STRIDE, DREAD & PASTA Frameworks

Three popular ways to structure threat identification, finding prioritization, and the end-to-end risk process.

STRIDE — six threat categories

Originally from Microsoft, STRIDE labels threats by category so that no major class is missed. Below, each category with an e-commerce example.

Spoofing — Attacker pretends to be someone else. Shop: stolen session cookie used to place orders as the victim.
Tampering — Unauthorized modification of data or code. Shop: price or cart totals altered in transit if integrity is weak.
Repudiation — User denies an action; no proof. Shop: dispute over payment without tamper-evident audit logs.
Information disclosure — Exposure of secrets or PII. Shop: API returns another customer’s order details (IDOR).
Denial of service — Availability attacks. Shop: checkout flood or inventory reservation abuse.
Elevation of privilege — Gaining unauthorized capabilities. Shop: customer API token reused to access admin refund endpoints.

Comparison

Framework   Primary use               Output                        Good fit when
STRIDE      Label threat types        Checklist of categories       Design reviews, DFDs, training devs
DREAD       Prioritize findings       Numeric / relative ranking    Comparing similar issues; discussion starter
PASTA       End-to-end risk process   Business-aligned risk cases   Mature programs, pen test integration
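Worked example of the first two rows combined, added here and not part of the original page: enumerate STRIDE candidates for a small data-flow diagram of the shop, then rank them with DREAD. The STRIDE-per-element mapping and the five DREAD components come from Microsoft's threat-modeling guidance rather than this page; the DFD elements, element names and reviewer scores are constructed.

```python
from dataclasses import dataclass

# Classic STRIDE-per-element mapping from Microsoft's threat-modeling guidance
# (not from this page): which categories apply to each DFD element kind.
STRIDE_PER_ELEMENT = {"external": "SR", "process": "STRIDE",
                      "flow": "TID", "store": "TRID"}
CATEGORY = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
            "I": "Information disclosure", "D": "Denial of service",
            "E": "Elevation of privilege"}

@dataclass
class Threat:
    element: str
    category: str
    # DREAD components in order: Damage, Reproducibility, Exploitability,
    # Affected users, Discoverability; each 1-3 from the reviewer, 0 = unscored.
    dread: tuple = (0, 0, 0, 0, 0)

    def score(self) -> int:
        return sum(self.dread)

def enumerate_threats(elements):
    """STRIDE step: one candidate threat per (element, applicable category)."""
    return [Threat(name, CATEGORY[c])
            for name, kind in elements for c in STRIDE_PER_ELEMENT[kind]]

def rank(threats):
    """DREAD step: highest total first; unscored candidates sort last."""
    return sorted(threats, key=Threat.score, reverse=True)

# Constructed DFD for the shop described above (element name, element kind).
SHOP_DFD = [("customer browser", "external"), ("checkout service", "process"),
            ("orders db", "store"), ("browser->checkout", "flow")]
# Constructed reviewer scores for two of the page's example findings.
SHOP_SCORES = {("orders db", "Information disclosure"): (3, 3, 3, 3, 2),  # IDOR
               ("checkout service", "Denial of service"): (2, 3, 2, 3, 3)}  # flood

def shop_example():
    threats = enumerate_threats(SHOP_DFD)
    for t in threats:  # attach scores where the reviewer has assessed the threat
        t.dread = SHOP_SCORES.get((t.element, t.category), t.dread)
    return rank(threats)

if __name__ == "__main__":
    for t in shop_example()[:3]:
        print(t.score(), t.element, t.category)
```

Unscored candidates stay in the list at score 0, so the output doubles as a checklist of what the review has not yet assessed.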