Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

News & Commentary

3/29/2019
10:30 AM
Adam Shostack
Adam Shostack
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

20 Years of STRIDE: Looking Back, Looking Forward

The invention of STRIDE was the key inflection point in the development of threat modeling from art to engineering practice.

Today, let me contrast two 20-year-old papers on threat modeling. My first paper on this topic, "Breaking Up Is Hard to Do," written with Bruce Schneier, analyzed smart-card security.  We talked about categories of threats, threat actors, assets — all the usual stuff for a paper of that era. We took the stance that "we experts have thought hard about these problems, and would like to share our results."

Around the same time, on April 1, 1999, Loren Kohnfelder and Praerit Garg published a paper in Microsoft's internal "Interface" journal called "The Threats to our Products." It was revolutionary, despite not being publicly available for over a decade. What made the Kohnfelder and Garg paper revolutionary is that it was the first to structure the process of how to find threats.  It organized attacks into a model (STRIDE), and that model was intended to help people find problems, as noted:

The S.T.R.I.D.E. security threat model should be used by all MS products to identify various types of threats the product is susceptible to during the design phase. Identifying the threats is the first step in a proactive security analysis process.

STRIDE was not the first suggestion for a systematic approach. In his 1994 book, Fundamentals of Computer Security Technology, Ed Amaroso outlined a way to create threat trees, "starting with a general, abstract description of the complete set of threats that exists for a given system, and then introducing detail in an iterative manner, refining the description carefully and gradually."

The invention of STRIDE is the key inflection point in the development of threat modeling from art to engineering practice. By moving us from folk wisdom to structure, STRIDE unleashed a flood of work towards making threat modeling accessible to all engineers.

At Microsoft, the frames included:

  • Frank Swiderski and Window Snyder's Asset/Entry approach
  • J.D. Meier's Patterns and Practices
  • Shawn Hernan and Tomasz Ostwald's STRIDE per element, and
  • Adam Shostack's (my) breakdown of approaches by their focus on asset, attacker or software, and four-question framework (There were certainly others; these are illustrative.)

Asset/Entry is a model derived from the physical world. For example, imagine a burglar stealing your stereo. The stereo is your asset, and the windows, doors, and chimney are the entry points. You track from one to the other and consider controls, such as locks or alarms, that stop or detect an attacker. 

Patterns and Practices is a framework that Microsoft has used for talking about development and operations for quite a long time; I believe it predates threat modeling. Patterns and Practices is more descriptive: This is what people do. They draw diagrams like these. They find that spoofing threats tend to associate with account creation patterns…

STRIDE per Element noted that certain threats happen less for types of elements: data flows aren't spoofed (endpoints are); data stores are not subject to elevation of privilege.

Beyond Microsoft, over the past two decades, there has been a Cambrian explosion of tools.  Some are built on STRIDE, others not, but they all owe a debt to it.

That explosion, and my attempts to make sense of it led to an understanding that different approaches often centered on either assets, attackers or the systems being built. Even the asset- and attacker-centered approaches had a way of scoping what are we working on. All had ways of addressing what can go wrong. These are the first two questions in my four-question frame; the others are what are we going to do about it, and did we do a good job?

The debt we owe to STRIDE is the idea that a model can give us a broadly applicable structure. That structure can go beyond just a single issue, such as "known plaintext" to multiple attacks. Now, if I'm using the known plaintext as an example, many readers will know that there's chosen plaintext, adaptive chosen plaintext, and more variants. But those attacks are centered on cryptosystems and do us little good outside it. I've used STRIDE on everything from operating systems to a single addition to a web service. It's broad in a way that its predecessors were not. 

The debt we owe STRIDE is also a debt that we owe Microsoft, for ongoing investments in tools, techniques, and software, and freely sharing much of that. 

Using STRIDE gives me the ability to understand the firehose of new attack variants and see them as small variants on other work. (For that, I use STRIDE and "memory corruption," which is enough for most attacks.)

We should celebrate having a model that started in the era of desktop computing and has survived into the age of mobile, cloud, and web, and shows few signs of becoming obsolete.

Related Content:        

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Adam is a consultant, entrepreneur, technologist, author and game designer. He's a member of the BlackHat Review Board and helped create the CVE and many other things. He currently helps organizations improve their security via Shostack & Associates, and advises startups ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
NathanDavidson
50%
50%
NathanDavidson,
User Rank: Apprentice
4/8/2019 | 12:21:42 AM
Who can access?
Readers have one main concern and that is to know that they can have ready access to any data at any one time. Regardless of how revolutionary a piece of article could be, it would be deemed as useless should it be made available to everyone only a decade after or so. Content is important but access to it is even more crucial.
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2002-0390
PUBLISHED: 2019-07-21
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2002-0639. Reason: This candidate is a reservation duplicate of CVE-2002-0639. Notes: All CVE users should reference CVE-2002-0639 instead of this candidate. All references and descriptions in this candidate have been removed to prevent ...
CVE-2018-17210
PUBLISHED: 2019-07-20
An issue was discovered in PrinterOn Central Print Services (CPS) through 4.1.4. The core components that create and launch a print job do not perform complete verification of the session cookie that is supplied to them. As a result, an attacker with guest/pseudo-guest level permissions can bypass t...
CVE-2019-12934
PUBLISHED: 2019-07-20
An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress. wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter.
CVE-2019-9229
PUBLISHED: 2019-07-20
An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A to F7.20A.251. An internal interface exposed to the link-local address 169.254.254.253 allows attackers in the local network to access multiple quagga VTYs. Attackers can...
CVE-2019-12815
PUBLISHED: 2019-07-19
An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.