Skip to content

STRIDE

STRIDE

A Security Threat Modeling Framework

1. Overview: A Threat Modeling Technique That Embeds Security by Identifying 6 Threat Categories at Design Time, STRIDE

    flowchart LR
    A["Security vulnerabilities<br/>discovered after design<br/>High remediation cost"] --"STRIDE threat analysis<br/>at design time"--> B["Systematic identification<br/>and response to 6 threat types"] --"Reflect security<br/>requirements in the design"--> C["Secure by Design<br/>security embedded from the start"]

    style A fill:#FFEBEE,stroke:#D32F2F,color:#000
    style B fill:#E3F2FD,stroke:#1976D2,color:#000
    style C fill:#E8F5E9,stroke:#388E3C,color:#000
  

Definition: A threat modeling technique developed by Microsoft that classifies possible security threats to a software system into six categories — Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege — and systematically identifies and mitigates them from the design stage onward.

Characteristics: (Shift-left security) Identifying threats at the design stage is more cost-effective than fixing vulnerabilities after development. (DFD-based analysis) Combined with a Data Flow Diagram (DFD), it uses system boundaries, components, and data flows as the basis for analysis. (Complementary use) Can be used alongside other threat modeling methodologies such as DREAD, PASTA, and TRIKE.


2. Core Structure of STRIDE

A. The 6 STRIDE Threat Categories

    flowchart TD
    subgraph R1[" "]
        direction LR
        S["S — Spoofing<br/>Spoofing identity<br/>Accessing a system<br/>under someone else's identity"]
        T["T — Tampering<br/>Tampering<br/>Unauthorized modification<br/>of data, code, or config"]
        R["R — Repudiation<br/>Repudiation<br/>Denying that<br/>an action was performed"]
    end
    subgraph R2[" "]
        direction LR
        I["I — Information Disclosure<br/>Information Disclosure<br/>Leaking information<br/>to an unauthorized party"]
        D["D — Denial of Service<br/>Denial of Service<br/>Preventing legitimate users<br/>from using the service"]
        E["E — Elevation of Privilege<br/>Elevation of Privilege<br/>Gaining higher privilege<br/>from a lower one"]
    end

    style S fill:#E3F2FD,stroke:#1976D2,color:#000
    style T fill:#F3E5F5,stroke:#7B1FA2,color:#000
    style R fill:#FFF3E0,stroke:#F57C00,color:#000
    style I fill:#FFEBEE,stroke:#D32F2F,color:#000
    style D fill:#E8F5E9,stroke:#388E3C,color:#000
    style E fill:#E0F2F1,stroke:#00796B,color:#000
    style R1 fill:none,stroke:none
    style R2 fill:none,stroke:none
  
ThreatSecurity Property ViolatedAttack ExampleKey Countermeasures
S — SpoofingAuthenticationPhishing, session hijacking, ARP spoofingMFA, digital signatures, HTTPS certificates
T — TamperingIntegritySQL injection, parameter tampering, file tamperingInput validation, digital signatures, hash verification
R — RepudiationNon-repudiationTransaction denial, log deletion, hiding activityAudit logs, timestamps, digital signatures
I — Information DisclosureConfidentialityData leakage, man-in-the-middle attacks, log info exposureEncryption, access control, data masking
D — Denial of ServiceAvailabilityDDoS, resource exhaustion, fork bombsRate limiting, WAF, CDN, auto scaling
E — Elevation of PrivilegeAuthorizationVulnerability exploitation, privilege escalation attacksLeast-privilege principle, RBAC, sandboxing

B. Threat Modeling Process and DFD Application

    flowchart LR
    S1["1. Decompose the system<br/>Draw a DFD<br/>Processes, data stores,<br/>external entities, trust boundaries"]
    S2["2. Identify threats<br/>Apply STRIDE<br/>to each DFD element<br/>across the 6 threat types"]
    S3["3. Assess risk<br/>DREAD scoring<br/>Rate risk per threat<br/>Determine priority"]
    S4["4. Define countermeasures<br/>Design mitigations<br/>Reflect them as<br/>security requirements"]
    S5["5. Verify & iterate<br/>Update the threat model<br/>when the design changes<br/>Continuous improvement"]

    S1 --> S2 --> S3 --> S4 --> S5
    S5 -->|"when the design changes"| S1

    style S1 fill:#E3F2FD,stroke:#1976D2,color:#000
    style S2 fill:#F3E5F5,stroke:#7B1FA2,color:#000
    style S3 fill:#FFF3E0,stroke:#F57C00,color:#000
    style S4 fill:#E8F5E9,stroke:#388E3C,color:#000
    style S5 fill:#E0F2F1,stroke:#00796B,color:#000
  

STRIDE Applicability Matrix by DFD Element

DFD ElementSTRIDE
External Entity
Process
Data Flow
Data Store

DREAD Risk Scoring Criteria

DREAD ItemMeaningScore (1-10)
DamageExtent of damage if the attack succeedsHigher = more severe
ReproducibilityEase of reproducing the attackHigher = riskier
ExploitabilityDifficulty of executing the attackHigher = riskier
Affected UsersProportion of users affectedHigher = riskier
DiscoverabilityEase of discovering the vulnerabilityHigher = riskier

3. Expected Benefits and Practical Application of STRIDE Threat Modeling

CategoryKey Expected BenefitApplication & Practical Use
Shift-left securityMinimizes remediation cost by catching vulnerabilities early at the design stageInclude a threat modeling session during sprint planning (integrated with Agile)
Security requirementsDerives concrete, threat-based security requirementsCodify STRIDE analysis results as security requirements in the functional spec
DevSecOps integrationLinks the threat model with CI/CD pipeline security gatesBuild a system that auto-updates and reviews the threat model when IaC code changes
ComplianceMeets the risk management requirements of ISMS-P, ISO 27001, and PCI-DSSUse an annual full-system threat model review as audit evidence