STRIDE
STRIDE is Microsoft's threat classification system. Each letter represents a category of threat, and working through all six categories for every element of a system ensures comprehensive coverage.
The Six Categories
S - Spoofing: pretending to be someone or something else
- Threat: Attacker impersonates a user, system, or component
- Example: Phishing, IP spoofing, session hijacking, forged TLS certificates
- Mitigation: Authentication (multi-factor), certificate validation, digital signatures
- Property violated: Authentication
T - Tampering: modifying data or code without authorization
- Threat: Attacker changes data in transit or at rest
- Example: Man-in-the-middle modifying packets, SQL injection altering the database, file modification
- Mitigation: Integrity checks, hashing, digital signatures, access controls
- Property violated: Integrity
R - Repudiation: denying having performed an action
- Threat: User or attacker denies performing an action, and there is no way to prove otherwise
- Example: "I didn't send that email", "I didn't modify that file"
- Mitigation: Audit logging, digital signatures, non-repudiation mechanisms
- Property violated: Audit (non-repudiation)
I - Information Disclosure: exposing information to unauthorized parties
- Threat: Sensitive data visible to those who shouldn't see it
- Example: Database leak, unencrypted traffic, error messages revealing internals, source code exposure
- Mitigation: Encryption (at rest and in transit), access controls, input validation
- Property violated: Confidentiality
D - Denial of Service: denying service to legitimate users
- Threat: System becomes unavailable or degraded
- Example: DDoS, resource exhaustion, crash exploits, algorithmic complexity attacks
- Mitigation: Rate limiting, resource quotas, load balancing, redundancy
- Property violated: Availability
E - Elevation of Privilege: gaining higher access than authorized
- Threat: Regular user gains admin or system-level access
- Example: Buffer overflow leading to code execution, privilege escalation bug, broken access control
- Mitigation: Principle of least privilege, sandboxing, input validation, proper authorization
- Property violated: Authorization
Applying STRIDE per Element
For each component in your system diagram, ask all six questions. For example:
Element: Web API Server
S - Can someone spoof a request from a legitimate client?
T - Can an attacker tamper with request data?
R - Can a user deny sending a request?
I - Does the server leak sensitive data in responses?
D - Can an attacker overwhelm the API?
E - Can API access lead to server compromise?
STRIDE per Interaction
For each data flow, the primary threat categories differ with the kind of interaction:
| Interaction | Primary Threats |
|---|---|
| Process-to-Process | T, I, D |
| User-to-Process | S, R, E |
| External-to-Internal | S, T, I, D, E |
| Data Store Access | T, I |
| Data Flow Across Network | T, I |
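The per-element checklist and the per-interaction table above can be turned into a small enumerator that walks a data-flow diagram and lists which STRIDE letters to consider for every flow and every element. The script below is an added example, not part of the original notes: the element names, trust zones and flows are a constructed sample system, and the classification rules (a flow from an untrusted zone counts as External-to-Internal, a flow between zones counts as Data Flow Across Network) are this example's own assumptions about how to apply the table.

```python
"""Enumerate STRIDE threats per flow and per element from a tiny DFD.

Added example. The system below (user, web API, worker, database) is
constructed sample input, not a real deployment.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Letter -> (category, mitigations as listed in the six-category table).
STRIDE: Dict[str, tuple] = {
    "S": ("Spoofing", "authentication (MFA), certificate validation, signatures"),
    "T": ("Tampering", "integrity checks, hashing, signatures, access controls"),
    "R": ("Repudiation", "audit logging, digital signatures"),
    "I": ("Information Disclosure", "encryption at rest/in transit, access controls"),
    "D": ("Denial of Service", "rate limiting, quotas, load balancing, redundancy"),
    "E": ("Elevation of Privilege", "least privilege, sandboxing, authorization checks"),
}

# The "STRIDE per Interaction" table, keyed by interaction kind.
INTERACTION_THREATS: Dict[str, str] = {
    "process-to-process": "TID",
    "user-to-process": "SRE",
    "external-to-internal": "STIDE",
    "data-store-access": "TI",
    "network-flow": "TI",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "external" (user / third party), "process", or "datastore"
    zone: str   # trust zone label; "untrusted" marks the outside world


@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    description: str


def classify_flow(flow: Flow) -> Set[str]:
    """Return every interaction kind from the table that a flow matches.

    One flow may match several rows (a user in the untrusted zone calling an
    internal process is user-to-process AND external-to-internal AND a
    network flow); the caller unions their threat letters.
    """
    kinds: Set[str] = set()
    if flow.src.kind == "external" and flow.dst.kind == "process":
        kinds.add("user-to-process")
    if flow.src.kind == "process" and flow.dst.kind == "process":
        kinds.add("process-to-process")
    if "datastore" in (flow.src.kind, flow.dst.kind):
        kinds.add("data-store-access")
    if flow.src.zone != flow.dst.zone:
        kinds.add("network-flow")          # assumption: zone change == network hop
        if flow.src.zone == "untrusted":
            kinds.add("external-to-internal")
    return kinds


def threats_for_flow(flow: Flow) -> str:
    """Union of primary threat letters for a flow, in STRIDE order."""
    letters: Set[str] = set()
    for kind in classify_flow(flow):
        letters.update(INTERACTION_THREATS[kind])
    return "".join(ch for ch in "STRIDE" if ch in letters)


def element_exposure(flows: List[Flow]) -> Dict[str, str]:
    """Per-element view: an element inherits the threats of every flow it touches."""
    exposure: Dict[str, Set[str]] = {}
    for flow in flows:
        for element in (flow.src, flow.dst):
            exposure.setdefault(element.name, set()).update(threats_for_flow(flow))
    return {name: "".join(c for c in "STRIDE" if c in s) for name, s in exposure.items()}


# Constructed sample DFD: browser -> API -> worker/database.
USER = Element("Browser User", "external", "untrusted")
API = Element("Web API Server", "process", "dmz")
WORKER = Element("Order Worker", "process", "dmz")
DB = Element("Order Database", "datastore", "internal")
FLOWS = [
    Flow(USER, API, "HTTPS order request"),
    Flow(API, WORKER, "queued job"),
    Flow(API, DB, "read/write orders"),
    Flow(WORKER, DB, "update order status"),
]


def report(flows: List[Flow]) -> None:
    for flow in flows:
        print(f"{flow.src.name} -> {flow.dst.name} ({flow.description}): "
              f"{threats_for_flow(flow)}  [{', '.join(sorted(classify_flow(flow)))}]")
    print("\nPer-element exposure:")
    for name, letters in element_exposure(flows).items():
        mitigations = "; ".join(STRIDE[c][1] for c in letters)
        print(f"  {name}: {letters} -> {mitigations}")


if __name__ == "__main__":
    report(FLOWS)
```

The point of the union in classify_flow is that the table rows are not mutually exclusive: the browser-to-API flow in the sample lands in three rows and ends up with all six letters, while the API-to-database flow, which crosses a zone but only touches a data store, stays at T and I. The output is a checklist, not a ranking; prioritisation is the limitation discussed next.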
LIMITATION
STRIDE identifies threat types but doesn't prioritize them. A SQL injection (T/E) might be a showstopper, while a theoretical DNS spoof (S) against an internal service might be lower priority. Combine STRIDE with DREAD or CVSS for prioritization.