What Security Means
Security means that the systems have the properties of confidentiality, integrity, and availability, that users are authenticated and authorized correctly, and that transactions are non-repudiable.
The following explains each property.
- Confidentiality - Data is only available to the people intended to access it.
- Integrity - Data and system resources are only changed in appropriate ways by appropriate people.
- Availability - Systems are ready when needed and perform acceptably.
- Authentication - The identity of users is established (or you’re willing to accept anonymous users).
- Authorization - Users are explicitly allowed or denied access to resources.
- Nonrepudiation - Users can’t perform an action and later deny performing it.
The following maps threats to the properties that guard against them.
- Spoofing - Authentication
- Tampering - Integrity
- Repudiation - Non-repudiation
- Information disclosure - Confidentiality
- Denial of service - Availability
- Elevation of privilege - Authorization
Adopted from Threat Modeling: Uncover Security Design Flaws Using The STRIDE Approach.