I like STRIDE

14 February 2015

I just finished a week of hard work. Some application owners asked me to run a (short!) security assessment for a single sign-on module they use in their internal database applications.

With the help of an application manager and a copy of the PL/SQL code I started developing a threat model. Thanks to the STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) framework developed by Microsoft, I was able to get a good understanding of the system and its weaknesses.

Generally threat modeling does not include a review of the program code. But in this case a closer look at the code was very helpful for understanding the information flows and for answering the questions posed by STRIDE.
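To show what "the questions posed by STRIDE" look like when asked systematically, here is an added example (not code from the original post, and not the PL/SQL module assessed there) that applies STRIDE-per-element to a small data-flow diagram. The diagram is a constructed, hypothetical model of a single sign-on module between a user client and an internal database application; every element, flow and trust zone in it is an assumption made for illustration. Flows that cross the trust boundary are listed first, since those are the ones a reviewer wants to look at in the code.

```python
"""STRIDE-per-element threat enumeration over a small data-flow diagram.

Added example, not code from the original post. The DFD built below is a
constructed, hypothetical model of a single sign-on module sitting between
a user's client and an internal database application; it is not the
PL/SQL module the post describes.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Threat categories each DFD element type is exposed to (the
# STRIDE-per-element mapping from Microsoft's threat modeling practice).
PER_ELEMENT: Dict[str, str] = {
    "external": "SR",
    "process": "STRIDE",
    "store": "TRID",   # R only matters for stores that hold audit records
    "flow": "TID",
}


@dataclass
class Element:
    name: str
    kind: str                  # external | process | store
    zone: str                  # trust zone the element lives in
    holds_audit_log: bool = False


@dataclass
class Flow:
    name: str
    src: str
    dst: str


@dataclass
class Model:
    elements: Dict[str, Element] = field(default_factory=dict)
    flows: List[Flow] = field(default_factory=list)

    def add(self, *els: Element) -> None:
        for e in els:
            self.elements[e.name] = e

    def connect(self, name: str, src: str, dst: str) -> None:
        assert src in self.elements and dst in self.elements, "unknown endpoint"
        self.flows.append(Flow(name, src, dst))

    def crosses_boundary(self, f: Flow) -> bool:
        # A flow between different trust zones crosses a trust boundary.
        return self.elements[f.src].zone != self.elements[f.dst].zone


def enumerate_threats(m: Model) -> List[Tuple[str, str, bool]]:
    """Return (element or flow, threat category, crosses_trust_boundary)."""
    out: List[Tuple[str, str, bool]] = []
    for e in m.elements.values():
        letters = PER_ELEMENT[e.kind]
        if e.kind == "store" and not e.holds_audit_log:
            letters = letters.replace("R", "")
        for letter in letters:
            out.append((e.name, STRIDE[letter], False))
    for f in m.flows:
        crosses = m.crosses_boundary(f)
        for letter in PER_ELEMENT["flow"]:
            out.append((f.name, STRIDE[letter], crosses))
    return out


def build_sso_model() -> Model:
    """Hypothetical SSO data-flow diagram (constructed for this example)."""
    m = Model()
    m.add(Element("user client", "external", "untrusted"),
          Element("SSO module", "process", "db"),
          Element("session table", "store", "db"),
          Element("audit log", "store", "db", holds_audit_log=True),
          Element("DB application", "process", "db"))
    m.connect("credential submit", "user client", "SSO module")
    m.connect("token issue", "SSO module", "user client")
    m.connect("session write", "SSO module", "session table")
    m.connect("login event", "SSO module", "audit log")
    m.connect("token check", "DB application", "session table")
    return m


def threat_register(m: Model) -> List[str]:
    """Readable register; '!' marks flows that cross a trust boundary."""
    rows = sorted(enumerate_threats(m), key=lambda t: (not t[2], t[0], t[1]))
    return [f"{'!' if x else ' '} {el:<18} {th}" for el, th, x in rows]


if __name__ == "__main__":
    for line in threat_register(build_sso_model()):
        print(line)
```

Each row of the register is one STRIDE question to answer against the code: for a boundary-crossing flow such as the credential submission, "Tampering" asks whether the module validates what it receives, "Information disclosure" whether the channel is protected, and so on. The session table gets no Repudiation row because it is not an audit store, while the audit log does.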

I can only recommend to every system development project: Start threat modeling as early as possible to get the most out of it. Software quality and system security will increase dramatically, at no additional cost.

Happy Valentine’s Day!
