Walk me through how you would threat-model a new microservice using STRIDE.

STRIDE is a threat categorisation mnemonic: Spoofing (pretending to be someone else), Tampering (altering data), Repudiation (denying actions), Information Disclosure (leaking data), Denial of Service (crashing/overloading), Elevation of Privilege (gaining more access than granted).

Process: (1) Draw a data-flow diagram — map every component, data store, and trust boundary (e.g. browser → API server → DB). (2) For each element and each data flow, enumerate which STRIDE categories apply. (3) Rate each threat by likelihood × impact (or use the DREAD scoring model). (4) Map mitigations: authentication for Spoofing; HMAC/signatures for Tampering; audit logs for Repudiation; encryption for Information Disclosure; rate-limits/quotas for DoS; authorization + least-privilege for Elevation of Privilege. (5) Track identified threats as security requirements or backlog tickets so nothing is forgotten.