
Threat Modeling Methodology: STRIDE

Focus: Developer-focused | Est: 1999

STRIDE stands for Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and Elevation of privilege. It was developed by Loren Kohnfelder and Praerit Garg in 1999 to identify potential vulnerabilities and threats to company products. Microsoft's STRIDE methodology aims to ensure that an application meets the security requirements of Confidentiality, Integrity, and Availability (CIA), as well as Authorisation, Authentication, and Non-Repudiation. STRIDE has evolved over time to include new threat-specific tables and the variants STRIDE-per-Element and STRIDE-per-Interaction.[1]

This is the oldest threat modeling methodology and helps identify mitigating techniques. It is relatively easy to use but can be time-consuming. The chart below shows an example of its use.[2]

| Threat | Property violated | Definition |
| --- | --- | --- |
| Spoofing | Authentication | Impersonating something or someone else |
| Tampering | Integrity | Modifying data or code |
| Repudiation | Non-repudiation | Claiming to have not performed the action |
| Information Disclosure | Confidentiality | Exposing information to someone not authorized to see it |
| Denial of Service (DoS) | Availability | Deny or degrade service to users |
| Elevation of Privilege | Authorization | Gain capabilities without proper authorization |
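To show how the chart above is applied in practice, the following is an added example (not code from this page or from IriusRisk) of a minimal STRIDE-per-Element enumerator: it takes a small data-flow diagram with typed elements and lists, for each element, the STRIDE categories that apply and the security property each one violates. The threat-to-property mapping is the page's chart; the element-type-to-threat chart (external entities get S and R, processes get all six, data stores and data flows get T, I and D, with R added for stores that hold logs) is the STRIDE-per-Element chart used in Microsoft's SDL practice and is an assumption of this example, as is the sample diagram, which is constructed.

```python
"""Added example: a minimal STRIDE-per-Element threat enumerator.

Assumptions (not stated on the page): the per-element chart below follows
Microsoft SDL practice, and the sample data-flow diagram is constructed.
"""
from dataclasses import dataclass

# Threat category -> security property it violates (the page's chart).
STRIDE_PROPERTY = {
    "Spoofing": "Authentication",
    "Tampering": "Integrity",
    "Repudiation": "Non-repudiation",
    "Information Disclosure": "Confidentiality",
    "Denial of Service": "Availability",
    "Elevation of Privilege": "Authorization",
}

# STRIDE-per-Element: which categories apply to each DFD element type
# (assumption: Microsoft SDL chart; Repudiation is added to a data store
# only when it holds audit logs, see enumerate_threats).
PER_ELEMENT = {
    "external_entity": ["Spoofing", "Repudiation"],
    "process": list(STRIDE_PROPERTY),
    "data_store": ["Tampering", "Information Disclosure", "Denial of Service"],
    "data_flow": ["Tampering", "Information Disclosure", "Denial of Service"],
}


@dataclass
class Element:
    name: str
    kind: str                       # one of the PER_ELEMENT keys
    is_log: bool = False            # data store holding audit records
    crosses_trust_boundary: bool = False  # only meaningful for data flows


@dataclass
class Threat:
    element: str
    category: str
    property: str
    note: str = ""


def enumerate_threats(elements):
    """Return one Threat per (element, applicable STRIDE category)."""
    threats = []
    for e in elements:
        if e.kind not in PER_ELEMENT:
            raise ValueError(f"unknown element kind {e.kind!r} for {e.name}")
        categories = list(PER_ELEMENT[e.kind])
        # A log store can be tampered with to deny an action ever happened,
        # so it also gets Repudiation.
        if e.kind == "data_store" and e.is_log:
            categories.append("Repudiation")
        note = ""
        if e.kind == "data_flow" and e.crosses_trust_boundary:
            note = "crosses a trust boundary: review first"
        for c in categories:
            threats.append(Threat(e.name, c, STRIDE_PROPERTY[c], note))
    return threats


def count_by_property(threats):
    """Summarise which CIA/AAA properties carry the most threats."""
    counts = {p: 0 for p in STRIDE_PROPERTY.values()}
    for t in threats:
        counts[t.property] += 1
    return counts


# Constructed sample DFD: browser -> web app -> database, with an audit log.
SAMPLE_DFD = [
    Element("Browser", "external_entity"),
    Element("Web app", "process"),
    Element("Database", "data_store"),
    Element("Audit log", "data_store", is_log=True),
    Element("Browser->Web app (HTTPS)", "data_flow", crosses_trust_boundary=True),
    Element("Web app->Database", "data_flow"),
]

if __name__ == "__main__":
    for t in enumerate_threats(SAMPLE_DFD):
        flag = f"  [{t.note}]" if t.note else ""
        print(f"{t.element:28} {t.category:24} violates {t.property}{flag}")
    print(count_by_property(enumerate_threats(SAMPLE_DFD)))
```

Each output row is a candidate threat to triage, not a confirmed vulnerability; the value of the per-element variant is that it stops the analysis from silently skipping an element type, which is also why the example refuses unknown element kinds instead of returning nothing for them.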

How can I use STRIDE within IriusRisk?

Read this blog from Jonny Tennyson, Head of Customer Success, on how you can use the STRIDE methodology and CAPEC within IriusRisk.

Other Threat Modeling Methodologies

To learn more about other methodologies please visit Threat Modeling Methodologies.

Information Sources:

1. Software Engineering Institute, Threat Modeling: 12 Available Methods (2018) https://insights.sei.cmu.edu/blog/threat-modeling-12-available-methods/
2. Microsoft, STRIDE Chart (2007) microsoft.com/security/blog/2007/09/11/stride-chart/