The simplest way to apply the STRIDE model to your application is to consider how each of the threats in the model affects each Commerce Server component and each of its connections or relationships with other application components. Essentially, you look at each part of the application and determine whether any threats that fall into the S, T, R, I, D, or E categories above exist for that component or process. Most parts will have numerous threats, and it is important that you record all of them.
The following are some sample threats to a Web site. Note that this is a highly abridged list. In a two-hour threat-analysis meeting, you will likely be able to identify 20 to 40 security threats.
- Threat #1 A malicious user views or tampers with personal profile data en route from the Web server to the client or from the client to the Web server. (Tampering with data/Information disclosure)
- Threat #2 A malicious user views or tampers with personal profile data en route from the Web server to the COM component or from the component to the Web server. (Tampering with data/Information disclosure)
- Threat #3 A malicious user accesses or tampers with the profile data directly in the database. (Tampering with data/Information disclosure)
- Threat #4 A malicious user views the Lightweight Directory Access Protocol (LDAP) authentication packets and learns how to reply to them so that he can act "on behalf of" the user. (Spoofing identity/Information disclosure/Elevation of privilege [if the authentication data used is that of an administrator])
- Threat #5 A malicious user defaces the Web server by changing one or more Web pages. (Tampering with data)
- Threat #6 An attacker denies access to the profile database server computer by flooding it with TCP/IP packets. (DoS)
- Threat #7 An attacker deletes or modifies the audit logs. (Tampering with data/Repudiation)
- Threat #8 An attacker places his own Web server on the network after killing the real Web server with a distributed DoS attack. (Spoofing identity; in addition, a particularly malicious user could instigate all threat categories by stealing passwords or other authentication data, deleting data, and so on.)
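One way to record such a list and see which component and category combinations still have no threat written down, as an added example that is not part of the original documentation. The component labels, the shortened descriptions and the function names are assumptions made for the illustration; the category tags follow the list above.

```python
import re

STRIDE = {"spoofing identity": "S", "tampering with data": "T", "repudiation": "R",
          "information disclosure": "I", "dos": "D", "elevation of privilege": "E"}

# Entries in the list format used above; descriptions and the #8 aside are shortened.
THREATS = """\
Threat #1 Profile data viewed or altered between Web server and client. (Tampering with data/Information disclosure)
Threat #2 Profile data viewed or altered between Web server and COM component. (Tampering with data/Information disclosure)
Threat #3 Profile data accessed or altered directly in the database. (Tampering with data/Information disclosure)
Threat #4 LDAP authentication packets viewed to act on behalf of the user. (Spoofing identity/Information disclosure/Elevation of privilege [if the authentication data used is that of an administrator])
Threat #5 Web pages changed to deface the Web server. (Tampering with data)
Threat #6 Profile database server flooded with TCP/IP packets. (DoS)
Threat #7 Audit logs deleted or modified. (Tampering with data/Repudiation)
Threat #8 Rogue Web server replaces the real one after a distributed DoS. (Spoofing identity; in addition, all categories could follow.)
"""

# Assumption: component labels picked for this example, keyed by threat number.
COMPONENT = {1: "Web server-client link", 2: "Web server-COM link", 3: "profile database",
             4: "LDAP authentication", 5: "Web server", 6: "profile database",
             7: "audit logs", 8: "Web server"}

ENTRY = re.compile(r"Threat #(\d+) (.+?) \(([^()]*)\)\s*$")

def parse_threat(line):
    """Turn one list entry into a record; a bracketed note marks a conditional category."""
    m = ENTRY.match(line.strip())
    if m is None:
        raise ValueError(f"not a threat entry: {line!r}")
    cats, conditional = [], {}
    for part in m.group(3).split(";")[0].split("/"):  # text after ';' is commentary
        note = re.search(r"\[(.*?)\]", part)
        # An unknown category label raises KeyError, so a mistyped tag is caught early.
        letter = STRIDE[re.sub(r"\[.*?\]", "", part).strip().lower()]
        cats.append(letter)
        if note:
            conditional[letter] = note.group(1)
    num = int(m.group(1))
    return {"id": num, "component": COMPONENT[num], "text": m.group(2),
            "categories": cats, "conditional": conditional}

def gaps(records):
    """Per component, the STRIDE letters that have no recorded threat yet."""
    seen = {}
    for r in records:
        seen.setdefault(r["component"], set()).update(r["categories"])
    return {c: "".join(l for l in "STRIDE" if l not in got) for c, got in seen.items()}

REGISTER = [parse_threat(entry) for entry in THREATS.splitlines()]

if __name__ == "__main__":
    for component, missing in gaps(REGISTER).items():
        print(f"{component:24} still to review: {missing}")
```

An empty cell in the output does not mean the component is safe against that category; it means nobody has yet considered or recorded a threat there.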