Get on-the-go access to the latest insights featured on our Trustworthy Computing blogs.
Adam Shostack here.
I’ve learned to love STRIDE as a framework for thinking about threats, but it makes a lousy classification system. That is, I can look at a system to find information disclosure threats, but once I have an attack that leaks, say, the location of a DLL in memory to a remote attacker, is that Information Disclosure or Elevation of Privilege? It’s likely to make the latter easy, and down the classification rat-hole we go. I’d like to suggest that calling it ‘the STRIDE framework is the most clear wording we can use.’
I found the 1999 internal Microsoft article written by (then) Microsoft employees Loren Kohnfelder and Praerit Garg, and was pleased to discover that they intended STRIDE “to help you identify potential vulnerabilities in your product during a security analysis.” They also make repeated reference to a “proactive security analysis process,” and shows some of the thinking that led to the SDL. I thought it was neat look into history, and so without further ado, it's attached (59KB). This paper is sometimes referred to as "Threats to our software".