
Threat Modelling Vocabulary

5 questions · Security Architecture Language

Vocabulary Reference

Term | Meaning in context
STRIDE | Framework classifying threats into six categories: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege.
Spoofing | Pretending to be someone or something else — e.g. forging a sender identity or impersonating a service.
Repudiation | Denying that an action occurred; a threat when systems lack sufficient audit trails to prove actions took place.
Threat actor | The person, group, or automated system that might exploit a vulnerability — e.g. external attacker, malicious insider, nation-state.
Attack surface | All entry points and interfaces a threat actor could potentially target — APIs, UIs, open ports, admin consoles.
Threat-mitigation pair | A documented entry linking each identified threat to the control or countermeasure designed to address it.

1. An attacker sends a password-reset email that appears to come from support@yourbank.com but actually originates from a spoofed domain. Under the STRIDE framework, which category does this threat belong to?
2. A user modifies a transaction amount in an API request after it has been validated by the front end. Under STRIDE, this unauthorised modification of data in transit is classified as:
3. A system processes financial transactions but stores no audit log of who performed each transaction. A user later denies making a transfer and the system cannot prove otherwise. Which STRIDE threat category does the missing audit log leave the system vulnerable to?
4. During a threat modelling session the team asks: "Who might want to attack this system, what are their capabilities, and what would motivate them?" They are profiling the:
5. After threat modelling the authentication module, the team writes: "Threat: an attacker with a stolen token can call admin APIs. Mitigation: enforce OAuth scope validation on every admin endpoint with automated test coverage." This paired entry is called:
