Skip to content

Commit 1d05c29

Browse files
authored
Merge pull request #205 from LLM-Coding/copilot/add-stride-anchor
feat: Add STRIDE threat model as a new semantic anchor
2 parents 521f8e6 + f1d3662 commit 1d05c29

4 files changed

Lines changed: 129 additions & 0 deletions

File tree

docs/anchors/stride.adoc

Lines changed: 47 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,47 @@
1+
= STRIDE Threat Model
2+
:categories: testing-quality
3+
:roles: software-developer, software-architect, qa-engineer, devops-engineer, consultant, team-lead
4+
:related: owasp-top-10, regulated-environment
5+
:proponents: Loren Kohnfelder, Praerit Garg, Adam Shostack
6+
:tags: security, threat-modeling, appsec, risk, threats
7+
:tier: 3
8+
9+
[%collapsible]
10+
====
11+
Full Name:: STRIDE Threat Modeling Framework
12+
13+
Also known as:: STRIDE Threat Model, Microsoft STRIDE
14+
15+
[discrete]
16+
== *Core Concepts*:
17+
18+
Spoofing:: Impersonating another user, process, or system to gain unauthorized access; mitigated by strong authentication
19+
20+
Tampering:: Unauthorized modification of data in transit or at rest; mitigated by integrity controls, digital signatures, and access controls
21+
22+
Repudiation:: Denying that an action was performed when it actually was; mitigated by audit logging and non-repudiation mechanisms
23+
24+
Information Disclosure:: Exposing sensitive data to unauthorized parties; mitigated by encryption, access control, and data minimization
25+
26+
Denial of Service:: Disrupting or degrading availability of a system or service for legitimate users; mitigated by rate limiting, redundancy, and resilience
27+
28+
Elevation of Privilege:: Gaining capabilities or permissions beyond what is legitimately authorized; mitigated by least-privilege principles and authorization checks
29+
30+
Key Proponents:: Loren Kohnfelder and Praerit Garg (Microsoft, 1999); popularized by Adam Shostack ("Threat Modeling: Designing for Security", 2014)
31+
32+
[discrete]
33+
== *When to Use*:
34+
35+
* Performing structured threat modeling during software design and architecture reviews
36+
* Identifying and categorizing potential threats in security assessments
37+
* Training developers to think adversarially about system security
38+
* Prioritizing security controls and mitigations during system design
39+
* Conducting security design reviews and red-team exercises
40+
* Establishing a shared vocabulary for discussing security threats across teams
41+
42+
[discrete]
43+
== *Related Anchors*:
44+
45+
* <<owasp-top-10,OWASP Top 10>>
46+
* <<regulated-environment,Regulated Environment>>
47+
====

docs/anchors/stride.de.adoc

Lines changed: 46 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,46 @@
1+
= STRIDE Bedrohungsmodell
2+
:categories: testing-quality
3+
:roles: software-developer, software-architect, qa-engineer, devops-engineer, consultant, team-lead
4+
:related: owasp-top-10, regulated-environment
5+
:proponents: Loren Kohnfelder, Praerit Garg, Adam Shostack
6+
:tags: security, threat-modeling, appsec, risk, threats
7+
8+
[%collapsible]
9+
====
10+
Vollständiger Name:: STRIDE Bedrohungsmodellierungs-Framework
11+
12+
Auch bekannt als:: STRIDE Bedrohungsmodell, Microsoft STRIDE
13+
14+
[discrete]
15+
== *Kernkonzepte*:
16+
17+
Spoofing (Identitätsvortäuschung):: Vortäuschung einer anderen Identität (Benutzer, Prozess oder System) zum Erlangen unbefugten Zugriffs; Gegenmaßnahme: starke Authentifizierung
18+
19+
Tampering (Manipulation):: Unbefugte Veränderung von Daten während der Übertragung oder Speicherung; Gegenmaßnahme: Integritätskontrollen, digitale Signaturen und Zugriffskontrollen
20+
21+
Repudiation (Abstreitbarkeit):: Abstreiten, eine Aktion durchgeführt zu haben; Gegenmaßnahme: Audit-Logging und Nicht-Abstreitbarkeitsmechanismen
22+
23+
Information Disclosure (Informationsoffenlegung):: Preisgabe vertraulicher Daten an unbefugte Parteien; Gegenmaßnahme: Verschlüsselung, Zugriffskontrolle und Datensparsamkeit
24+
25+
Denial of Service (Dienstverweigerung):: Beeinträchtigung oder Unterbrechung der Verfügbarkeit eines Systems für legitime Nutzer; Gegenmaßnahme: Rate Limiting, Redundanz und Resilienz
26+
27+
Elevation of Privilege (Rechteausweitung):: Erlangen von Berechtigungen über das legitim zugewiesene Maß hinaus; Gegenmaßnahme: Least-Privilege-Prinzip und Autorisierungsprüfungen
28+
29+
Schlüsselvertreter:: Loren Kohnfelder und Praerit Garg (Microsoft, 1999); verbreitet durch Adam Shostack („Threat Modeling: Designing for Security", 2014)
30+
31+
[discrete]
32+
== *Wann zu verwenden*:
33+
34+
* Strukturierte Bedrohungsmodellierung während Software-Design und Architektur-Reviews
35+
* Identifizierung und Kategorisierung potenzieller Bedrohungen bei Sicherheitsbewertungen
36+
* Schulung von Entwicklern im sicherheitsorientierten Denken über Systembedrohungen
37+
* Priorisierung von Sicherheitsmaßnahmen und Gegenmaßnahmen beim Systemdesign
38+
* Durchführung sicherheitsorientierter Design-Reviews und Red-Team-Übungen
39+
* Schaffung einer gemeinsamen Sprache für die Diskussion von Sicherheitsbedrohungen im Team
40+
41+
[discrete]
42+
== *Verwandte Anker*:
43+
44+
* <<owasp-top-10,OWASP Top 10>>
45+
* <<regulated-environment,Reguliertes Umfeld>>
46+
====

skill/semantic-anchor-translator/references/catalog.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -42,6 +42,10 @@ Source: https://github.com/LLM-Coding/Semantic-Anchors
4242
- **Proponents:** International Electrotechnical Commission
4343
- **Core:** Safety integrity levels for safety-critical systems
4444

45+
### STRIDE Threat Model
46+
- **Proponents:** Loren Kohnfelder, Praerit Garg (Microsoft), Adam Shostack
47+
- **Core:** Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege — structured threat categorization for security design
48+
4549
## Software Architecture
4650

4751
### Clean Architecture

website/public/data/anchors.json

Lines changed: 32 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2084,6 +2084,38 @@
20842084
"tags": [],
20852085
"filePath": "docs/anchors/ssot-principle.adoc"
20862086
},
2087+
{
2088+
"id": "stride",
2089+
"title": "STRIDE Threat Model",
2090+
"categories": [
2091+
"testing-quality"
2092+
],
2093+
"roles": [
2094+
"software-developer",
2095+
"software-architect",
2096+
"qa-engineer",
2097+
"devops-engineer",
2098+
"consultant",
2099+
"team-lead"
2100+
],
2101+
"related": [
2102+
"owasp-top-10",
2103+
"regulated-environment"
2104+
],
2105+
"proponents": [
2106+
"Loren Kohnfelder",
2107+
"Praerit Garg",
2108+
"Adam Shostack"
2109+
],
2110+
"tags": [
2111+
"security",
2112+
"threat-modeling",
2113+
"appsec",
2114+
"risk",
2115+
"threats"
2116+
],
2117+
"filePath": "docs/anchors/stride.adoc"
2118+
},
20872119
{
20882120
"id": "swot",
20892121
"title": "SWOT",

0 commit comments

Comments
 (0)