- What is STRIDE Threat Modeling?
- What are the Six STRIDE Threat Types (Also Known as Components or Elements)
- When Should I use STRIDE Threat Modeling?
- How Often Should I STRIDE Threat Model?
- What Tools Can I use for STRIDE Threat Modeling?
- What are the Major Steps in Performing STRIDE Threat Modeling
- Can STRIDE Threat Modeling be used in DevOps
- What are Alternatives to STRIDE Threat Modeling
- When Am I Finished with STRIDE Threat Modeling?
- Should I Develop Countermeasures or Security Requirements as part of STRIDE Threat Modeling?
- Concluding STRIDE Threat Modeling Frequently Asked Questions and Answers
In this article, I’ll provide STRIDE threat modeling frequently asked questions and answers.
What is STRIDE Threat Modeling?
STRIDE threat modeling is a threat modeling method. It provides a way of working to perform threat modeling, primarily by classifying threat types and creating Data Flow Diagrams for an overall understanding of the application or IT system in scope (of threat modeling). If you’re new to threat modeling in general, check my what is threat modeling page.
STRIDE is a mnemonic of six types of security threats. Each letter of STRIDE stands for one of the six types of security threats:
- Spoofing
- Tampering
- Repudiation
- Information Disclosure
- Denial of Service
- Elevation of Privilege
STRIDE was developed at Microsoft to help secure their software and software development processes.
New to STRIDE threat modeling? Check these links:
- STRIDE Threat Modeling Example for Better Understanding and Learning
- The Ultimate List of STRIDE Threat Examples
- STRIDE Threat Modeling
What are the Six STRIDE Threat Types (Also Known as Components or Elements)
Spoofing
Spoofing is a type of threat whereby an attacker maliciously impersonates (or pretends to be) a different user (or system). You can also use Spoofing more loosely during STRIDE threat modeling to classify threats related to users and access rights.
Tampering
Tampering is a type of threat whereby an attacker maliciously modifies data. You can also use Tampering more loosely during STRIDE threat modeling to classify threats related to the security of data.
Repudiation
Repudiation relates to the ability to prove or disprove that an action or activity was performed by a specific user (or not). Repudiation is thus a type of threat whereby an attacker denies having performed a malicious action.
Information Disclosure
Information Disclosure is a type of threat whereby the attacker gains access to information that should be confidential or secret (and not available to an attacker).
Denial of Service
Denial of Service is a type of threat whereby an attacker will prevent a system (or application) from working for valid users. This is often achieved by overloading a system with fake requests so that no time or resources remain for legitimate users.
Elevation of Privilege
Elevation of Privilege is a type of threat whereby an attacker will elevate their current level of access privilege. This can include elevating access privileges where an attacker has no privileges at all (i.e., not a user) or elevating access privileges where an attacker already has ‘some’ privileges (i.e., a basic user).
When Should I use STRIDE Threat Modeling?
You should use STRIDE threat modeling as early as possible in the development process (also known as the Software Development Lifecycle).
But you can use STRIDE at any time, even if you didn’t start with threat modeling at an early stage.
Here are some guidelines related to when and how often you should use STRIDE threat modeling within your software development process:
- Start with STRIDE threat modeling as early as possible, preferably in the earliest development and requirement-gathering stage.
- If you haven’t started at the earliest stage, that’s OK. You can still start STRIDE threat modeling at any time (even if your application or IT system has been in use for many years already).
How Often Should I STRIDE Threat Model?
Performing STRIDE threat modeling once will provide you and your team with a lot of added security value. You will gain insight that you previously did not have regarding potential threats to your application or IT system.
However, you should not stop performing (STRIDE) threat modeling after the first instance. You should perform it periodically and upon major changes to your application or IT system.
By performing STRIDE periodically, you keep the team refreshed and up to date regarding the security of your application or IT system.
By performing STRIDE upon major changes, you ensure that each change is assessed for potential impact to the security of your application or IT system.
What Tools Can I use for STRIDE Threat Modeling?
You can perform STRIDE threat modeling without tooling, by using just white-boarding techniques or using an online note-taking application.
If you’d like an example, see my article STRIDE threat modeling example. You can see that no tooling is used to work on this STRIDE threat model.
Microsoft does have a tool – the Microsoft Threat Modeling tool. This tool can be used to perform STRIDE threat modeling. Note that it is not actively developed and improved upon by Microsoft. But it’s a great starting point if you really wish to use tooling for STRIDE threat modeling.
What are the Major Steps in Performing STRIDE Threat Modeling
The specific steps involved in STRIDE threat modeling vary. But generally the following is required:
- Gain an initial understanding of the application / IT-system way of working (think about the architecture, security services consumed, the purpose of the application, etc.).
- Create a Data Flow Diagram that depicts the main components of the application or IT system, the data flows involved, and the main legitimate users.
- For each important component, think about threats that may apply to them, and classify these according to STRIDE.
- Verify that all STRIDE threat types have been reviewed sufficiently.
Can STRIDE Threat Modeling be used in DevOps
Yes! STRIDE threat modeling and the DevOps way of working are a great fit. STRIDE provides DevOps teams with a method to think about security, and to think about potential threats proactively and independently without security experts.
DevOps provides continuous development and operational activities on an application or IT system. This continuous development and operational work mean that potential (new) threats are introduced. These new potential changes and threats should be analyzed using STRIDE threat modeling.
What are Alternatives to STRIDE Threat Modeling
There are many methods of threat modeling and many ways in which to analyze potential threats or potentially bad things that can happen within an application or IT system.
A few examples are:
- PASTA threat modeling: Very similar to STRIDE in terms of objectives and overall outcomes, PASTA is a lot more detailed and prescriptive than STRIDE.
- TRIKE threat modeling: This is a threat modeling method that does not have much traction anymore, and is not used widely within the industry.
- CAPEC threat modeling: This threat modeling method is concentrated on the identification of threats in the wild, whereas STRIDE does not take this into account.
Note that the above alternatives are not exactly the same as STRIDE. There are differences in the way they are used and applied and are not quite the same thing. So even though these are all threat modeling methods, they have fundamental differences.
When Am I Finished with STRIDE Threat Modeling?
You can finish your STRIDE threat modeling once you believe that you have identified as many threats as are relevant to your application or IT system.
There is no definitive or fixed number of threats that indicate that you have finished.
Furthermore, you should only finish STRIDE for now. Meaning, STRIDE threat modeling should be a continuous process as part of your software development lifecycle.
Should I Develop Countermeasures or Security Requirements as part of STRIDE Threat Modeling?
Whether you include countermeasures or security requirements, in response to newly identified threats, as part of your STRIDE threat modeling, is up to you.
Remember, that identifying threats is not a goal in itself, the goal is to make your application or IT system more secure. Therefore you should develop countermeasures and security requirements.
But, you could develop countermeasures and security requirements separately, after threat modeling.
Concluding STRIDE Threat Modeling Frequently Asked Questions and Answers
STRIDE threat modeling is a well-known threat modeling method. Many people have questions about what STRIDE is, and how it can be applied. The above questions represent the most commonly asked questions from the industry.