STRIDE

S - Spoofing - identity theft, pretending to be someone else

T - Tampering - changing data, permissions, system access, etc.

R - Repudiation - injecting data that will not be valid for the service; to protect against this, use schema validation, for instance

I - Information disclosure - capturing some part of the system and listening to requests; for instance, an attacker subscribes to an events service that sends confidential data to all subscribers. To protect against this we can implement a zero trust model, meaning that each part of the system (i.e. each microservice) only trusts verified users/services with valid tokens, etc.
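As an added example (not code from the original post), here is a small Python model of an events service that applies the two protections named above: each event is checked against a schema before it is accepted (the schema validation mentioned under Repudiation), and confidential events are delivered only to subscribers presenting a valid signed token with the right scope (the zero trust idea under Information disclosure). The token format, the signing key, the scope names and the event schema are all assumptions made for this illustration.

```python
"""Added example (not from the original post): an events service that
validates each event against a schema and delivers confidential events only
to subscribers whose signed token verifies and carries the right scope.
The token format, signing key, scope names and event schema are constructed
for this illustration."""
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret used by the issuer to sign subscriber tokens.
SIGNING_KEY = b"constructed-demo-key-not-for-real-use"

# Constructed schema: field name -> required Python type; no extra fields allowed.
EVENT_SCHEMA = {"event_id": int, "kind": str, "payload": str, "confidential": bool}


def validate_event(event: dict) -> bool:
    """Schema validation: exact field set and exact types (bool is not int here)."""
    if not isinstance(event, dict) or set(event) != set(EVENT_SCHEMA):
        return False
    return all(type(event[name]) is typ for name, typ in EVENT_SCHEMA.items())


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, scopes: list, ttl_seconds: int, now: float) -> str:
    """Issue a compact token: base64url(claims JSON) '.' base64url(HMAC-SHA256)."""
    claims = {"sub": subject, "scopes": scopes, "exp": int(now) + ttl_seconds}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(sig)}"


def verify_token(token: str, now: float):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        body_b64, sig_b64 = token.split(".")
        body = _unb64(body_b64)
        expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
        # Constant-time comparison so a forged signature leaks nothing via timing.
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return None
        claims = json.loads(body)
    except (ValueError, TypeError):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def deliver(event: dict, subscribers: dict, now: float) -> list:
    """Return the sorted list of subscriber names that receive `event`.

    `subscribers` maps name -> presented token. Events failing the schema are
    dropped. Every subscriber is re-verified on every delivery (zero trust:
    nobody is trusted merely for being inside the system); confidential
    events go only to tokens carrying the "confidential" scope.
    """
    if not validate_event(event):
        return []
    recipients = []
    for name, token in subscribers.items():
        claims = verify_token(token, now)
        if claims is None:
            continue  # bad signature, malformed, or expired: not trusted
        if event["confidential"] and "confidential" not in claims.get("scopes", []):
            continue
        recipients.append(name)
    return sorted(recipients)


if __name__ == "__main__":
    now = time.time()
    subs = {
        "billing": issue_token("billing", ["public", "confidential"], 3600, now),
        "dashboard": issue_token("dashboard", ["public"], 3600, now),
        "stale": issue_token("stale", ["confidential"], -10, now),  # already expired
    }
    # A subscriber that rewrites its claims but reuses a genuine signature:
    # the HMAC no longer matches the body, so verification rejects it.
    genuine_sig = subs["dashboard"].split(".")[1]
    forged_body = issue_token("dashboard", ["confidential"], 3600, now).split(".")[0]
    subs["forged"] = f"{forged_body}.{genuine_sig}"
    secret = {"event_id": 1, "kind": "invoice", "payload": "card ending 4242", "confidential": True}
    print(deliver(secret, subs, now))  # only 'billing'
```

The design point is that the service never keeps a list of "trusted" subscribers: every delivery re-checks the presented token, and the token's scope, not the subscriber's position in the architecture, decides whether confidential data flows to it.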

D - Denial of service - flooding the service with lots of requests so that the system is unable to fulfil them, leading to delays/failures in responses

E - Escalation of privilege - performing actions that the currently authenticated user does not have permission to perform
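As an added example (not code from the original post), the following Python request gate shows a common mitigation for each of the last two items: a per-client token bucket that throttles request floods (denial of service) and a deny-by-default permission check that refuses actions the caller's role does not grant (escalation of privilege). The roles, actions and limits are constructed for this illustration.

```python
"""Added example (not from the original post): a request gate that applies
a per-client token bucket against request floods (denial of service) and a
deny-by-default permission check against actions the caller's role does not
grant (escalation of privilege). Roles, actions and limits are constructed
for this illustration."""

# Constructed role -> permitted actions. Anything not listed is denied.
ROLE_PERMISSIONS = {
    "viewer": {"read_report"},
    "editor": {"read_report", "edit_report"},
    "admin": {"read_report", "edit_report", "delete_report", "grant_role"},
}


class TokenBucket:
    """Allows bursts up to `capacity`, then `refill_per_sec` requests per second."""

    def __init__(self, capacity: int, refill_per_sec: float, now: float):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = float(capacity)
        self.last = now

    def allow(self, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(float(self.capacity), self.tokens + elapsed * self.refill_per_sec)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RequestGate:
    """Rate-limit first (cheap, per client), then authorize against the role the
    server resolved from the authenticated session; never trust a role the
    client sends in the request."""

    def __init__(self, capacity: int = 5, refill_per_sec: float = 1.0):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.buckets = {}   # client_id -> TokenBucket
        self.audit = []     # (client_id, action, status) for detection/IR

    def handle(self, client_id: str, session_role: str, action: str, now: float) -> int:
        bucket = self.buckets.get(client_id)
        if bucket is None:
            bucket = self.buckets[client_id] = TokenBucket(self.capacity, self.refill_per_sec, now)
        if not bucket.allow(now):
            status = 429    # too many requests: flood from this client
        elif action not in ROLE_PERMISSIONS.get(session_role, set()):
            status = 403    # authenticated but not permitted: attempted escalation
        else:
            status = 200    # the action would be performed here
        self.audit.append((client_id, action, status))
        return status

    def denied_counts(self) -> dict:
        """Per-client count of 403s: a spike is a detection signal worth alerting on."""
        counts = {}
        for client_id, _action, status in self.audit:
            if status == 403:
                counts[client_id] = counts.get(client_id, 0) + 1
        return counts


if __name__ == "__main__":
    gate = RequestGate(capacity=3, refill_per_sec=1.0)
    t = 1000.0
    print([gate.handle("c1", "viewer", "read_report", t) for _ in range(4)])  # [200, 200, 200, 429]
    print(gate.handle("c1", "viewer", "read_report", t + 2.0))               # 200 after refill
    print(gate.handle("c2", "viewer", "delete_report", t))                   # 403
    print(gate.handle("c2", "admin", "delete_report", t))                    # 200
    print(gate.denied_counts())                                              # {'c2': 1}
```

Two choices matter here: the permission table is consulted with `.get(role, set())`, so an unknown role is denied rather than falling through, and every refusal is recorded, because repeated 403s from one authenticated client are exactly the pattern a detection rule for privilege escalation attempts should look for.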

Comments

  1. I just wanted to thank you for sharing your blog post on how to be a good developer! It's really helpful to understand how to do the right things and avoid the wrong things when you're a developer. This article really helped me out and I'm glad I found it!
    Learn C#
