You use the details gathered in the previous step during the STRIDE phase to identify the threats relevant to your application scenario and context. STRIDE gives you a systematic way to identify what can go wrong.
STRIDE was developed by Microsoft to teach developers how to think about computer security threats, and is an acronym for:
- Spoofing: can an attacker gain access using a false identity?
- Tampering: can an attacker modify data as it flows through the application?
- Repudiation: if an attacker denies having done something, can we prove they did it?
- Information disclosure: can an attacker gain access to private data, or to data whose disclosure could cause harm?
- Denial of service: can an attacker crash the system or reduce its availability?
- Elevation of privilege: can an attacker assume the identity of a privileged user?
Each of these threats is the opposite of a property that you want your system to have. Spoofing – for example – is the opposite of authentication.
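The following is an added example, not code from the original text: it applies STRIDE-per-element (the mapping from Microsoft's SDL threat-modeling guidance, which says which of the six categories apply to external entities, processes, data stores and data flows) to a small, constructed data-flow diagram, and records for every threat the security property it violates, as the paragraph above describes. The element names, trust zones and flows are assumptions made up for the example; only the category/property pairing and the per-element table come from the STRIDE methodology itself.

```python
"""STRIDE-per-element enumeration over a small data-flow diagram (DFD)."""
from dataclasses import dataclass
from typing import Dict, List

# Each STRIDE category paired with the security property it is the opposite of.
STRIDE_PROPERTY: Dict[str, str] = {
    "Spoofing": "Authentication",
    "Tampering": "Integrity",
    "Repudiation": "Non-repudiation",
    "Information disclosure": "Confidentiality",
    "Denial of service": "Availability",
    "Elevation of privilege": "Authorization",
}

# STRIDE-per-element: which categories apply to each kind of DFD element
# (the table used in Microsoft's SDL threat-modeling guidance).
APPLICABLE: Dict[str, List[str]] = {
    "external_entity": ["Spoofing", "Repudiation"],
    "process": list(STRIDE_PROPERTY),  # all six categories
    "data_store": ["Tampering", "Repudiation", "Information disclosure",
                   "Denial of service"],
    "data_flow": ["Tampering", "Information disclosure", "Denial of service"],
}


@dataclass
class Element:
    name: str
    kind: str        # one of the APPLICABLE keys
    trust_zone: str  # assumed zone label, e.g. "internet", "dmz", "internal"


@dataclass
class Flow:
    name: str
    source: str  # Element.name
    target: str  # Element.name


@dataclass
class Threat:
    element: str
    category: str
    violated_property: str
    crosses_trust_boundary: bool  # flows between trust zones deserve first attention


def enumerate_threats(elements: List[Element], flows: List[Flow]) -> List[Threat]:
    """Apply STRIDE-per-element to every element and flow of the DFD."""
    by_name = {e.name: e for e in elements}
    threats: List[Threat] = []
    for e in elements:
        if e.kind not in APPLICABLE:
            raise ValueError(f"unknown element kind: {e.kind!r}")
        for cat in APPLICABLE[e.kind]:
            threats.append(Threat(e.name, cat, STRIDE_PROPERTY[cat], False))
    for f in flows:
        src, dst = by_name[f.source], by_name[f.target]
        crosses = src.trust_zone != dst.trust_zone
        for cat in APPLICABLE["data_flow"]:
            threats.append(Threat(f.name, cat, STRIDE_PROPERTY[cat], crosses))
    return threats


def count_by_property(threats: List[Threat]) -> Dict[str, int]:
    """Summarise which security properties are under threat and how often."""
    counts: Dict[str, int] = {}
    for t in threats:
        counts[t.violated_property] = counts.get(t.violated_property, 0) + 1
    return counts


# Constructed sample DFD (an assumption for the example): a browser on the
# internet talks to a web application in a DMZ, which queries an internal DB.
SAMPLE_ELEMENTS = [
    Element("Browser", "external_entity", "internet"),
    Element("Web app", "process", "dmz"),
    Element("Customer DB", "data_store", "internal"),
]
SAMPLE_FLOWS = [
    Flow("HTTP request", "Browser", "Web app"),
    Flow("SQL query", "Web app", "Customer DB"),
]

if __name__ == "__main__":
    for t in enumerate_threats(SAMPLE_ELEMENTS, SAMPLE_FLOWS):
        flag = " [crosses trust boundary]" if t.crosses_trust_boundary else ""
        print(f"{t.element:12} {t.category:22} -> {t.violated_property}{flag}")
    print(count_by_property(enumerate_threats(SAMPLE_ELEMENTS, SAMPLE_FLOWS)))
```

Each generated entry is a question to answer for that element, not a confirmed vulnerability; flows that cross a trust boundary are flagged because those are the places where the "can an attacker ..." questions above most often have an uncomfortable answer.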