STRIDE has not aged well…
I’ve seen first-hand the thick PDFs and Excel files that my clients have had delivered to them by consultants. Those docs have about a million data flow diagrams, giant tables with columns spanning over multiple pages, and a bunch of unactionable data.
Software engineers and hackers both move much faster than in the past. A list of high-level threats is not really useful when it comes to agile secure software development, because exploitable attack vectors are usually down in the weeds. It’s the detail that is missing from STRIDE reports, despite the huge amount of documentation.
What can we do instead?
I’ve been favouring Attack Modeling over Threat Modeling for some time now. It has only 3 steps:
Attack modeling cuts the documentation significantly, and produces relevant, actionable data with none of the fluff.
Another bonus? The Attack Register can be used as a scope for the pentest!
I’m Gene. I use my software engineering and red team experience to drive security uplift initiatives. Most recently I led the offensive …
More
Everyone? I’m not so sure… Imagine the early 2000s… Britney Spears is playing on …
This Attack Model maps potential attack vectors in …
A few years ago I was brought in to help with …
Let me tell you a story… A few years ago, I was …
The news of Hezbollah agents being targeted with …