STRIDE
STRIDE
A Security Threat Modeling Framework
1. Overview: A Threat Modeling Technique That Embeds Security by Identifying 6 Threat Categories at Design Time, STRIDE
flowchart LR
A["Security vulnerabilities<br/>discovered after design<br/>High remediation cost"] --"STRIDE threat analysis<br/>at design time"--> B["Systematic identification<br/>and response to 6 threat types"] --"Reflect security<br/>requirements in the design"--> C["Secure by Design<br/>security embedded from the start"]
style A fill:#FFEBEE,stroke:#D32F2F,color:#000
style B fill:#E3F2FD,stroke:#1976D2,color:#000
style C fill:#E8F5E9,stroke:#388E3C,color:#000
Definition: A threat modeling technique developed by Microsoft that classifies possible security threats to a software system into six categories — Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege — and systematically identifies and mitigates them from the design stage onward.
Characteristics: (Shift-left security) Identifying threats at the design stage is more cost-effective than fixing vulnerabilities after development. (DFD-based analysis) Combined with a Data Flow Diagram (DFD), it uses system boundaries, components, and data flows as the basis for analysis. (Complementary use) Can be used alongside other threat modeling methodologies such as DREAD, PASTA, and TRIKE.
2. Core Structure of STRIDE
A. The 6 STRIDE Threat Categories
flowchart TD
subgraph R1[" "]
direction LR
S["S — Spoofing<br/>Spoofing identity<br/>Accessing a system<br/>under someone else's identity"]
T["T — Tampering<br/>Tampering<br/>Unauthorized modification<br/>of data, code, or config"]
R["R — Repudiation<br/>Repudiation<br/>Denying that<br/>an action was performed"]
end
subgraph R2[" "]
direction LR
I["I — Information Disclosure<br/>Information Disclosure<br/>Leaking information<br/>to an unauthorized party"]
D["D — Denial of Service<br/>Denial of Service<br/>Preventing legitimate users<br/>from using the service"]
E["E — Elevation of Privilege<br/>Elevation of Privilege<br/>Gaining higher privilege<br/>from a lower one"]
end
style S fill:#E3F2FD,stroke:#1976D2,color:#000
style T fill:#F3E5F5,stroke:#7B1FA2,color:#000
style R fill:#FFF3E0,stroke:#F57C00,color:#000
style I fill:#FFEBEE,stroke:#D32F2F,color:#000
style D fill:#E8F5E9,stroke:#388E3C,color:#000
style E fill:#E0F2F1,stroke:#00796B,color:#000
style R1 fill:none,stroke:none
style R2 fill:none,stroke:none
| Threat | Security Property Violated | Attack Example | Key Countermeasures |
|---|---|---|---|
| S — Spoofing | Authentication | Phishing, session hijacking, ARP spoofing | MFA, digital signatures, HTTPS certificates |
| T — Tampering | Integrity | SQL injection, parameter tampering, file tampering | Input validation, digital signatures, hash verification |
| R — Repudiation | Non-repudiation | Transaction denial, log deletion, hiding activity | Audit logs, timestamps, digital signatures |
| I — Information Disclosure | Confidentiality | Data leakage, man-in-the-middle attacks, log info exposure | Encryption, access control, data masking |
| D — Denial of Service | Availability | DDoS, resource exhaustion, fork bombs | Rate limiting, WAF, CDN, auto scaling |
| E — Elevation of Privilege | Authorization | Vulnerability exploitation, privilege escalation attacks | Least-privilege principle, RBAC, sandboxing |
B. Threat Modeling Process and DFD Application
flowchart LR
S1["1. Decompose the system<br/>Draw a DFD<br/>Processes, data stores,<br/>external entities, trust boundaries"]
S2["2. Identify threats<br/>Apply STRIDE<br/>to each DFD element<br/>across the 6 threat types"]
S3["3. Assess risk<br/>DREAD scoring<br/>Rate risk per threat<br/>Determine priority"]
S4["4. Define countermeasures<br/>Design mitigations<br/>Reflect them as<br/>security requirements"]
S5["5. Verify & iterate<br/>Update the threat model<br/>when the design changes<br/>Continuous improvement"]
S1 --> S2 --> S3 --> S4 --> S5
S5 -->|"when the design changes"| S1
style S1 fill:#E3F2FD,stroke:#1976D2,color:#000
style S2 fill:#F3E5F5,stroke:#7B1FA2,color:#000
style S3 fill:#FFF3E0,stroke:#F57C00,color:#000
style S4 fill:#E8F5E9,stroke:#388E3C,color:#000
style S5 fill:#E0F2F1,stroke:#00796B,color:#000
STRIDE Applicability Matrix by DFD Element
| DFD Element | S | T | R | I | D | E |
|---|---|---|---|---|---|---|
| External Entity | ✓ | ✓ | ||||
| Process | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Data Flow | ✓ | ✓ | ✓ | |||
| Data Store | ✓ | ✓ | ✓ | ✓ |
DREAD Risk Scoring Criteria
| DREAD Item | Meaning | Score (1-10) |
|---|---|---|
| Damage | Extent of damage if the attack succeeds | Higher = more severe |
| Reproducibility | Ease of reproducing the attack | Higher = riskier |
| Exploitability | Difficulty of executing the attack | Higher = riskier |
| Affected Users | Proportion of users affected | Higher = riskier |
| Discoverability | Ease of discovering the vulnerability | Higher = riskier |
3. Expected Benefits and Practical Application of STRIDE Threat Modeling
| Category | Key Expected Benefit | Application & Practical Use |
|---|---|---|
| Shift-left security | Minimizes remediation cost by catching vulnerabilities early at the design stage | Include a threat modeling session during sprint planning (integrated with Agile) |
| Security requirements | Derives concrete, threat-based security requirements | Codify STRIDE analysis results as security requirements in the functional spec |
| DevSecOps integration | Links the threat model with CI/CD pipeline security gates | Build a system that auto-updates and reviews the threat model when IaC code changes |
| Compliance | Meets the risk management requirements of ISMS-P, ISO 27001, and PCI-DSS | Use an annual full-system threat model review as audit evidence |