user have the capability to appear as a different user?
- Tampering
- Does the app allow a user to make unauthorized modifications to data
- affect integrity
- Repudiation
- Is the user capable of denying they took part in a transaction
- Does app track and log user actions
- Information disclosure
- Does app disclose info
- Denial of service
- Is there way to shutdown app through unauthorized means
- Elevation of privilege
- Can a user change their level of permissions
Resources
- Microsoft STRIDE
- Applying STRIDE
- Microsoft Threat Modeling Tool
- applies STRIDE automatically