DevSecOps, Threat Modeling and You: Get started using the STRIDE method

Bruno Amaro Almeida
3 min read · Oct 8, 2018

Nowadays more and more DevOps teams are shifting towards DevSecOps. Given the world we live in, the security aspect of software engineering is now crucial and fundamental. We can no longer simply rely on an Infosec department getting involved at a later phase to help improve the security of a system. Security needs to be considered from the get-go, by the same people designing and developing the system, as a basic element of the work (in the same way infrastructure, CI/CD, etc. are).

In this context, Threat Modeling sessions are becoming more and more popular among Engineering teams. In DevSecOps, it is one of the cornerstones and must-have regular practices that any team needs to establish.

While there are many different ways to do Threat Modeling, STRIDE is by far my favourite method to use in these sessions. I find it very complete and yet really easy to iterate with groups of different sizes. In fact, you can even use it by yourself when designing a new system to guide and validate your own thinking.

In short, STRIDE is an acronym for the following terms:

Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege

What does this mean?

Spoofing — pretend to be something or someone you are not

Tampering — manipulate/change data or code you are not authorised to modify
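To make the method concrete, here is an added example (not code from the original post or its author) of a "STRIDE-per-element" pass in Python. It walks a tiny data-flow diagram, applies the commonly used mapping of which STRIDE categories usually apply to each kind of element (external entities: S, R; processes: all six; data stores: T, R, I, D; data flows: T, I, D), and turns each hit into a question the team can discuss in the session. The mapping table, the element kinds and the sample diagram (a browser calling a web API that reads an orders database) are assumptions constructed for illustration, not something the article prescribes.

```python
"""STRIDE-per-element threat enumeration over a small data-flow diagram (DFD).

Added illustration of the STRIDE method; the mapping below is a common starting
point, not a rule, and the sample DFD at the bottom is constructed for this example.
"""
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Kind(Enum):
    EXTERNAL = "external entity"
    PROCESS = "process"
    STORE = "data store"
    FLOW = "data flow"


# Which STRIDE categories usually apply to each kind of DFD element (assumed mapping).
APPLICABLE = {
    Kind.EXTERNAL: "SR",
    Kind.PROCESS: "STRIDE",
    Kind.STORE: "TRID",
    Kind.FLOW: "TID",
}

# Letter -> (category name, what the attacker does), phrased to seed the discussion.
CATEGORIES = {
    "S": ("Spoofing", "pretend to be something or someone they are not"),
    "T": ("Tampering", "modify data or code they are not authorised to change"),
    "R": ("Repudiation", "deny having performed an action without anyone being able to prove otherwise"),
    "I": ("Information disclosure", "read information they are not authorised to see"),
    "D": ("Denial of service", "make the component unavailable or degraded for its users"),
    "E": ("Elevation of privilege", "gain capabilities they were never granted"),
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: Kind
    crosses_trust_boundary: bool = False  # e.g. a flow arriving from the internet


@dataclass(frozen=True)
class Threat:
    element: str
    category: str
    question: str
    high_priority: bool  # True when the element crosses a trust boundary


def enumerate_threats(elements):
    """Return one Threat per (element, applicable STRIDE category).

    Threats on boundary-crossing elements are listed first, since that is where a
    session usually starts; the rest keep their DFD order.
    """
    threats = []
    for el in elements:
        for letter in APPLICABLE[el.kind]:
            name, action = CATEGORIES[letter]
            question = f"How could an attacker {action} through '{el.name}' ({el.kind.value})?"
            threats.append(Threat(el.name, name, question, el.crosses_trust_boundary))
    return sorted(threats, key=lambda t: not t.high_priority)  # stable sort


def count_by_category(threats):
    """Count how many candidate threats fall into each STRIDE category."""
    return dict(Counter(t.category for t in threats))


# Constructed sample DFD: browser -> web API -> orders database.
SAMPLE_DFD = [
    Element("Browser", Kind.EXTERNAL),
    Element("Web API", Kind.PROCESS),
    Element("Orders DB", Kind.STORE),
    Element("Browser -> Web API (HTTPS)", Kind.FLOW, crosses_trust_boundary=True),
    Element("Web API -> Orders DB (SQL)", Kind.FLOW),
]

if __name__ == "__main__":
    for t in enumerate_threats(SAMPLE_DFD):
        flag = "!" if t.high_priority else " "
        print(f"{flag} [{t.category}] {t.question}")
    print(count_by_category(enumerate_threats(SAMPLE_DFD)))
```

The output is a list of questions rather than findings: the value of a STRIDE session is in the team answering each one ("which mitigation covers this, or why does it not apply?") and recording the answer, which is also why the mapping is kept as data so you can adjust it for your own system.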


VP, IT Operations @Fortum | Advisor in Cloud, Security and Technology Strategy | brunoamaro.com