1. Define Business Context of Application
This considers the inherent application risk profile and address other business impact considerations early in the SDLC or for given Sprint under Scrum activities.
2. Technology Enumeration
You can’t protect what you don’t know is the philosophy behind this stage. It’s intended to decompose the technology stack that supports the application components that realize the business objectives identified from Stage 1.
3. Application Decomposition
Focuses on understanding the data flows amongst application components and services in the application threat model.
4. Threat Analysis
Reviews threat assertions from data within the environment as well as industry threat intelligence that is relevant to service, data, and deployment model.
5. Weakness / Vulnerability Identification
Identifies the vulnerabilities and weaknesses within the application design and code and correlates to see if it supports the threat assertions from the prior stage.
6. Attack Simulation
This stage focuses on emulating attacks that could exploit identified weaknesses/vulnerabilities from the prior stage. It helps to also determine the threat viability via attack patterns.
7. Residual Risk Analysis
This stage centers around remediating vulnerabilities or weaknesses in code or design that can facilitate threats and underlying attack patterns. It may warrant some risk acceptance by broader application owners or development managers.
Allow us to tailor a PASTA application threat model for your application so you can effectively apply the risk-centric methodology within the regiment of their software security assurance process.
Modeling your application for threats helps to preemptively address security within your software development lifecycle. There's more to threat modeling than mapping a handful of threat categories to your application and building a data flow diagram. Learn how we can tailor the PASTA approach to fit your development timelines and maximize the output of application threat models.
1. It is a Methodology
If you’re looking for a process to follow, PASTA is designed for that. With seven phases with underlying activities in each phase, this approach is intended to guide new and experienced threat modelers across risk-centric application threat modeling activities.
PASTA not only looks at the variables of threat, vulnerability, countermeasures, and impact. Most importantly, it considers the probability of each variable and other supporting qualities like threat motives, current threat evidence, and countermeasure effectiveness.
Most threat modeling exercises simply include an audience of developers. This is a limited approach since developers depend on design, underlying infrastructure, managed corporate services (e.g. SSO, IAM, PKI, etc.), and the configuration of open frameworks. For this reason, architects, DevOps team members, systems engineers, business analysts, and SOC team members are also good candidates for collaborative threat modeling discussions under PASTA.
In the end, PASTA is focused on providing prescriptive guidance on the exploitable vulnerabilities that are of greater priority. The last phase, residual risk analysis, focuses on addressing security countermeasures to non-accepted application risks and providing remediation alternatives, all depending on the team’s risk impact considerations, threat likelihood, and cost of countermeasure implementation.
Concrete evidence around quantitative business impact values, threat information driven threat assertions, and attack trees with probability values on each branch help to denote threat likelihood.
6. Maturity Modeling Integration
Whether you have never done threat modeling before or are a team of security champions, the activities defined within each phase of PASTA can correlate to both BSIMM and OpenSAMM maturity models for secure software development programs. Inquire more on how you can track maturity over time with PASTA and these maturity models.
7. Pre-emptive Compliance
PASTA considers technical requirements for applications as part of its first stage since non-compliance can affect product assurance towards varying regulatory requirements.
Regardless of the type of engagement, VerSprite takes a complete manual approach for testing; automated testing is only an option for breadth of coverage or when necessary to complement certain tests. This guarantees a more in depth understanding of the target which ends up providing better quality results in terms of findings plus no false positives and real POCs for each of the issues found.
Define the Objectives
Define Business Objectives
Define Security Requirements
Define Compliance Requirements
Perform Preliminary Business Impact Analysis (BIA)
Define the Technical Scope
Capture the Application Boundaries
Identify the Application Dependencies From Network Environment
Identify the Application Dependencies from Servers -Services Infrastructure
Identify the Application Dependencies from Software
Decompose the Application
Data Flow Diagramming & Trust Boundaries
Identify Users & Actors, Roles and Permissions
Identify Assets, including Data as well as Hardware and Software
Identify Data Entry Points and Trust levels
Analyze the threats
Analyze Probabilistic Scenarios
Analyze Security Incident Reports and Fraud - Case Management Reports
Analyze Application and System Logs For Security Incidents and Fraud Cases
Correlate Security Incidents and Fraud with Threat Intelligence Source-Feeds
Vulnerabilities & Weaknesses Analysis
Correlate Vulnerabilities to Assets
Map Threat-Attacks to-Vulnerabilities Using Threat Trees
Map Threat To Security Flaws Using Use and Abuse Cases
Enumerate and Score Vulnerabilities
Model The Attacks
Identify Application Attack Surface
Derive Attack Trees For Threats and Targets-Assets in Scope
Map Attacks and Attack Vectors To Nodes of Attack Trees
Identify Exploits and Attack Paths Using Attack Trees
Risk and Impact Analysis
Quality and Quantity Business Impact
Identify Gaps in Security Controls / Countermeasures
Determine Residual Risks and Impacts
Identify Risk Mitigation Strategies