Everything can be improved. Here's Geoff's proposal for improving the STRIDE taxonomy; he granted me permission to publish it. In his words:
The STRIDE mnemonic was created to make it easier for non-security team members to identify the areas where software teams commonly make security mistakes. It covers 6 unique security weakness points. The mnemonic is enhanced by integrating it with the Security Frame, a framework that highlights the 10 most common security patterns that get improperly designed and implemented.
The enhanced STRIDE is here:
· Spoofing (Authentication)
  · attempting to gain access to a system by using a false identity
  · cause - poor authentication of entities
· Spoofing (Session handling)
  · attempting to gain access to a system by using a false identity
  · cause - poor management of session tokens (key length, key lifetime, key storage)
· Tampering (Validation)
  · unauthorized modification of data
  · cause - poor validation of data
· Tampering (Cryptography)
  · unauthorized modification of data
  · cause - poor encryption of data
· Repudiation (Session handling)
  · ability of entities (legitimate or otherwise) to deny performing specific actions
  · cause - poor management of session tokens (key length, key lifetime, key storage)
· Repudiation (Auditing)
  · ability of entities (legitimate or otherwise) to deny performing specific actions
  · cause - poor logging capability to track entity activity
· Information Disclosure (Sensitive Data)
  · unwanted exposure of private data
  · cause - poor security patterns to handle sensitive data
· Information Disclosure (Cryptography)
  · unwanted exposure of private data
  · cause - poor encryption of data
· Information Disclosure (Exception handling)
  · unwanted exposure of private data
  · cause - poor anticipatory handling of unexpected software failures
· Denial Of Service (Session handling)
  · process of making a system unavailable
  · cause - poor management of session tokens (key length, key lifetime, key storage)
· Denial Of Service (Exception handling)
  · process of making a system unavailable
  · cause - poor anticipatory handling of unexpected software failures
· Elevation Of Privilege (Authorisation)
  · an entity assumes the permissions of a privileged entity to gain privileged access to the system
  · cause - poor access control defined on the system and known entity roles
· Elevation Of Privilege (Configuration handling)
  · an entity assumes the permissions of a privileged entity to gain privileged access to the system
  · cause - poor integration with other outside systems enables permission mismatch
You can follow him on Twitter too: https://twitter.com/Tutamantic_Sec