30 Days of Security Testing – Day Five

The challenge for Day Five is – Learn about Threat Modelling (i.e. like STRIDE)

The great sage Wikipedia defines Threat Modelling as: a process by which potential threats, such as structural vulnerabilities, can be identified, enumerated, and prioritised.

One popular Threat Modelling tool is STRIDE, which was designed by Microsoft back in 1999.

Using STRIDE correctly can help avoid painful situations

STRIDE is a mnemonic broken down into:

  • Spoofing – where a malicious user can impersonate another person or application
  • Tampering – unauthorised modification of data
  • Repudiation – “covering tracks”: an attacker being able to deny their involvement
  • Information disclosure – releasing sensitive or damaging information
  • Denial of Service – rendering a network resource, app or machine inaccessible by its intended users
  • Elevation of privilege – escalation of an attacker's user rights in an application/network

Here’s a helpful video narrated by a robotic voice:

An attack can be identified and categorised by one or more points of the STRIDE model.

For example, if I was able to guess an administrator's login credentials and log in, then alter another existing user by changing their password and giving them admin rights (so someone else on my “team” could join in), it would touch on S, T and, at a stretch, D.

Microsoft have a free Threat Modelling tool that allows you to draw a map of your application and label points where security threats could exist. I haven’t used it but it looks like a useful way to map out testing and give a visual diagram for the rest of your team or customers.

A related mnemonic that I like is DREAD.

I know the spelling is different, but work with me

Rather than identifying and categorising the type of attack, DREAD is used to identify the severity/impact:

  • Damage – how bad would an attack be?
  • Reproducibility – how easy is it to reproduce the attack?
  • Exploitability – how much work is it to launch the attack?
  • Affected users – how many people will be impacted?
  • Discoverability – how easy is it to discover the threat?

When planning your security tests, consider using STRIDE to identify what the threats are and DREAD to explain relevance/potential impact.
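One way to put that advice into practice is a small threat register that tags each threat with its STRIDE categories, ranks threats by DREAD score, and lists the STRIDE categories nothing has been identified for yet. This is an added example, not part of the original post; the 1 to 10 rating scale, the averaging of the five ratings, and the names `Threat`, `prioritise` and `uncovered` are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum

Stride = Enum("Stride", "SPOOFING TAMPERING REPUDIATION INFORMATION_DISCLOSURE "
                        "DENIAL_OF_SERVICE ELEVATION_OF_PRIVILEGE")
DREAD = ("damage", "reproducibility", "exploitability",
         "affected_users", "discoverability")


@dataclass(frozen=True)
class Threat:
    name: str
    stride: frozenset  # one or more Stride members
    dread: tuple       # five ratings in DREAD order; assumed scale 1 (low) to 10 (high)

    def __post_init__(self):
        if not self.stride or not all(isinstance(c, Stride) for c in self.stride):
            raise ValueError(f"{self.name}: needs at least one STRIDE category")
        if len(self.dread) != len(DREAD):
            raise ValueError(f"{self.name}: rate all five DREAD factors")
        if any(not 1 <= r <= 10 for r in self.dread):
            raise ValueError(f"{self.name}: ratings must be 1-10")

    def score(self):
        # Assumed convention: overall severity is the mean of the five ratings.
        return sum(self.dread) / len(DREAD)


def prioritise(threats):
    """Highest DREAD score first: the order to plan security tests in."""
    return sorted(threats, key=Threat.score, reverse=True)


def uncovered(threats):
    """STRIDE categories that no listed threat touches: gaps to think about."""
    seen = set().union(*(t.stride for t in threats))
    return [c for c in Stride if c not in seen]


# Constructed register. The first entry is the post's admin-login scenario with
# the categories the post assigns it (S, T, D); all ratings are illustrative.
S = Stride
REGISTER = [
    Threat("Guessed admin login used to alter another user",
           frozenset({S.SPOOFING, S.TAMPERING, S.DENIAL_OF_SERVICE}), (9, 7, 6, 8, 4)),
    Threat("Verbose error page leaks a stack trace",
           frozenset({S.INFORMATION_DISCLOSURE}), (4, 9, 8, 3, 9)),
]

if __name__ == "__main__":
    for t in prioritise(REGISTER):
        print(f"{t.score():.1f}  {''.join(sorted(c.name[0] for c in t.stride))}  {t.name}")
    print("No threats yet for:", [c.name for c in uncovered(REGISTER)])
```

The uncovered list is a prompt for the next round of modelling rather than a finding in itself.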

Thanks for reading my post and following my progress through the 30 Days of Security Testing.

For more on Security Testing please visit here, or for any of my other ramblings visit here.

Feel like joining in? Sign into the WeTest Slack group and get involved!

