Back in ’99, an engineer named Loren Kohnfelder wrote up “The Threats To Our Products” and gave security teams an acronym\u2014STRIDE\u2014we’ve leaned on ever since.<\/p>\n\n\n\n
Almost thirty years later, AI agents are reading inboxes, running code, and calling APIs on our behalf. And STRIDE fits them almost uncomfortably well.
I don’t think that’s luck. Kohnfelder was pointing at something underneath the tech!
How trust moves between systems. Agents might be the messiest trust problem we’ve ever shipped.<\/p>\n\n\n\n
\ud835\udddb\ud835\uddf2\ud835\uddff\ud835\uddf2’\ud835\ude00 \ud835\ude01\ud835\uddf5\ud835\uddf2 \ud835\uddf3\ud835\uddff\ud835\uddee\ud835\uddfa\ud835\uddf2\ud835\ude04\ud835\uddfc\ud835\uddff\ud835\uddf8, \ud835\uddee\ud835\uddfd\ud835\uddfd\ud835\uddf9\ud835\uddf6\ud835\uddf2\ud835\uddf1 \ud835\ude01\ud835\uddfc \ud835\uddee\ud835\uddf4\ud835\uddf2\ud835\uddfb\ud835\ude01\ud835\ude00:
\ud835\udde6 \u2014 \ud835\udde6\ud835\uddfd\ud835\uddfc\ud835\uddfc\ud835\uddf3\ud835\uddf6\ud835\uddfb\ud835\uddf4. Prompt injection. An attacker hides instructions in a doc or email the agent reads, dressed up to look like they came from you. The agent obeys, because it can’t always tell your instructions from theirs. (OWASP ranks this #1 for LLM apps.)<\/p>\n\n\n\n
\ud835\udde7 \u2014 \ud835\udde7\ud835\uddee\ud835\uddfa\ud835\uddfd\ud835\uddf2\ud835\uddff\ud835\uddf6\ud835\uddfb\ud835\uddf4. Poisoned data\u2014either in training or in a compromised API the agent trusts. Goes in upstream, shows up downstream in production.<\/p>\n\n\n\n
\ud835\udde5 \u2014 \ud835\udde5\ud835\uddf2\ud835\uddfd\ud835\ude02\ud835\uddf1\ud835\uddf6\ud835\uddee\ud835\ude01\ud835\uddf6\ud835\uddfc\ud835\uddfb. An agent fires off a purchase or edits a file autonomously, and the audit trail is patchy or missing. Something breaks and nobody can prove what happened. Accountability quietly evaporates.<\/p>\n\n\n\n
\ud835\udddc \u2014 \ud835\udddc\ud835\uddfb\ud835\uddf3\ud835\uddfc\ud835\uddff\ud835\uddfa\ud835\uddee\ud835\ude01\ud835\uddf6\ud835\uddfc\ud835\uddfb \ud835\uddd7\ud835\uddf6\ud835\ude00\ud835\uddf0\ud835\uddf9\ud835\uddfc\ud835\ude00\ud835\ude02\ud835\uddff\ud835\uddf2. Models can cough up training data when prompted right. And a long-running agent piling up context can be nudged into leaking it.<\/p>\n\n\n\n
\ud835\uddd7 \u2014 \ud835\uddd7\ud835\uddf2\ud835\uddfb\ud835\uddf6\ud835\uddee\ud835\uddf9 \ud835\uddfc\ud835\uddf3 \ud835\udde6\ud835\uddf2\ud835\uddff\ud835\ude03\ud835\uddf6\ud835\uddf0\ud835\uddf2. Inference costs real money. Force an agent into a loop and you get both downtime and an ugly cloud bill. MITRE ATLAS calls it “Cost Harvesting.”<\/p>\n\n\n\n
\ud835\uddd8 \u2014 \ud835\uddd8\ud835\uddf9\ud835\uddf2\ud835\ude03\ud835\uddee\ud835\ude01\ud835\uddf6\ud835\uddfc\ud835\uddfb \ud835\uddfc\ud835\uddf3 \ud835\udde3\ud835\uddff\ud835\uddf6\ud835\ude03\ud835\uddf6\ud835\uddf9\ud835\uddf2\ud835\uddf4\ud835\uddf2. Agents get broad permissions to stay useful. A prompt injection can ride those permissions and do anything the deploying user could. Most agents in production are wildly over-privileged.<\/p>\n\n\n\n
The threats aren’t a new shape. They’re just harder to spot, because agents behave probabilistically. You can’t read the source and point at the bug\u2014you have to poke the thing and see what falls out.
That’s exactly why the old frameworks earn their keep: they hand you the right questions even when the system’s a black box.<\/p>\n","protected":false},"excerpt":{"rendered":"Back in ’99, an engineer named Loren Kohnfelder wrote up “The Threats To Our Products” and gave security…","protected":false},"author":1,"featured_media":1039,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"csco_singular_sidebar":"","csco_page_header_type":"","csco_page_load_nextpost":"","footnotes":""},"categories":[1],"tags":[],"class_list":["post-1038","post","type-post","status-publish","format-standard","has-post-thumbnail","category-uncategorized","cs-entry"],"_links":{"self":[{"href":"https:\/\/newweblife.com\/index.php?rest_route=\/wp\/v2\/posts\/1038","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newweblife.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newweblife.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newweblife.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newweblife.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1038"}],"version-history":[{"count":1,"href":"https:\/\/newweblife.com\/index.php?rest_route=\/wp\/v2\/posts\/1038\/revisions"}],"predecessor-version":[{"id":1040,"href":"https:\/\/newweblife.com\/index.php?rest_route=\/wp\/v2\/posts\/1038\/revisions\/1040"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/newweblife.com\/index.php?rest_route=\/wp\/v2\/media\/1039"}],"wp:attachment":[{"href":"https:\/\/newweblife.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1038"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newweblife.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1038"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newweblife.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1038"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}