Today’s cyber attackers are becoming ever more inventive in the way they achieve big bang cyber attacks, using tactics such as hacking suppliers in order to gain access to their customers, or compromising vulnerabilities inside an application’s code in order to attack an organisation.

As a result, developers need to be more threat conscious than ever when creating their applications and products. But with so many new and emerging threats, how can they be sure they’ve thought of everything?

That’s where a framework such as STRIDE threat modelling can help. STRIDE threat modelling supports developers and organisations to identify cybersecurity threats to their application, prioritise them based on impact and likelihood, and build mitigation into their secure software development lifecycle (SSDLC).

What is STRIDE threat modelling?

STRIDE threat modelling is a developer focussed threat modelling method based on six common threats that target software. STRIDE is an acronym for each of the threat categories it deals with: Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service, and Elevation of privilege.

The STRIDE threat model was created in 1999 by security researchers at Microsoft. While STRIDE threat modelling is useful for organisations on its own, is also forms part of a wider methodology that provides security teams with a practical framework for identifying threats and dealing with them by defining security requirements, creating an application diagram, identifying threats, mitigating threats, and validating that threats have been mitigated.

The six threat groups considered in the STRIDE threat modelling framework focus on different elements of security within an application, encouraging developers to think about the threats that could impact every part of an application or system, and the ways that they can protect against them right from the start of the development process.

The six elements of STRIDE threat modelling are:

Spoofing

A spoofing attack is when attackers disguise their identity to successfully impersonate a trusted source and gain access to important data or information from a user. Spoofing often uses social engineering to convince users to give information such as usernames and passwords. Once they have the information, attackers will use it to gain access to the application and from there infect the network.

Spoofing attacks include cookie replay attacks, session hijacking, and cross site request forgery (CSRF) attacks.

Since spoofing is an attack on user authentication, the best form of prevention is to implement secure user authentication methods, including both secure password requirements and multi-factor authentication (MFA).

Tampering

Tampering involves the deliberate modification of a system in order to change its behaviour. Attackers will try to compromise applications by tampering target parameters or code in order to modify application data such as user credentials and permissions, or other crucial items in the application.

Tampering attacks such as Cross Site Scripting (XSS) and SQL injection damage the integrity of the application. In order to protect against tampering, the application should be designed to validate user inputs, and encode outputs. Static code analysis should be used to identify vulnerabilities to tampering in the application both during the development stage and once the application is in production.

Repudiation

A repudiation attack is an attack on the validity and integrity of actions on the application. Repudiation attacks take advantage of a lack of controls which properly track and log user actions, using this lack to manipulate or forge the identification of new, non-authorised actions, delete logs or log the wrong data to log files, and deny actions or receipt of service (for example, committing fraud).

Developers can build non-repudiation, or the assurance that someone can’t deny the validity of an action, by incorporating digital signatures in the application which provide proof of actions, or by ensuring that there are full, tamper-proof logs in place.

Information disclosure

Information disclosure is when the application unintentionally reveals information about the application that can be used by attackers to compromise the system.

Information disclosure can come from developer comments that are left in the application, source code that provides parameter information, or error messages that contain too many details, revealing data about users, sensitive commercial or business data, and technical details about the application and its infrastructure.

This information can then be used by attackers to force access to the application gathering information about customers, which can be used in further crime, or to gain privileges which in turn will give access to more sensitive areas of the application.

Developers are at the heart of preventing information disclosure vulnerabilities on the application:

Error messages, response headers, and background information should be as generic as possible to avoid revealing clues about the application’s behaviour.
Proper access controls and authorisations should be in place to prevent unauthorised access to information.
The application itself should be checked over from a user perspective to validate that developer comments and other information is not revealed in the production environment.

Denial of service

Denial of service (DoS) attacks flood the target with traffic, triggering a crash, and shutting it down to legitimate traffic. DoS attacks typically cost time and money, but do not cause other damage to their victims. The most common form of DoS attack is a buffer overflow attack which simply sends too much traffic to the application. Other attacks exploit vulnerabilities to cause systems to crash.

DoS attacks can target both the network layer or the application layer. Applications can be protected against DoS attacks by configuring firewalls to block traffic from certain sources such as reserved, loopback, or private IP addresses, or unassigned DCHPDHCP clients, or introducing rate limiting to manage traffic.

Escalation of privilege

Privilege escalation attacks exploit vulnerabilities and misconfigurations in the application to gain illicit access to elevated or privileged rights. Privilege escalation attacks may exploit credential and authentication processes, compromise vulnerabilities in code and design, take advantage of misconfigurations, or use malware or social engineering to gain access.

Protection against escalation of privilege should be built into the application at the development stage. This includes managing the identity lifecycle, enforcing the principle of least privilege for all users, hardening systems and applications through configuration changes, removing unnecessary rights and access, closing ports, and more.

The benefits of STRIDE threat modelling

Get ahead of vulnerabilities at an early stage

Many of the accepted ways of identifying vulnerabilities (static code analysis, penetration testing, bug bounties, and so on) come into play once all or most of the application has been developed. However, it’s cheaper and easier to fix flaws during the development cycle than it is once the vulnerabilities are in the live product.

STRIDE threat modelling is a development-centric method of assessing the threats that may impact on an application. STRIDE can be used to form a checklist for a secure software development lifecycle, supporting developers to identify potential weaknesses early on when they are cheaper and easier to mitigate or remediate.

Take a security first approach

STRIDE threat modelling is built around threats encouraging developers to think about how each of the threats under consideration could attack different parts of the application. Furthermore, it challenges assumptions, making developers and information security teams question their assumptions, and test them for validity and security.

The outcomes of a STRIDE threat modelling exercise can be combined with the DREAD risk assessment model (Damage potential, Reproducibility, Exploitability, Affected users, Discoverability) to assess the impact of each risk, and prioritise vulnerabilities for remediation.

STRIDE threat modelling can be carried out over and over again

STRIDE threat modelling is never over.

STRIDE threat modelling is a framework that allows for threat modelling exercises at regular intervals to enable security teams to keep on top of the rapidly evolving threat landscape, and ensure that the protections in place are able to withstand both older and newer threats.

STRIDE threat modelling is part of a wider cybersecurity programme

Creating secure applications and systems and protecting them requires a multi-faceted cybersecurity risk management programme that incorporates infrastructure protections and other activities such as testing the security of applications and systems regularly with penetration tests.

STRIDE threat modelling provides one of these facets, supporting developers to incorporate secure development practices when developing applications and systems. STRIDE threat modelling alone will not secure your application, but it will provide a strong foundation from the very start of the process.

Stay safe

Cookie	Duration	Description
_GRECAPTCHA	5 months 27 days	This cookie is set by Google. In addition to certain standard Google cookies, reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
elementor	never	This cookie is used by the website's WordPress theme. It allows the website owner to implement or change the website's content in real-time.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gat_UA-176747747-1	1 minute	This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
CONSENT	16 years 5 months	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

STRIDE Threat Modelling: Six Steps to a Secure Application

What is STRIDE threat modelling?

Spoofing

Tampering

Repudiation

Information disclosure

Denial of service

Escalation of privilege

The benefits of STRIDE threat modelling

Recent Posts

How to build a cybersecurity strategy for startups

ISO 27001 vs SOC 2 – Which is better for your organisation?

Encryption of data in use: A new standard in data protection

What is HIPAA Compliance for Startups?

Benefits of ISO 27001: Why you need a cybersecurity framework

Are you the weakest link? How to prevent software supply chain attacks

Services

Location & Contact Details

Stay Connected