Threat Modeling Again, What does STRIDE have to do with threat modeling?

re: Threat Modeling Again, What does STRIDE have to do with threat modeling?

Cheong — Sat, 08 Sep 2007 05:14:43 GMT

Regarding "Data Stores", it's fairly common for database applications to also store the "right assignment" for users into tables. Doesn't exploiting it be possible for "Elevation of Privilege"?

For example, the user information of MySQL is stored in the database named "mysql". If someone find their way to modify "mysql.user" table then execute "flush privileges" or just wait until the next time the server is restarted, the attacker can gain access to all databases - not just the database that the buggy application runs on - and can feel free to drop any of them.

Threat Modeling Again, STRIDE per Element

Larry Osterman's WebLog — Mon, 10 Sep 2007 20:31:05 GMT

As I mentioned the other day , we had three huge big realizations as we've been doing more and more threat

Threat Modeling Again, STRIDE per Element

Noticias externas — Mon, 10 Sep 2007 20:54:24 GMT

As I mentioned the other day , we had three huge big realizations as we've been doing more and more

STRIDE chart

The Security Development Lifecycle — Wed, 12 Sep 2007 21:09:14 GMT

Adam Shostack here. I've been meaning to talk more about what I actually do, which is help the teams

Some final thoughts on Threat Modeling...

Larry Osterman's WebLog — Tue, 02 Oct 2007 21:54:40 GMT

I want to wrap up the threat modeling posts with a summary and some comments on the entire process. Yeah,