Join Adam Shostack for an in-depth discussion in this video, "STRIDE and the four question framework," part of Threat Modeling: Denial of Service and Elevation of Privilege.
- [Instructor] This course is part of a series on threat modeling and the STRIDE threats. At the heart of threat modeling are four incredibly simple questions: What are we working on? What can go wrong? What are we going to do about it? And did we do a good job? These questions act as guideposts as you're threat modeling and analyzing how you're threat modeling. If you're not sure why you're doing the work that you're doing, tie it to one of these questions. STRIDE is a mnemonic for Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege. In this course, we're focused on the threats of denial of service and elevation of privilege. Of course, we're putting all the ofs in one course. More seriously, we're putting both in a single course to make the learning path a little shorter. For both threats, I'll be digging deep into the details of what can go wrong and what are we going to do about it. There are denial of service attacks against compute, storage, bandwidth, battery, and budget. There's elevation of privilege in every system complex enough to have privileges or permissions or users, pretty much in any running code that handles untrusted input or talks to something which does. And you'll learn structured ways of ensuring that your systems are both highly available, resisting denial of service attacks, and resilient against elevation of privilege attacks. Looking at these four questions with lenses for denial of service and elevation of privilege is the final part of the systematic, structured, and comprehensive approach to security that your customers deserve.