Security Threat Modelling / Analysis using STRIDE and the Microsoft Threat Analysis Tool

The below video provides an introduction to the theory behind threat modelling and analysis using the STRIDE categorization scheme. It provides a way to identify threats to software you are developing yourself as well as off-the-shelf software products.

This is useful for anyone studing for the ISC2 CISSP Certified Information Systems Security Professional certification, or for other cybersecurity certifications such as the ISACA CISM exam.

The video talks about the theory on creating a data flow diagram, and how the analysis is then applied. In a future video I plan to create another video with a practical example of how to apply STRIDE analysis to an open source software projects.

The 6 steps to STRIDE are:

Spoofing - imitating someone or something else to gain access to a system or higher privilage
Tampering - unauthorized changes to data or configuration
Repudiation - identifying who has done what on the system
Information Disclosure - unathorized access to information that is confidential or secret
Denial of Service DoS - preventing access to a service
Elevation of privilege - increasing the level of privilege after logging in as less priveleged user

More information

Please subscribe to Penguin Fortress on YouTube for future videos.

For more details about how security see the following guides:

4 Pillars of Cyber Security

Example STRIDE Analysis

Cyber Security Index

› Introduction

Policy

› Incident Response

› AAA

› Cryptography

› Web

› Development

Security Threat Modelling / Analysis using STRIDE and the Microsoft Threat Analysis Tool

More information