Cybersecurityknowledge~30 mins

Threat modeling (STRIDE, DREAD) in Cybersecurity - Mini Project: Build & Apply

Choose your learning style9 modes available

Learn Why Deep Visual Practice Challenge Project Recall Time

Threat Modeling with STRIDE and DREAD

📖 Scenario: You are part of a small software team building a new web application. To keep the app safe, you need to identify possible security threats and understand their risks.This project will guide you through creating a simple threat model using the STRIDE and DREAD frameworks.

🎯 Goal: Build a basic threat model by listing threats using STRIDE categories, assigning risk scores with DREAD factors, and calculating overall risk levels.

📋 What You'll Learn

Create a dictionary of threats categorized by STRIDE factors

Add a dictionary of DREAD scores for each threat

Calculate risk scores by multiplying DREAD factors for each threat

Add a final risk level classification based on the calculated scores

💡 Why This Matters

🌍 Real World

Threat modeling helps teams find and understand security risks early in software development to prevent attacks.

💼 Career

Security analysts and developers use STRIDE and DREAD to assess and prioritize threats, improving software safety.

Progress0 / 4 steps

Create STRIDE Threat Categories

Create a dictionary called stride_threats with these exact keys and example threats:

'Spoofing': ['Fake login'], 'Tampering': ['Modify data'], 'Repudiation': ['Deny actions'], 'Information Disclosure': ['Leak data'], 'Denial of Service': ['Crash service'], 'Elevation of Privilege': ['Gain admin access']

Cybersecurity

# Create the stride_threats dictionary with the given keys and example threats
# Your code here

Need a hint?

Use a dictionary with keys as STRIDE categories and values as lists of example threats.

Add DREAD Scores for Each Threat

Create a dictionary called dread_scores where each key is a threat name from stride_threats values and each value is another dictionary with DREAD factors: 'Damage Potential': 3, 'Reproducibility': 2, 'Exploitability': 4, 'Affected Users': 3, 'Discoverability': 2. Use these exact scores for all threats.

Cybersecurity

stride_threats = {
    'Spoofing': ['Fake login'],
    'Tampering': ['Modify data'],
    'Repudiation': ['Deny actions'],
    'Information Disclosure': ['Leak data'],
    'Denial of Service': ['Crash service'],
    'Elevation of Privilege': ['Gain admin access']
}
# Create the dread_scores dictionary with DREAD factors for each threat
# Your code here

Need a hint?

Use a dictionary where each threat name maps to another dictionary of DREAD factors with the given scores.

Calculate Risk Scores for Each Threat

Create a dictionary called risk_scores where each key is a threat name from dread_scores and the value is the product of all its DREAD factor scores. Use a for loop with variables threat and factors to iterate over dread_scores.items().

Cybersecurity

stride_threats = {
    'Spoofing': ['Fake login'],
    'Tampering': ['Modify data'],
    'Repudiation': ['Deny actions'],
    'Information Disclosure': ['Leak data'],
    'Denial of Service': ['Crash service'],
    'Elevation of Privilege': ['Gain admin access']
}

dread_scores = {
    'Fake login': {'Damage Potential': 3, 'Reproducibility': 2, 'Exploitability': 4, 'Affected Users': 3, 'Discoverability': 2},
    'Modify data': {'Damage Potential': 3, 'Reproducibility': 2, 'Exploitability': 4, 'Affected Users': 3, 'Discoverability': 2},
    'Deny actions': {'Damage Potential': 3, 'Reproducibility': 2, 'Exploitability': 4, 'Affected Users': 3, 'Discoverability': 2},
    'Leak data': {'Damage Potential': 3, 'Reproducibility': 2, 'Exploitability': 4, 'Affected Users': 3, 'Discoverability': 2},
    'Crash service': {'Damage Potential': 3, 'Reproducibility': 2, 'Exploitability': 4, 'Affected Users': 3, 'Discoverability': 2},
    'Gain admin access': {'Damage Potential': 3, 'Reproducibility': 2, 'Exploitability': 4, 'Affected Users': 3, 'Discoverability': 2}
}

# Calculate risk_scores by multiplying all DREAD factors for each threat
# Your code here

Need a hint?

Use nested loops: outer loop over dread_scores items, inner loop to multiply factor values.

Classify Threats by Risk Level

Create a dictionary called risk_levels where each key is a threat name from risk_scores and the value is a string: 'High' if the risk score is 100 or more, otherwise 'Medium'. Use a for loop with variables threat and score to iterate over risk_scores.items().

Cybersecurity

stride_threats = {
    'Spoofing': ['Fake login'],
    'Tampering': ['Modify data'],
    'Repudiation': ['Deny actions'],
    'Information Disclosure': ['Leak data'],
    'Denial of Service': ['Crash service'],
    'Elevation of Privilege': ['Gain admin access']
}

dread_scores = {
    'Fake login': {'Damage Potential': 3, 'Reproducibility': 2, 'Exploitability': 4, 'Affected Users': 3, 'Discoverability': 2},
    'Modify data': {'Damage Potential': 3, 'Reproducibility': 2, 'Exploitability': 4, 'Affected Users': 3, 'Discoverability': 2},
    'Deny actions': {'Damage Potential': 3, 'Reproducibility': 2, 'Exploitability': 4, 'Affected Users': 3, 'Discoverability': 2},
    'Leak data': {'Damage Potential': 3, 'Reproducibility': 2, 'Exploitability': 4, 'Affected Users': 3, 'Discoverability': 2},
    'Crash service': {'Damage Potential': 3, 'Reproducibility': 2, 'Exploitability': 4, 'Affected Users': 3, 'Discoverability': 2},
    'Gain admin access': {'Damage Potential': 3, 'Reproducibility': 2, 'Exploitability': 4, 'Affected Users': 3, 'Discoverability': 2}
}

risk_scores = {}
for threat, factors in dread_scores.items():
    score = 1
    for value in factors.values():
        score *= value
    risk_scores[threat] = score

# Create risk_levels dictionary classifying threats as 'High' or 'Medium'
# Your code here

Need a hint?

Use a for loop over risk_scores items and an if-else to assign risk levels.