Threat Analysis Using STRIDE
File: misc/stride.txt (or .pdf)
Work with a partner or on your own. A partner would be more fun, and would probably generate a wider range of threat ideas.
Goals
- Read about threat modeling basics
- Practice thinking about a variety of types of threats in a scenario
- Get familiar with one common threat modeling framework (STRIDE)
Rubric
In this assignment, you will perform a STRIDE-based analysis of a security scenario.
In a security certification course or something similar, there would doubtless be a strict set of rules for structuring and formatting your threat analysis. My pedagogical goals for this assignment, however, are not to turn you into certified threat modelers, but rather to get you into the habit of thinking in a structured way about threats. Though STRIDE does get you into some "thinking like an attacker," it is more focused on security at the system design stage rather than on reactive defense in the face of attacks. By analyzing your system's structure, you can try to build security into the system from the start.
The scenario
OK, I want to say just one word to you. Are you listening? Here's the word: tapirs.
Keep this secret, because I don't want the competition to get the jump on me. But you know how for a while pandas were all the rage, and you had beanie-pandas and panda mugs and panda-monium t-shirts and pandas all over TikTok? That was just a couple years ago, like 1988 or something. Well, I'm pretty sure that the next big thing is gonna be (shhh!) tapirs!
Here's my vision. We put together a social network so people can talk about tapirs, post their favorite tapir pictures, tapir facts, tapir questions, tapir gossip, and (of course) tapir fanfic! Everybody will make an account, we'll get the buzz going, and we'll sell all the tapir swag—tapir travel mugs, tapir masks, tapir notebooks, tapir wall decals, tapir-scented candles, tapir sump pumps, and tapir mousepads (all the Gen-Z's use mousepads, right? tapirpads!). It's a can't-miss idea! Call the venture capitalists! Alert Y-combinator! Prepare the TED talk! Two TED talks!
But of course, here at Tapirs Unlimited, we care first and foremost about our customers' safety. So...could you help me think about security?
Your job
This is where you come in. You're going to do a STRIDE analysis of Tapirs Unlimited. Our users will require privacy and confidentiality, data integrity, service availability, etc., so threats to any of those attributes of the system need to be identified and (if possible) mitigated.
The service will consist of:
- A database server, listening at port 5432 on a computer in my home office. I'll pay for a static IP address (i.e., one that's always the same) for my home network. The database will contain user account information (including names, passwords, addresses, credit cards, tapir descriptions and locations, photos, videos, etc.).
- A web server, listening at ports 80 (HTTP) and 443 (HTTPS) on a server hosted by the cloud hosting company Linode. The web server supports normal web pages, user login, API access to tapir-related data, tapir chat logs, etc., all implemented in PHP using the PostgreSQL database management system. This web server accesses the database server as needed to support the many features of Tapirs Unlimited.
- A web client (i.e., web pages served from the web server, supporting all the features of the service, optimized for phone, tablet, and desktop).
- Client apps for iOS and Android that access the HTTP-based API on the web server supporting the apps' features.
What to hand in
- A data flow diagram for the system. There's a good introduction to data flow diagrams on pages 9-13 of this short intro to threat modeling. Your diagram can be a digital drawing, a photo of a clear hand-drawn diagram, or (if you don't have enough to do with your time) ASCII art.
- A list of threats and their corresponding mitigations, labeled by which element of STRIDE the threat corresponds to. For example, one threat might be "eavesdropper on user's network reads user's interaction with the TU web server" and its corresponding mitigation might be "all interactions with the TU server occur over HTTPS." The STRIDE label for this threat would be I (information disclosure). You can submit your list in tabular form, or as a bulleted or numbered list, or something similar. Make sure it's easy to read.
Include in your list as many realistic threats as you can think of, with at least one or two in each STRIDE category. If you think of threats that don't seem to fit in any of the STRIDE categories, go ahead and include them in a separate "Other" category.
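As an added illustration (not part of the assignment or the course's own materials), here is a small Python sketch of the STRIDE-per-element approach applied to the Tapirs Unlimited data flow diagram: it records which STRIDE categories are normally considered for each kind of DFD element, flags flows that cross a trust boundary, and lists the candidate threats for which no mitigation has been written down yet. The element kinds, trust-zone names and threat bookkeeping are my assumptions; the one recorded mitigation is the example from the text above.

```python
from dataclasses import dataclass

# STRIDE-per-element: which categories (Spoofing, Tampering, Repudiation,
# Information disclosure, Denial of service, Elevation of privilege) are
# normally considered for each kind of data-flow-diagram element.
STRIDE_PER_ELEMENT = {
    "external": "SR",     # external entity, e.g. a user
    "process": "STRIDE",  # running code, e.g. the PHP web server
    "store": "TRID",      # data at rest, e.g. the PostgreSQL database
    "flow": "TID",        # data in transit between two elements
}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # a key of STRIDE_PER_ELEMENT
    zone: str  # trust zone; the zone names below are assumptions for the exercise

@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element
    def crosses_boundary(self) -> bool:
        return self.src.zone != self.dst.zone  # a flow between zones crosses a trust boundary

# Constructed DFD for the Tapirs Unlimited scenario described in the assignment.
USER = Element("user browser / mobile app", "external", "user network")
WEB = Element("PHP web server on Linode (80/443)", "process", "linode")
DB = Element("PostgreSQL server in home office (5432)", "store", "home office")
ELEMENTS = [USER, WEB, DB]
FLOWS = [Flow("user <-> web server", USER, WEB), Flow("web server <-> database", WEB, DB)]

# Mitigations recorded so far, keyed by (element or flow name, STRIDE letter).
# The only entry is the example threat/mitigation pair from the assignment text.
MITIGATIONS = {
    ("user <-> web server", "I"): "all interactions with the TU server occur over HTTPS",
}

def candidate_threats(elements, flows):
    """Every (name, STRIDE letter, crosses_boundary) the chart says to consider."""
    out = [(e.name, c, False) for e in elements for c in STRIDE_PER_ELEMENT[e.kind]]
    out += [(f.name, c, f.crosses_boundary()) for f in flows for c in STRIDE_PER_ELEMENT["flow"]]
    return out

def unmitigated(elements, flows, mitigations):
    """Candidates with no mitigation recorded yet; boundary-crossing flows come first."""
    todo = [t for t in candidate_threats(elements, flows) if (t[0], t[1]) not in mitigations]
    return sorted(todo, key=lambda t: (not t[2], t[0], t[1]))
```

Running `unmitigated(ELEMENTS, FLOWS, MITIGATIONS)` gives you a checklist to work through; each entry is a prompt ("what would tampering with the web server to database flow look like, and what stops it?"), not a threat in itself, so the wording of each threat and mitigation is still yours to write.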
Have fun! (And don't be shy about brainstorming lots of possibilities.)