
3/29/2019 10:30 AM
Adam Shostack
Commentary

20 Years of STRIDE: Looking Back, Looking Forward

The invention of STRIDE was the key inflection point in the development of threat modeling from art to engineering practice.

Today, let me contrast two 20-year-old papers on threat modeling. My first paper on this topic, "Breaking Up Is Hard to Do," written with Bruce Schneier, analyzed smart-card security. We talked about categories of threats, threat actors, assets — all the usual stuff for a paper of that era. We took the stance that "we experts have thought hard about these problems, and would like to share our results."

Around the same time, on April 1, 1999, Loren Kohnfelder and Praerit Garg published a paper in Microsoft's internal "Interface" journal called "The Threats to our Products." It was revolutionary, despite not being publicly available for over a decade. What made the Kohnfelder and Garg paper revolutionary is that it was the first to structure the process of how to find threats. It organized attacks into a model (STRIDE), and that model was intended to help people find problems, as noted:

The S.T.R.I.D.E. security threat model should be used by all MS products to identify various types of threats the product is susceptible to during the design phase. Identifying the threats is the first step in a proactive security analysis process.

STRIDE was not the first suggestion for a systematic approach. In his 1994 book, Fundamentals of Computer Security Technology, Ed Amoroso outlined a way to create threat trees, "starting with a general, abstract description of the complete set of threats that exists for a given system, and then introducing detail in an iterative manner, refining the description carefully and gradually."

The invention of STRIDE is the key inflection point in the development of threat modeling from art to engineering practice. By moving us from folk wisdom to structure, STRIDE unleashed a flood of work towards making threat modeling accessible to all engineers.

At Microsoft, the frames included:

  • Frank Swiderski and Window Snyder's Asset/Entry approach
  • J.D. Meier's Patterns and Practices
  • Shawn Hernan and Tomasz Ostwald's STRIDE per element, and
  • my (Adam Shostack's) breakdown of approaches by their focus on asset, attacker, or software, and my four-question framework. (There were certainly others; these are illustrative.)

Asset/Entry is a model derived from the physical world. For example, imagine a burglar stealing your stereo. The stereo is your asset, and the windows, doors, and chimney are the entry points. You track from one to the other and consider controls, such as locks or alarms, that stop or detect an attacker. 

Patterns and Practices is a framework that Microsoft has used for talking about development and operations for quite a long time; I believe it predates threat modeling. Patterns and Practices is more descriptive: This is what people do. They draw diagrams like these. They find that spoofing threats tend to associate with account creation patterns…

STRIDE per Element observed that certain threats occur less often for certain types of elements: data flows aren't spoofed (their endpoints are); data stores are not subject to elevation of privilege.
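To make the STRIDE-per-element idea concrete, here is an added example (not code from the article, from Microsoft, or from any of the authors named) that enumerates candidate threats over a small, constructed data-flow diagram. The two exclusions the article states are encoded directly; the remaining cells of the chart follow the standard STRIDE-per-element table, and the element names and diagram are constructed for illustration.

```python
from dataclasses import dataclass

# STRIDE categories by letter.
STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE-per-element chart: which categories apply to each DFD element
# type. The article states two of the exclusions (flows are not spoofed,
# stores get no elevation of privilege); the other cells follow the
# standard chart (assumption: the usual published table).
PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_flow": "TID",    # spoofing applies to the endpoints, not the flow
    "data_store": "TRID",  # a store holds data; it does not run code
}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # a key of PER_ELEMENT

def threats_for(element):
    """Return (element name, category) pairs STRIDE-per-element yields."""
    if element.kind not in PER_ELEMENT:
        raise ValueError(f"unknown element kind: {element.kind!r}")
    return [(element.name, STRIDE[c]) for c in PER_ELEMENT[element.kind]]

def enumerate_threats(diagram):
    """Enumerate candidate threats for every element of a DFD."""
    found = []
    for element in diagram:
        found.extend(threats_for(element))
    return found

# Constructed DFD for a web login: browser -> request -> service -> DB.
DIAGRAM = [
    Element("browser", "external_entity"),
    Element("login request", "data_flow"),
    Element("auth service", "process"),
    Element("user db", "data_store"),
]

if __name__ == "__main__":
    for name, category in enumerate_threats(DIAGRAM):
        print(f"{name:15} {category}")
```

The output is a list of candidate threats to investigate per element; the chart prunes the pairs that do not apply, such as spoofing a data flow, rather than telling you which of the remaining ones matter for your system.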

Beyond Microsoft, over the past two decades, there has been a Cambrian explosion of tools. Some are built on STRIDE, others not, but they all owe a debt to it.

That explosion, and my attempts to make sense of it, led to an understanding that different approaches often centered on either assets, attackers, or the systems being built. Even the asset- and attacker-centered approaches had a way of scoping "what are we working on?" All had ways of addressing "what can go wrong?" These are the first two questions in my four-question frame; the others are "what are we going to do about it?" and "did we do a good job?"

The debt we owe to STRIDE is the idea that a model can give us a broadly applicable structure. That structure can go beyond a single issue, such as "known plaintext," to cover many attacks. Now, if I use known plaintext as an example, many readers will know that there are chosen plaintext, adaptive chosen plaintext, and more variants. But those attacks are centered on cryptosystems and do us little good outside them. I've used STRIDE on everything from operating systems to a single addition to a web service. It's broad in a way that its predecessors were not.

The debt we owe STRIDE is also a debt that we owe Microsoft, for ongoing investments in tools, techniques, and software, and freely sharing much of that.

Using STRIDE gives me the ability to understand the firehose of new attack variants and see them as small variants on other work. (For that, I use STRIDE and "memory corruption," which is enough for most attacks.)

We should celebrate having a model that started in the era of desktop computing and has survived into the age of mobile, cloud, and web, and shows few signs of becoming obsolete.


Adam is a consultant, entrepreneur, technologist, author and game designer. He's a member of the BlackHat Review Board and helped create the CVE and many other things. He currently helps organizations improve their security via Shostack & Associates, and advises startups ...
Comments

NathanDavidson, User Rank: Apprentice
4/8/2019 | 12:21:42 AM
Who can access?
Readers have one main concern, and that is to know that they can have ready access to any data at any time. Regardless of how revolutionary an article could be, it would be deemed useless should it be made available to everyone only a decade or so later. Content is important, but access to it is even more crucial.