Threat modeling framework

STRIDE
Spoofing
pretending to be someone or something else
How to prevent Spoofing

Authentication verifies that users and systems are who they claim to be.

Common security controls to reduce or eliminate risk:

For your data:


• Hashes
For your system:
• User Authentication
• Cookie Authentication
• SSL/TLS
• Certificates
Tampering
changing data without authorization
How to prevent Tampering

Integrity prevents data from being maliciously modified.

Common security controls to reduce or eliminate risk:


• Access control lists (ACL)
• Validating input to prevent the processing of malicious payloads
• Using SSL/TLS to secure transmission
Repudiation
not claiming responsibility for an action taken
How to prevent Repudiation

Non-repudiation ensures each action can be traced back to its origin by creating and
protecting security logs.

Common security controls to reduce or eliminate risk:


• Strong authentication
• Secure logging and monitoring
• Digital signatures
• Secure timestamps
• Trusted third parties
Information disclosure
seeing data I am not supposed to see
How to prevent Information disclosure

Confidentiality ensures data is protected.

Common security controls to reduce or eliminate risk:


• Encryption
• Access control lists (ACL)
• Enforcing SSL/TLS to secure transmission
Denial of Service
overwhelming the system
How to prevent Denial of Service

Availability ensures your system is up and running for users.

Common security controls to reduce or eliminate risk:


• Access control lists (ACL)
• Filtering
• Quotas
• Authorization
• High availability
Elevation of privilege
having permissions I should not have
How to prevent Elevation of privilege

Authorization ensures users have proper permissions.

Common security controls to reduce or eliminate risk:


• Access control lists (ACL)
• Role-based access controls (RBAC)
• Group-based access
• Permissions
• Input validation
