The challenge for Day Five is – Learn about Threat Modelling (ie like STRIDE)
The great sage Wikipedia defines Threat Modelling as: a process by which potential threats, such as structural vulnerabilities, can be identified, enumerated, and prioritised.
One popular Threat Modelling tool is STRIDE that was designed by Microsoft back in 1999.
STRIDE is a mnemonic broken down into:
- Spoofing – where a malicious user can impersonate another person or application
- Tampering – unauthorised modification of data
- Repudiation – “covering tracks”: an attacker being able to deny their involvement
- Information disclosure – releasing sensitive or damaging information
- Denial of Service – rendering a network resource, app or machine inaccessible by its intended users
- Elevation of privilege – escalation of an attacker's user rights in an application/network
Here’s a helpful video narrated by a robotic voice:
An attack can be identified and categorised by one or more points of the STRIDE model.
For example, if I was able to guess an administrator's login credentials and log in, then alter another existing user by changing their password and giving them admin rights (so someone else on my “team” could join in), it would touch on S, T and, at a stretch, D.
Microsoft have a free Threat Modelling tool that allows you to draw a map of your application and label points where security threats could exist. I haven’t used it but it looks like a useful way to map out testing and give a visual diagram for the rest of your team or customers.
A related mnemonic that I like is DREAD.
Rather than identifying and categorising the type of attack, DREAD is used to identify the severity/impact:
- Damage – how bad would an attack be?
- Reproducibility – how easy is it to reproduce the attack?
- Exploitability – how much work is it to launch the attack?
- Affected users – how many people will be impacted?
- Discoverability – how easy is it to discover the threat?
When planning your security tests, consider using STRIDE to identify what the threats are and DREAD to explain relevance/potential impact.
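As an added example (not part of the original post), here is a small Python threat register that tags each threat with its STRIDE letters and ranks it by a DREAD score. It assumes the common convention of rating each DREAD factor 1-10 and averaging the five scores; the High/Medium/Low thresholds and the sample entries are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from statistics import mean
# STRIDE letters from the post: the kind of threat.
STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}
# DREAD factors from the post, each scored 1-10 (an assumed, common scale).
DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")

@dataclass
class Threat:
    title: str
    stride: set[str]        # STRIDE letters this threat touches, e.g. {"S", "T"}
    dread: dict[str, int]   # DREAD factor -> score 1..10

    def __post_init__(self) -> None:
        if unknown := self.stride - set(STRIDE):
            raise ValueError(f"not STRIDE letters: {sorted(unknown)}")
        if set(self.dread) != set(DREAD_FACTORS):
            raise ValueError("score every DREAD factor exactly once")
        if any(not 1 <= v <= 10 for v in self.dread.values()):
            raise ValueError("DREAD scores must be between 1 and 10")

    def risk_score(self) -> float:
        """Average of the five DREAD scores, rounded to one decimal."""
        return round(mean(self.dread[f] for f in DREAD_FACTORS), 1)

    def risk_band(self) -> str:
        """Bucket the score; the thresholds are an assumption, tune per project."""
        s = self.risk_score()
        return "High" if s >= 7 else "Medium" if s >= 4 else "Low"

def rank_threats(threats: list[Threat]) -> list[Threat]:
    """Highest DREAD score first, so testing starts with what matters most."""
    return sorted(threats, key=lambda t: t.risk_score(), reverse=True)

# Constructed sample register; the first entry mirrors the post's own example.
SAMPLE_THREATS = [
    Threat("Guessed admin credentials, then altered another user's account",
           {"S", "T", "D"}, dict(damage=9, reproducibility=7, exploitability=6,
                                  affected_users=8, discoverability=7)),
    Threat("Stack trace shown on error page", {"I"},
           dict(damage=3, reproducibility=10, exploitability=8,
                affected_users=2, discoverability=9)),
    Threat("Server version in HTTP banner", {"I"},
           dict(damage=1, reproducibility=5, exploitability=2,
                affected_users=1, discoverability=3)),
]
```

Printing `rank_threats(SAMPLE_THREATS)` gives the order to work through in a test plan, with the STRIDE letters saying what each item is and the DREAD band saying why it comes first.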
Thanks for reading my post and following my progress through the 30 Days of Security Testing.
Feel like joining in? Sign into the WeTest Slack group and get involved!