STRIDE
(Spoofing, Tampering, Repudiation, Information, Denial, Elevation) An acronym for remembering six areas of risk in technology. For an excellent example of applying STRIDE to Web applications, visit the Open Web Application Security Project (OWASP) website.
Spoofing Identities
A user should not be able to assume the identity of, or mask the attributes of, someone else. Using a public key infrastructure (PKI) and digital signatures is a way of preventing spoofing.
Tampering With Data
The integrity of data should be preserved at all times. Encryption, independent verification, and validation of input, processing and output are some of the tools that can be used.
Repudiation of a Transaction
A party should not be able to deny a valid transaction after the fact. Good audit trails and signing each message with its date and time are examples of preventative methods.
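The two entries above name audit trails and timestamped, signed messages as the countermeasures for tampering and repudiation. The following is an added example, not part of this glossary entry, showing one common way to build such a trail: a hash-chained audit log in which every record carries a UTC timestamp and an HMAC tag computed over the record and the previous record's tag, so that any edited, inserted or deleted record breaks the chain at a verifiable position. The key, actors and actions are constructed for the demonstration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key. In practice the key comes from a secrets store and
# is never embedded in source.
AUDIT_KEY = b"demo-audit-key-not-for-production"

# Anchor value standing in for "previous tag" of the very first record.
GENESIS = "0" * 64


def _canonical(record: dict) -> bytes:
    """Serialize deterministically so writer and verifier tag identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_record(log: list, actor: str, action: str,
                  key: bytes = AUDIT_KEY, when: str = "") -> dict:
    """Append a timestamped record whose tag also covers the previous tag."""
    prev = log[-1]["tag"] if log else GENESIS
    body = {
        "seq": len(log),
        "time": when or datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "actor": actor,
        "action": action,
        "prev": prev,
    }
    body["tag"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    log.append(body)
    return body


def verify_log(log: list, key: bytes = AUDIT_KEY) -> int:
    """Return the index of the first record that fails, or -1 if the chain is intact."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "tag"}
        # Sequence gaps or a broken back-link reveal deleted or reordered records.
        if body.get("seq") != i or body.get("prev") != prev:
            return i
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        # Constant-time comparison; a modified field or wrong key changes the tag.
        if not hmac.compare_digest(expected, rec.get("tag", "")):
            return i
        prev = rec["tag"]
    return -1


def demo() -> dict:
    """Build a small constructed trail and show which failures the chain exposes."""
    log = []
    append_record(log, "alice", "approve payment 42", when="2024-01-01T10:00:00+00:00")
    append_record(log, "bob", "release payment 42", when="2024-01-01T10:05:00+00:00")
    append_record(log, "alice", "close ticket 7", when="2024-01-01T10:09:00+00:00")

    tampered = json.loads(json.dumps(log))      # deep copy
    tampered[1]["actor"] = "mallory"            # rewrite who released the payment

    deleted = [log[0], log[2]]                  # drop the middle record

    return {
        "intact": verify_log(log),              # -1: whole chain verifies
        "tampered": verify_log(tampered),       # 1: edited record is found
        "deleted": verify_log(deleted),         # 1: sequence gap is found
        "wrong_key": verify_log(log, b"other"), # 0: nothing verifies
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind. An HMAC uses a key shared by writer and verifier, so this trail gives tamper evidence, not non-repudiation in the strict sense; if an actor must be unable to deny a record, each actor signs with a private key under the PKI named in the spoofing entry. Also, chaining cannot detect removal of the newest records, so the latest tag must be anchored somewhere the log writer cannot alter (a separate system, a printed digest, or a timestamping service).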
Information Disclosure
Information should not fall into unauthorized hands. Data loss prevention (DLP) techniques are used to strengthen corporate confidentiality. See DLP.
Denial of Service
A server or an application should not be vulnerable to being put out of service. Redundant and backup systems are datacenter architectures that can be used to reduce this risk.
Elevation of Privilege
An unauthorized user should not be allowed administrator rights. Refusing to share passwords or tokens can reduce this risk. See access control.