Threat Modelling Vocabulary
Vocabulary Reference
| Term | Meaning in context |
|---|---|
| STRIDE | Framework classifying threats into six categories: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege. |
| Spoofing | Pretending to be someone or something else — e.g. forging a sender identity or impersonating a service. |
| Repudiation | Denying that an action occurred; a threat when systems lack sufficient audit trails to prove actions took place. |
| Threat actor | The person, group, or automated system that might exploit a vulnerability — e.g. external attacker, malicious insider, nation-state. |
| Attack surface | All entry points and interfaces a threat actor could potentially target — APIs, UIs, open ports, admin consoles. |
| Threat-mitigation pair | A documented entry linking each identified threat to the control or countermeasure designed to address it. |
1. An attacker sends a password-reset email that appears to come from support@yourbank.com but actually originates from a spoofed domain. Under the STRIDE framework, which category does this threat belong to?
2. A user modifies a transaction amount in an API request after it has been validated by the front end. Under STRIDE, this unauthorised modification of data in transit is classified as:
3. A system processes financial transactions but stores no audit log of who performed each transaction. A user later denies making a transfer and the system cannot prove otherwise. Which STRIDE threat category does the missing audit log leave the system vulnerable to?
4. During a threat modelling session the team asks: "Who might want to attack this system, what are their capabilities, and what would motivate them?" They are profiling the:
5. After threat modelling the authentication module, the team writes: "Threat: an attacker with a stolen token can call admin APIs. Mitigation: enforce OAuth scope validation on every admin endpoint with automated test coverage." This paired entry is called: