Training People on Threat Modeling - The Security Development Lifecycle - Site Home

Adam Shostack here. Blogger Ian Grigg has an interesting response to my threat modeling blog series, and I wanted to respond to it. In particular, Ian says “I then would prefer to see the threat - property matrix this way:”

I wanted to share an additional table from our training, and talk about repudiation a bit more.

Actually, I’d like to repudiate the term “repudiation.” It’s an awful name that most people never run into in day-to-day life. It doesn’t hit the simplification bar the way say, “denial,” would. Unfortunately, STDIDE (Spoofing, Tampering, Denial, Information Disclosure, Denial of Service, Elevation of Privilege) doesn’t make a very memorable acronym. Memorable is important when training people. Our reviewers have raised this as an issue, and ’d love to get feedback from our readers. How can we ensure that the software we build has the right level of logging and audit-ability? What evocative words can we use, and can you help us come up with a word or phrase that starts with R? Let us know!

And then, here’s the chart:

Threat	Property	Definition	Example
Spoofing	Authentication	Impersonating something or someone else.	Pretending to be any of billg, microsoft.com or ntdll.dll
Tampering	Integrity	Modifying data or code	Modifying a DLL on disk or DVD, or a packet as it traverses the LAN.
Repudiation	Non-repudiation	Claiming to have not performed an action.	“I didn’t send that email,” “I didn’t modify that file,” “I certainly didn’t visit that web site, dear!”
Information Disclosure	Confidentiality	Exposing information to someone not authorized to see it	Allowing someone to read the Windows source code; publishing a list of customers to a web site.
Denial of Service	Availability	Deny or degrade service to users	Crashing Windows or a web site, sending a packet and absorbing seconds of CPU time, or routing packets into a black hole.
Elevation of Privilege	Authorization	Gain capabilities without proper authorization	Allowing a remote internet user to run commands is the classic example, but going from a limited user to admin is also EoP.

(Ian’s post is here https://financialcryptography.com/mt/archives/001013.html . IE users will see a warning about certificate authorities when visiting this site. As I wrote this, Gunnar Peterson added commentary at "Threats, Mechanisms and Standards.")