Stride Methodology in SDLC Security
All the applications we develop in this age face the constant threat of data insecurity. With data gaining more power, hackers and data manipulators are always on the lookout for sensitive data.
You will always have malicious attackers trying to steal the data from your application and systems. If you’re serious about data security, you need to frequently test your system for vulnerabilities and keep it secure.
Threat modeling is a way in which data security is managed by organizations across the globe. One of the famous methods of threat modeling is STRIDE methodology.
Let’s take a look at this methodology in this blog post. We will start by understanding what is STRID methodology followed by the different security standards.
Table of Contents
- What is STRIDE methodology?
- How popular is STRIDE methodology?
- Six categories of threat according to STRIDE methodology
- Verdict
What is STRIDE methodology?
Organizations are facing a lot of challenges when it comes to managing cyber threats. Most of them try to manage the threats with a set of threat modelling approaches. STRIDE is a threat modeling approach that helps you check the security status of your systems and applications. STRIDE translates to Spoofing, Tampering, Repudiation, Information Disclosure, Denial Of Service and Elevation of Privilege.
This represents six types of threat that can occur in your application within your organization. The main aim of this STRIDE is to ensure that all your applications are maintained and meet the security standards that are generally accepted in the business world.
All applications and software must meet the following safety and security standards inside an organization
- Confidentiality
- Integrity
- Availability
- Authentication
- Authorization
- Non- Repudiation
As a security professional, it is your responsibility to make sure that all your applications meet these criteria before being deployed in action. The financial repercussions of not meeting these factors can be devastating for your organization.
STRIDE methodology has one goal - to help you identify the weakness in your applications.
Hackers can use these weak points to steal data and damage the reputation of your organization. At times, you may also find your own employees stealing data and providing it to your competitors. Weak points also allow bugs to infiltrate your system and applications in no time.
STRIDE methodology can be a terrific way to test the weakness of your applications and make sure it cannot be broken through by internal or external entities.
How Popular is STRIDE methodology?
Here’s the short answer to this question - Yes, it is a very famous threat modeling methodology.
Here’s the long answer -
STRIDE modeling is a threat modeling methodology used by application developers in the Microsoft Development team. It was developed to help developers and security engineers analyze the threats in their applications.
There are six steps in STRIDE methodology and each one helps you identify the threat inside your applications and systems.
When you are able to identify threats with a repeatable process, you can plan your IT infrastructure and cybersecurity system needs with precision. In a sense of accuracy, STRIDE is one of the most famous threat modeling methodologies used by security engineers and developers.
STRIDE methodology can help you determine the following -
- A collection of all the threats that may arise in your system
- The methods and techniques used by attackers and insiders
- The goals of these hackers and the data points they might be targeting
- The infrastructure and resources needed to prevent these attacks
- The Cybersecurity measures need to tackle these attacks.
Six categories of threat according to STRIDE
Now that you have a solid understanding of STRIDE and how it will help you, let’s take a look at the six categories or approaches in it.
Spoofing
Spoofing involves the impersonation of a user to access their information. It may also include the impersonation of s specific system to gain access to data inside your application’s database. In Spoofing, the original user has no knowledge that the application is used with his credentials. The administrator may also have no clue about spoofing, as the access credentials are right for authentication.
This method is followed in systems which employ a very simple login procedure like a 5 digit password or the use of personal information like Date Of Birth. But spoofing is not a very technical process, as it has been applied to everything from emails, phone number and website logins to the IP Address of a computer.
Most times, you may not have a clue that you were spoofed even after data was leaked. This might be the easiest threat to perform and the hardest threat to track.
Tampering
Tampering involves the process of modifying the data on your applications and databases. This can be performed by external or internal entities who configure the data or worse - delete it. Tampering can be solved by creating a consistent backup process. A daily backup will make sure that your data can be retrieved to its original point after it has been tampered with.
Repudiation
It occurs when a user claims that they did not perform the malicious attack on your application and databases. They may claim to not have initiated or performed the attack when it is clear that they did.
Attackers or even your own employees can perform a malicious attack on your organization’s application and claim to have no connection to it. They can easily erase any track and throw away any connections they might have with the attack. They might modify the logs to throw you off track and make sure that they are never found to be guilty. Some attackers may also spoof the use of an authorized user to blame the attack on them.
Information disclosure
Your organization will always contain sensitive information that should not be disclosed to your users. Sometimes the data should also not be disclosed to most employees ( this will be determined based on their role and level of responsibility inside your organization ).
Here are some famous examples of information disclosure in Recent years
Microsoft
Customer support records of the past 14 years were left online without any password. This allowed almost everyone to access the database of customer support conversations and other sensitive information.
Data of Indian Citizens
Officials found sensitive information of more than 100,000 Indian citizens on a Mongolian database. This included sensitive information like name, phone number, age, job, salary and much more. This was reported in May 2019 by the Government of India.
Marriott International
In November of 2018, a group of hackers were able to steal sensitive information from the Marriott international group. It included a bunch of sensitive information like name of guests and their credit card numbers.
These are just some of the well-known events of information disclosure in recent years. There are still millions of unrecorded and unreported events in the history of organizations and governments.
Denial of Service
Denial of Service attacks are used by hackers to prevent the system or application from performing the service it was intended for. DoS attacks are performed by flooding your application with thousands of fake requests, making it inaccessible by your users. With so many fake requests, your systems will slow down and eventually crash. Hackers may not get access to data or any financial benefits with DOS attacks, but they will definitely cost you a ton of money and resources. Unavailability of your application can cause huge financial and reputational losses to your organization.
Elevation of privilege
This is an attack which involves an attacker to access something that they’re not allowed to do. The hacker may spoof another person or tamper with the access credentials to view information that they aren’t allowed to access. The most dangerous form of this attack is the elevation privilege where an attacker gains access to higher levels of authorization with consistent spoofing or tampering.
Verdict
Security is often an overlooked aspect in app development. Most developers and system engineers push strict security measures as their “ least priority “ when developing their applications. STRIDE methodology offers them a way to test these applications even after they have been designed and deployed. It offers an efficient way to model the most common threats and identify how you could make your app even better. If you’re looking to test an application that’s already been deployed, STRIDE will be a great choice.