π¦ STRIDE vs ASVS equivalence table
The purpose of this repository is to set a bridge between Threat Modeling and the security controls definition by providing an equivalence table that maps the STRIDE model against the Application Security Verification Standard (ASVS) chapters.
In the Security Requirement Engineering process, we commonly use techniques like Threat Modeling (along with frameworks such as STRIDE, LINDUNN or PASTA) to identify threats to which the system is exposed. Once we have identified those threats, we need to mitigate them by defining security controls.
The third step of the Rapid Threat Modeling Prototyping (RTMP) methodology is Mitigations [^1]. Its goal is to define at least one mitigation for each STRIDE threat identified in the previous steps. In that section, it also provides a table that lists the elements of the OWASP Top 10 (OT10) mapped to STRIDE elements.
Potential improvements:
To address the second issue, Mario Platt (@mario-platt) contributed to the repository by creating an Excel called STRIDE-OT10-CWE-OPC-ASVS, that not only maps STRIDE against ASVS but also with CWE, OWASP Proactive Controls and OWASP Top 10. [^2]
Potential improvements:
Finally, I have minor disagreements in some of the categorizations proposed, so in this repository, I will try to address the improvements mentioned above with a brand new STRIDE vs ASVS equivalence table.
STRIDE is a model for identifying computer security threats developed by Praerit Garg and Loren Kohnfelder at Microsoft. It provides a mnemonic for security threats in six categories. It was initially created as part of the process of threat modelling. It is used in conjunction with a model of the target system that can be constructed in parallel. This includes a full breakdown of processes, data stores, data flows, and trust boundaries. Today it is often used by security experts to help answer the question "what can go wrong in this system we're working on?".
Each threat is a violation of a desirable property for a system [^4]:
Threat | Icon | Description | Desired property |
---|---|---|---|
Spoofing | π | Accessing and use of another userβs credentials, such as username and password | Authenticity |
Tampering | π€‘ | Intending to maliciously change or modify persistent data, such as records in a database, and the alteration of data in transit between two computers over an open network, such as the Internet | Integrity |
Repudiation | π | Performing prohibited operations in a system that lacks the ability to trace the operations | Traceability [^5] |
Information disclosure | π | Intending to read a file that one was not granted access to, or to read data in transit | Confidentiality |
Denial of Service | π₯ | Attempting to deny access to valid users, such as by making a web server temporarily unavailable or unusable | Availability |
Elevation of Privilege | π | Intending to gain privileged access to resources in order to gain unauthorized access to information or to compromise a system | Authorization |
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.
The primary aim of the project is to normalize the range in the coverage and level of rigour available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind:
The following table has an equivalence between STRIDE threats and ASVS chapters: π STRIDE-vs-ASVS-4.0.csv π
Short name | Reference | Author | Description |
---|---|---|---|
RTMP | HOWTO-Rapid Threat Model Prototyping book | Geoffrey Hill, Tunamatic | Threat Modeling methodology |
STRIDE-OT10-CWE-OPC-ASVS | STRIDE-OT10-CWE-OPC-ASVS excel | Mario Platt | Equivalence matrix between STRIDE and other standards |
ASVS | Application Security Verification Standard v4.0.3 | OWASP | Standard for testing web applications |
[^1]: HOWTO-Rapid Threat Model Prototyping, page 17 [^2]: It is the primary source of inspiration for this repository. [^3]: Extracted from https://en.wikipedia.org/wiki/STRIDE_(security) [^4]: Extracted from https://owasp.org/www-community/Threat_Modeling_Process#stride-threat-list [^5]: Commonly referenced as "non-repudiation", but IMHO it's self-referential and not very descriptive. [^6]: Extracted from https://owasp.org/www-project-application-security-verification-standard/