# Threat Modeling Basics (STRIDE)

One-sentence definition: Systematic identification of threats to assets and data flows, commonly using STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege).

## Key Facts

- Steps: define scope → decompose the system → identify threats → rate them → mitigate.
- Use data flow diagrams (DFDs) and mark trust boundaries; threats concentrate where data crosses from a less trusted zone into a more trusted one.
- STRIDE maps to the CIA triad plus authentication and accountability: Spoofing → authentication, Tampering → integrity, Repudiation → non-repudiation/accountability, Information disclosure → confidentiality, Denial of service → availability, Elevation of privilege → authorization.
- Prioritize mitigations by risk (likelihood and impact) and by feasibility.
- Integrate threat modeling into the SDLC and into change-management processes, not as a one-off exercise.
- **Label:** **Proactive** approach to reducing design risk.
- **Verify:** check the official (ISC)² CBK and the current exam outline.

## Exam Relevance

- Identify the STRIDE category and pick a fitting control.

**Mnemonic:** "STRIDE."

## Mini Scenario

Q: Login lacks MFA; which STRIDE threat and control?

A: Spoofing; implement MFA and rate limiting (the rate limit blunts password guessing, which is how the spoof is attempted).

## Revision Checklist

- List the STRIDE elements.
- Describe a trust boundary and why it matters.
- Provide one mitigation per STRIDE item.

## Related

[[Risk Management Lifecycle]] · [[Control Types and Categories]] · [[Attack Surface, Exposure, and Attack Vectors]] · [[Software Development Security]] · [[Security Architecture and Engineering]] · [[Domain 1 - Index]]
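## Worked Example

The Key Facts steps (decompose into a DFD, mark trust boundaries, identify threats, rate, mitigate) and the Mini Scenario can be carried through mechanically. The script below is an added example, not part of the original page: it builds a small DFD for the login scenario, applies the STRIDE-per-element convention (external entities: S, R; processes: all six; data stores: T, I, D, plus R when the store is an audit log; data flows: T, I, D), flags elements reachable across a trust boundary, and ranks the resulting threats. The element names, zones, scoring weights and control suggestions are illustrative assumptions, not an official scale.

```python
"""Added example (not part of the original page): enumerate STRIDE threats over a
small data flow diagram (DFD) and rank them by trust-boundary exposure.

The STRIDE-per-element table follows the widely used Microsoft SDL convention.
The scoring weights and the sample login system are illustrative assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

STRIDE: Dict[str, str] = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE-per-element: which categories apply to each DFD element kind.
# "R" is added to a data store only when it holds audit/log data (see below).
APPLICABLE: Dict[str, str] = {
    "external": "SR",
    "process": "STRIDE",
    "store": "TID",
    "flow": "TID",
}

# One representative control per category (assumed, illustrative).
CONTROLS: Dict[str, str] = {
    "S": "authentication (MFA), rate limiting",
    "T": "integrity checks, input validation, signed messages",
    "R": "tamper-evident audit logging, digital signatures",
    "I": "encryption in transit/at rest, least-privilege access",
    "D": "quotas, rate limiting, redundancy",
    "E": "authorization checks, least privilege, sandboxing",
}

# Illustrative impact weight per category (assumption, not an official scale).
WEIGHT: Dict[str, int] = {"S": 3, "E": 3, "I": 3, "T": 2, "D": 2, "R": 1}
BOUNDARY_BONUS = 2  # added when the element is reachable across a trust boundary


@dataclass
class Element:
    name: str
    kind: str                      # external | process | store | flow
    zone: str                      # trust zone, e.g. internet / dmz / internal (informational for flows)
    endpoints: Optional[Tuple[str, str]] = None  # flows only: (source, destination)
    is_log: bool = False           # stores only: holds audit data, so repudiation applies


@dataclass
class Threat:
    element: str
    category: str
    exposed: bool
    score: int
    control: str


def crosses_trust_boundary(flow: Element, by_name: Dict[str, Element]) -> bool:
    """A flow crosses a boundary when its two ends sit in different trust zones."""
    src, dst = flow.endpoints
    return by_name[src].zone != by_name[dst].zone


def exposed_elements(elements: List[Element]) -> Dict[str, bool]:
    """Mark every element touched by a boundary-crossing flow; externals always are."""
    by_name = {e.name: e for e in elements}
    exposed = {e.name: e.kind == "external" for e in elements}
    for f in elements:
        if f.kind == "flow" and crosses_trust_boundary(f, by_name):
            exposed[f.name] = True
            for end in f.endpoints:
                exposed[end] = True
    return exposed


def enumerate_threats(elements: List[Element]) -> List[Threat]:
    """Apply STRIDE-per-element and rank threats, highest score first."""
    exposed = exposed_elements(elements)
    threats: List[Threat] = []
    for e in elements:
        cats = APPLICABLE[e.kind]
        if e.kind == "store" and e.is_log:
            cats += "R"
        for c in cats:
            score = WEIGHT[c] + (BOUNDARY_BONUS if exposed[e.name] else 0)
            threats.append(Threat(e.name, STRIDE[c], exposed[e.name], score, CONTROLS[c]))
    return sorted(threats, key=lambda t: (-t.score, t.element, t.category))


def categories_for(threats: List[Threat], element: str) -> str:
    """Sorted STRIDE letters raised against one element (for quick inspection)."""
    letters = {v: k for k, v in STRIDE.items()}
    return "".join(sorted(letters[t.category] for t in threats if t.element == element))


# Constructed sample DFD for the page's "login lacks MFA" scenario (assumed layout).
SAMPLE = [
    Element("Browser", "external", "internet"),
    Element("Login service", "process", "dmz"),
    Element("User DB", "store", "internal"),
    Element("Audit log", "store", "dmz", is_log=True),
    Element("credentials", "flow", "internet", endpoints=("Browser", "Login service")),
    Element("lookup", "flow", "dmz", endpoints=("Login service", "User DB")),
    Element("audit", "flow", "dmz", endpoints=("Login service", "Audit log")),
]

if __name__ == "__main__":
    for t in enumerate_threats(SAMPLE):
        flag = "BOUNDARY" if t.exposed else "internal"
        print(f"{t.score}  {t.element:14} {t.category:24} {flag:9} -> {t.control}")
```

Running it lists the Browser → Login service credentials flow and the login process itself at the top of the ranking, with Spoofing on the login process mapped to the MFA-plus-rate-limiting control from the Mini Scenario; the audit flow inside the DMZ never crosses a boundary and ranks lowest. Swapping the zones or adding flows shows immediately which threats a new trust boundary introduces, which is the question the Revision Checklist asks about.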