I recall someone asking me to explain what I do at work the way I would explain it to a child; this got me thinking about how to simplify basic security concepts. Let me make an attempt.
Imagine you have a treasure chest full of valuable items like gold coins, jewelry, and precious gems. You want to keep this treasure safe from thieves who might try to steal it. Threat modeling is like making a plan to protect your treasure. It’s a way to think about all the different ways a thief might try to steal your treasure and come up with ways to stop them.
The STRIDE model is a special way to think about the different ways a thief might try to steal your treasure. Each letter in STRIDE stands for a different kind of threat:
- S stands for Spoofing, which means a thief might try to pretend to be someone else to trick you into giving them access to your treasure.
- T stands for Tampering, which means a thief might try to damage or change something to get to your treasure.
- R stands for Repudiation, which means a thief might deny that they stole your treasure and try to blame someone else.
- I stands for Information Disclosure, which means a thief might try to find out information about your treasure, like where it’s kept or how to get to it.
- D stands for Denial of Service, which means a thief might try to stop you from being able to get to your treasure.
- E stands for Elevation of Privilege, which means a thief might try to get to your treasure by getting more power or access than they are supposed to have, like a helper who is only allowed to dust the chest finding a way to open it.
By thinking about these different kinds of threats, you can come up with ways to protect your treasure. For example, you might decide to lock your treasure chest with a strong padlock to prevent tampering, or keep the key hidden to prevent information disclosure.
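As an added example (not part of the original post), here is the same idea in code: the treasure story is modelled as a tiny data-flow diagram and each element is checked against the STRIDE-per-element applicability table, so the threats that still have no protection stand out. The element names and the two mitigations are taken from the story above; the applicability table goes a step beyond the post and reflects common threat-modeling practice.

```python
from dataclasses import dataclass, field

# Full names of the six STRIDE threat categories.
STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service",
    "E": "Elevation of Privilege",
}

# STRIDE-per-element: which categories usually apply to each kind of
# data-flow-diagram element (assumption drawn from common practice).
# Repudiation on a data store matters mainly when the store is an audit log.
APPLIES_TO = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TRID",
}

@dataclass
class Element:
    name: str
    kind: str
    mitigations: dict = field(default_factory=dict)  # STRIDE letter -> control

def enumerate_threats(elements):
    """Return (element, letter, category, mitigation or None) for every
    threat category that applies to each element."""
    out = []
    for e in elements:
        for letter in APPLIES_TO[e.kind]:
            out.append((e.name, letter, STRIDE[letter], e.mitigations.get(letter)))
    return out

def unmitigated(elements):
    """The gaps a threat model exists to find: applicable threats with no control."""
    return [(n, l) for n, l, _, m in enumerate_threats(elements) if m is None]

# Constructed model of the treasure-chest story: the chest is a data store,
# handing over the key is a data flow, checking who is at the door is a process,
# and the owner is an external entity.
TREASURE_MODEL = [
    Element("owner", "external_entity"),
    Element("door check", "process"),
    Element("key handover", "data_flow"),
    Element("treasure chest", "data_store",
            {"T": "strong padlock", "I": "key kept hidden"}),
]

if __name__ == "__main__":
    for name, letter, category, control in enumerate_threats(TREASURE_MODEL):
        print(f"{name:15} {letter} {category:24} -> {control or 'NO CONTROL YET'}")
```

The padlock and the hidden key cover two of the fifteen applicable threats; the remaining gaps (for instance nobody noticing that the chest was opened, or the key being swapped while it is handed over) are what the next round of planning should address.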
So, that’s what threat modeling with the STRIDE model is all about — thinking like a thief so you can keep your treasure safe!