Some practitioners have suggested that STRIDE is too high level, and should be replaced with a more detailed list of what can go wrong. Insofar as STRIDE being abstract, they're right. It could well be useful to have a more detailed list of common problems.
A library of attacks can be a useful tool for finding threats against the system you're building. There are a number of ways to construct such a library. You could collect sets of attack tools; either proof-of-concept code or fully developed (“weaponized”) exploit code can help you understand the attacks. Such a collection, where no modeling or abstraction has taken place, means that each time you pick up the library, each participant needs to spend time and energy creating a model from the attacks. Therefore, a library that provides that abstraction (and at a more detailed level than STRIDE) could well be useful. In this chapter, you'll learn about several higher-level libraries, including how they compare to checklists and literature reviews, and a bit about the costs and benefits of creating a new one.
As stated earlier, there are a number of ways to construct an attack library, so you probably won't be surprised to learn that selecting one involves trade-offs, and that different libraries address different goals. The major decisions to be made, either implicitly or explicitly, are as follows:
Audience refers to whom the ...