Last updated: Oct 22, 25 20:48 UTC

Activity: Understanding STRIDE

The STRIDE framework is useful for reasoning about potential threats in a threat modeling session. STRIDE is an acronym that stands for six different threat categories – Spoofing (S), Tampering (T), Repudiation (R), Information Disclosure (I), Denial of Service (D), and Escalation of Privilege (E).

Steps

To get started, download the starter code.

In this activity you will learn what each threat in the STRIDE framework means by looking at code examples that are vulnerable to it. The examples are listed in the directories spoofing, tampering, repudiation, infodisclosure, dos, and privEscalation. Each threat directory has two examples – an insecure web server program that illustrates the threat and a secure version that demonstrates how to prevent it. Further, each directory has an accompanying markdown file explaining the threat, how it manifests in the two examples, and the steps to reproduce the attack.

What do you have to do?

Review the markdown files in each threat directory. Then perform the steps in the "For you to do" sections of each threat directory to see the threat manifest in action and to check your understanding.

When you are done, create a single combined text file to submit your work (see the Canvas assignment for any additional instructions, if assigned). Submission details may vary from section to section.

Grading Rubric

  • +2 points for each of the threats. Submit any 5. Total grade is up to 10 points.

© 2025-26 Adeel Bhutta, Joydeep Mitra and Mitch Wand. Released under the CC BY-SA license