STRIDE Threat Modeling Method

What is STRIDE method and why is it important?

STRIDE Threat Modeling is one of the most effective tools, which helps security experts to deal with threats. STRIDE is an acronym abbreviation for the threats:

  • Spoofing identity;
  • Tampering with data;
  • Repudiation threats;
  • Information disclosure;
  • Denial of service;
  • Elevation of privileges.

It suggests the variants of defense options, possible attackers profiles and attack vectors. The tool helps not only to detect threats but also to highlight the most critical ones.

STRIDE vs. threats

Threat modeling helps to identify and get rid of potential vulnerabilities before the code is even written. It helps to locate potential risks, which can be done as soon as the primary design step.

The main use cases for STRIDE (the main threats, which gave the method its name) are the following:

  • Spoofing Identity. It occurs when an attacker puts on a semblance of someone else to commit fraud. Usually it is done by sending an ‘infected’ email from a disposable address, including a request of some specific data. When the innocent user provides the data in question, the fraudster uses it to achieve a new identity, either human or technical.
  • Tampering With Data. It happens when information or data undergo changes without authorization. The hacker takes over the system by editing a config file, inserting a malicious file or modifying the log.
  • Repudiation Threats. These take place when an attacker performs an illegal operation in the system and then denies involvement with it. In this case the system turns out unable to trace the malicious activity and detect and identify the attacker. In many cases those types of attacks are executed on en-mail systems.
  • Information Disclosure (also known as ‘Information leakage’). It happens when an application reveals data to unauthorized users by accident. It can affect the working process, data flow or data storage. Quite often it involves access to source code files through temporary backups, occasional reveal of personal information (like card numbers) or database information in error messages. This threat can appear due to public sharing of the internal content, insecure configurations or flawed error responses in the design.
  • Denial of Service (DoS). A very common issue (one of the most notorious was an attack against Google services), when the attacker prevents the users from accessing the resources which they need, negatively impacting the data flow, data storage, and the working process itself.
  • Elevation of Privileges. It happens when the user gains access to the information they should not be allowed to see.

Conclusion

STRIDE is used to detect threats at the design phase. The first step helps with identifying threats using a proactive process. The remaining threats are searched for at the system implementation phase. The purpose of the tool is to ensure the application meets the requirements of confidentiality, integrity and availability. Using it along with the model of the system or application allows the defense against each threat to be developed fast.

STRIDE can be used to detect threats to Cloud computing, as long as the system is open to vulnerabilities which do not have on-premises counterparts. STRIDE is used here to build defense for authentication, data protection, confirmation, confidentiality, availability and authorization. It is the first step on the path of building systems and applications and can act as a framework in ensuring secure design.

SmartState: Web3 security easier than ever

About SmartState

Launched in 2019 and based in Dubai, SmartState is one of the leading DeFi security auditing firms. We conduct security tests and check the code core, smart contracts and blockchain for all types of errors, vulnerabilities and other issues.

Although SmartState gave a start to operations with smart contract auditing of DLT-projects, from the very beginning, we made our services surpass the classic purview of smart contract audit and security testing. We specialize in manual testing, so the SmartState’s tech team of white-hat security professionals measure up a project’s git and offer guidelines and recommendations for its further advancement. Security audit reports review the threats and vulnerabilities with which codebases may be exploited in the future, as the network achieves scalability and expands to accommodate more use cases and functionality.

Stay tuned and find more about us and what we provide on our:

· Website

· Twitter

· LinkedIn

· Telegram

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
SmartState.tech

SmartState.tech

62 Followers

SmartState is an independent audit company for DLT projects. It performs smart contract audit and security reviews and provides reco for improvements.