STRIDE / DREAD
STRIDE and DREAD are two ways of looking at security of a system.STRIDE is a way to classify security threats in terms of what can be done if an exploit is found, while DREAD tends to look at how likely and common the exploit can be.Both of these acronyms came out of Microsoft. Neither is a silver bullet for security, but it does offer a good framework about talking about security. Today, for instance, we were talking about some aspect of our system at work and seemed to be running into a roadblock about how to talk about it. A framework about what to think about was helpful to drive to a conclusion.Like I said... it doesn't solve problems by itself. It can, however, let you come to a common understanding about what the problem is.
- = -
STRIDE
- Spoofing
- Tampering
- Repudiation
- Information disclosure
- Denial of service
- Elevation of privilege
DREAD
- Damage
- Reproducibility
- Exploitability
- Affected users
- Discoverability