STRIDE is a model for identifying computer security threats developed by Praerit Garg and Loren Kohnfelder at Microsoft. It provides a mnemonic for security threats in six categories:

* Spoofing
* Tampering
* Repudiation
* Information disclosure (privacy breach or data leak)
* Denial of service
* Elevation of privilege

STRIDE was initially created as part of the process of threat modeling. It is a model of threats, used to help reason about and find threats to a system. It is used in conjunction with a model of the target system, which can be constructed in parallel and includes a full breakdown of processes, data stores, data flows, and trust boundaries. Today it is often used by security experts to help answer the question "what can go wrong in this system we're working on?" Each threat is a violation of a desirable property for a system:

* Spoofing – authenticity
* Tampering – integrity
* Repudiation – non-repudiability
* Information disclosure – confidentiality
* Denial of service – availability
* Elevation of privilege – authorization
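The following Python script is an added example of how STRIDE is applied to a system model; it is not code from the original article or from Microsoft. It builds a small data-flow diagram (external entities, processes, data stores, data flows and trust zones), then enumerates which STRIDE categories apply to each element and flags the flows that cross a trust boundary. The per-element chart (which categories apply to which kind of element) follows the commonly used Microsoft SDL "STRIDE-per-element" chart and is an assumption of this example, as is the constructed three-tier system it models.

```python
"""Added example: STRIDE-per-element enumeration over a small data-flow diagram.

Illustrative code, not a Microsoft tool. The per-element chart and the sample
system below are assumptions made for this example.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Tuple


class Kind(Enum):
    EXTERNAL = "external entity"
    PROCESS = "process"
    STORE = "data store"
    FLOW = "data flow"


# Each STRIDE category is the violation of one desired property.
PROPERTY: Dict[str, str] = {
    "Spoofing": "authenticity",
    "Tampering": "integrity",
    "Repudiation": "non-repudiability",
    "Information disclosure": "confidentiality",
    "Denial of service": "availability",
    "Elevation of privilege": "authorization",
}

# Assumed STRIDE-per-element chart: which categories are worth asking about for
# each element kind. Processes get all six; a data flow cannot itself be spoofed
# or escalated, it can only be altered, read or blocked.
APPLIES: Dict[Kind, List[str]] = {
    Kind.EXTERNAL: ["Spoofing", "Repudiation"],
    Kind.PROCESS: list(PROPERTY),
    Kind.STORE: ["Tampering", "Repudiation", "Information disclosure",
                 "Denial of service"],
    Kind.FLOW: ["Tampering", "Information disclosure", "Denial of service"],
}

Threat = Tuple[str, str, str]  # (target, STRIDE category, violated property)


@dataclass
class Element:
    name: str
    kind: Kind
    zone: str  # trust zone; a flow between different zones crosses a trust boundary


@dataclass
class Flow:
    name: str
    src: str
    dst: str


@dataclass
class Model:
    elements: Dict[str, Element] = field(default_factory=dict)
    flows: List[Flow] = field(default_factory=list)

    def add(self, name: str, kind: Kind, zone: str) -> None:
        self.elements[name] = Element(name, kind, zone)

    def connect(self, name: str, src: str, dst: str) -> None:
        if src not in self.elements or dst not in self.elements:
            raise KeyError(f"flow {name!r} references an unknown element")
        self.flows.append(Flow(name, src, dst))

    def crosses_boundary(self, flow: Flow) -> bool:
        return self.elements[flow.src].zone != self.elements[flow.dst].zone


def enumerate_threats(model: Model) -> List[Threat]:
    """Apply the per-element chart to every element and flow in the model."""
    found: List[Threat] = []
    for el in model.elements.values():
        found.extend((el.name, t, PROPERTY[t]) for t in APPLIES[el.kind])
    for fl in model.flows:
        found.extend((fl.name, t, PROPERTY[t]) for t in APPLIES[Kind.FLOW])
    return found


def boundary_crossing_threats(model: Model) -> List[Threat]:
    """Threats on flows that cross a trust boundary: the ones to triage first."""
    return [(fl.name, t, PROPERTY[t])
            for fl in model.flows if model.crosses_boundary(fl)
            for t in APPLIES[Kind.FLOW]]


def sample_model() -> Model:
    """Constructed three-tier example: untrusted browser, DMZ web app, internal DB."""
    m = Model()
    m.add("Browser", Kind.EXTERNAL, "internet")
    m.add("WebApp", Kind.PROCESS, "dmz")
    m.add("AuditLog", Kind.STORE, "dmz")
    m.add("OrdersDB", Kind.STORE, "internal")
    m.connect("HTTPS request", "Browser", "WebApp")  # internet -> dmz
    m.connect("log write", "WebApp", "AuditLog")     # same zone, no boundary
    m.connect("SQL query", "WebApp", "OrdersDB")     # dmz -> internal
    return m


if __name__ == "__main__":
    model = sample_model()
    crossing = {t[0] for t in boundary_crossing_threats(model)}
    for target, category, prop in enumerate_threats(model):
        flag = "*" if target in crossing else " "
        print(f"{flag} {target:14} {category:24} violates {prop}")
```

Running the script lists 25 candidate threats for the sample system; the six marked with `*` sit on the two flows that cross a trust boundary. The output is a checklist of questions ("can the browser be spoofed?", "can the SQL flow be tampered with?"), not a list of vulnerabilities; each line still has to be answered against the real design, and categories that do not apply to an element are deliberately never asked.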


Notes on the threats

Repudiation is unusual because it is a threat when viewed from a security perspective, yet a desirable property of some privacy systems; for example, Goldberg's "Off the Record" (OTR) messaging protocol deliberately provides deniability, so that a participant can later repudiate having sent a message. This is a useful demonstration of the tension that security design analysis must sometimes grapple with: the same behaviour is a threat in one system and a requirement in another. Elevation of privilege is often called escalation of privilege, or privilege escalation; the terms are synonymous.


See also

* Attack tree – another approach to security threat modeling, stemming from dependency analysis
* Cyber security and countermeasure
* DREAD (risk assessment model) – a mnemonic, formerly used at Microsoft, for rating the risk of security threats
* OWASP – an organization devoted to improving web application security through education
* CIA triad (confidentiality, integrity, availability), also known as AIC – another mnemonic for a security model used to build security into IT systems


External links


Uncover Security Design Flaws Using The STRIDE Approach