STRIDE Threat Model Template
What are we working on?
Directions: fill out the information below to the best of your ability.
Input text: high level description of the project and what is being designed
Add at least one visual dataflow diagram that shows process flows between different entities in the system
If additional information is needed to understand the flow, include additional diagrams or information here. The goal of this section is to capture the documentation needed to accomplish building a successful threat model. If it is discovered later that additional information is required, ensure the “What are we working on?” section is updated with the latest information.
What can go wrong?
STRIDE reminders
| Mnemonic Threat | Definition | Question |
|---|---|---|
| Spoofing | The ability to impersonate another user or system component to gain unauthorized access. | Is the user who they say they are? |
| Tampering | Unauthorized alteration of data or code. | Has the data or code been modified in some way? |
| Repudiation | The ability for a system or user to deny having taken a certain action. | Is there enough data to “prove” the user took the action if they were to deny it? |
| Information Disclosure | The over-sharing of data expected to be kept private. | Is there anywhere where excessive data is being shared or controls are not properly in place to protect private information? |
| Denial of Service | The ability for an attacker to negatively affect the availability of a system. | Can someone, without authorization, impact the availability of the service or business? |
| Elevation of Privilege | The ability for an attacker to gain additional privileges and roles beyond what they initially were granted. | Are there ways for a user, without proper authentication (verifying identity) and authorization (verifying permission) to gain access to additional privileges, either through standard (normally legitimate) or illegitimate means? |
To complete the STRIDE table below, apply the questions above to each of the interactions in the data flow diagram between different entities. There should be at least one issue identified for each of S, T, R, I, D, and E. Make sure to uniquely identify them, so they are easier to track in the next step.
Threat table
| Threat | Issues |
|---|---|
| Spoofing | Spoof.1 - Description of at least one spoofing issue |
| Tampering | Tamper.1 - Description of at least one tampering issue |
| Repudiation | Repudiate.1 - Description of at least one repudiation issue |
| Information Disclosure | Info.1 - Description of at least one information disclosure issue |
| Denial of Service | DoS.1 - Description of at least one denial of service issue |
| Elevation of Privilege | Elevation.1 - Description of at least one elevation of privilege issue |
What are we going to do about it?
To complete the table below, design or identify mitigations that can address each of the issues identified. Alternatively, the risk may be documented and corporately accepted by the business.
| Threat | Issues |
|---|---|
| Spoofing | Spoof.1.R.1 - Description of the first remediation for this issue. Oftentimes, there may be more than one singular remediation required to fully address an issue. Ensure sufficient detail is provided to fully mitigate or remediate the issue. Spoof.1.R.2 - Second remediation step for the first Spoofing issue, etc. |
| Tampering | Tamper.1.R.1 - Description of the first remediation for this issue. Oftentimes, there may be more than one singular remediation required to fully address an issue. Ensure sufficient detail is provided to fully mitigate or remediate the issue. |
| Repudiation | Repudiate.1.R.1 - Description of the first remediation for this issue. Oftentimes, there may be more than one singular remediation required to fully address an issue. Ensure sufficient detail is provided to fully mitigate or remediate the issue. |
| Information Disclosure | Info.1.R.1 - Description of the first remediation for this issue. Oftentimes, there may be more than one singular remediation required to fully address an issue. Ensure sufficient detail is provided to fully mitigate or remediate the issue. |
| Denial of Service | DoS.1.R.1 - Description of the first remediation for this issue. Oftentimes, there may be more than one singular remediation required to fully address an issue. Ensure sufficient detail is provided to fully mitigate or remediate the issue. |
| Elevation of Privilege | Elevation.1.R.1 - Description of the first remediation for this issue. Oftentimes, there may be more than one singular remediation required to fully address an issue. Ensure sufficient detail is provided to fully mitigate or remediate the issue. |
Did we do a good job?
-
Has the data flow diagram been referenced since it was created?
-
Did the STRIDE model uncover any new design issues or concerns that had not been previously addressed or thought of?
-
Did the treatments identified in the “What are we going to do about it” section adequately address the issues identified?
-
Have additional issues been found after the threat model?
-
Any additional thoughts or insights on the threat modeling process that could help improve it next time?