STRIDE Threat Model

Microsoft's six-category framework for identifying threats during design: what each category looks like and how to defend against it.

S — Spoofing
breaks Authentication

Pretending to be someone (or something) you're not — impersonating users, services or machines.

examples
  • Stealing a session cookie and using it to log in as another user
  • Forging an email From: header to look like it came from a trusted sender
  • DNS spoofing to direct traffic to a malicious server
defenses
  • Strong authentication (MFA, hardware tokens)
  • Signed tokens (JWT with strong signing key, mTLS for services)
  • Secure session management — short lifetime, rotate on auth events
T — Tampering
breaks Integrity

Modifying data or code in a way that breaks integrity guarantees.

examples
  • Editing a request body before it reaches the server
  • Swapping a downloaded binary with a malicious one
  • Changing a database row directly to bypass business logic
defenses
  • Hashes and digital signatures (HMAC, code signing)
  • Database constraints, audit logs, write-once stores
  • TLS to prevent in-transit modification
R — Repudiation
breaks Non-repudiation

A user denying they performed an action — and you can't prove they did.

examples
  • User claims they didn't click 'delete account' — no audit log to disprove it
  • Admin denies running a destructive command
  • Customer disputes a charge with no evidence trail
defenses
  • Immutable audit logging of every sensitive action
  • Cryptographic receipts (signed timestamps, blockchain-style hashes)
  • Multi-party logging — log to a system the user can't tamper with
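
Added example (not part of the original page): a hash-chained audit log in Python, one way to realise the "blockchain-style hashes" defense above. Each entry's HMAC covers the previous entry's MAC, so an edited, deleted or reordered entry fails verification, and a copy of the latest MAC kept on a separate system exposes truncation. The function names, record fields and sample entries are assumptions made up for this illustration; the key is assumed to be held only by the logging service.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # value chained into the first entry


def _mac(key, prev, record):
    # Canonical JSON so the same record always serialises to the same bytes.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, f"{prev}|{body}".encode(), hashlib.sha256).hexdigest()


def append(log, key, actor, action, ts):
    """Append an entry whose MAC covers the record and the previous entry's MAC."""
    prev = log[-1]["mac"] if log else GENESIS
    record = {"seq": len(log), "ts": ts, "actor": actor, "action": action}
    entry = {**record, "prev": prev, "mac": _mac(key, prev, record)}
    log.append(entry)
    return entry


def verify(log, key, expected_head=None):
    """Return -1 if the chain is intact, else the index of the first bad entry.

    expected_head is the latest MAC as recorded on a separate system. Without
    it, removal of the newest entries goes unnoticed; with it, a mismatch at
    the end of the chain returns len(log).
    """
    prev = GENESIS
    for i, e in enumerate(log):
        record = {k: e[k] for k in ("seq", "ts", "actor", "action")}
        ok = (e["seq"] == i and e["prev"] == prev
              and hmac.compare_digest(e["mac"], _mac(key, prev, record)))
        if not ok:
            return i
        prev = e["mac"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return len(log)
    return -1


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; a real key lives in the log service
    log = []
    append(log, key, "alice", "delete_account", "2024-01-01T00:00:00Z")
    append(log, key, "alice", "logout", "2024-01-01T00:01:00Z")
    head = log[-1]["mac"]          # copy this to a system the user cannot reach
    log[0]["actor"] = "bob"        # simulate an after-the-fact edit
    print(verify(log, key, head))  # index of the first entry that fails
```

An HMAC chain gives tamper evidence to whoever holds the key; proving an action to a third party needs asymmetric signatures instead.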
I — Information Disclosure
breaks Confidentiality

Exposing data to people who shouldn't see it.

examples
  • Stack traces leaked in production responses
  • S3 bucket misconfigured to be public
  • Returning more user fields than the API documented
  • Side-channel attacks on timing or cache
defenses
  • Encrypt at rest and in transit (TLS, AES-GCM)
  • Principle of least privilege for data access
  • Strict serialization — never return raw DB models, use DTOs
  • Generic error messages in production
D — Denial of Service
breaks Availability

Making the system unavailable to legitimate users.

examples
  • Flooding an endpoint with requests until it crashes
  • Submitting a regex that causes catastrophic backtracking (ReDoS)
  • Uploading a 10TB file with no size cap
  • ZIP bomb that decompresses to terabytes
defenses
  • Rate limiting per IP and per user
  • Request size limits at the proxy / load balancer
  • Timeouts on every external call
  • CDN absorption + WAF for L7 attacks
E — Elevation of Privilege
breaks Authorization

Gaining access to capabilities you shouldn't have.

examples
  • A regular user accessing the admin panel by changing /user to /admin
  • Exploiting a vulnerability to run shell commands as root
  • JWT with `"alg": "none"` accepted by a misconfigured library
  • SQL injection escalating from read to write
defenses
  • Authorize on every request — server-side, never trust the client
  • Principle of least privilege — services and users get only what they need
  • Strict role checks, no implicit admin
  • Sandboxing, containers, seccomp filters