Making Web Security PASTA – BSidesATL 2011

Discover & Attack Vulnerabilities

Process for Attack Simulation & Threat Analysis (PASTA) is an asset centric (or risk-based) threat modeling methodology that connects the security dots within a given SDLC - those dots being how to discover vulnerabilities, attack them, apply the right countermeasures, and more.

Application Security Assessments

Today’s application assessment options are both misunderstood and misapplied when assessing web applications or any application environment.

Often times, traditional security tools and testing methods seem to compete with one another instead of supporting a common goal, especially when trying foster a’ build security in’ doctrine.

This concept of building security in has been spoken of for some time and no real traction has taken place among various adopters, even with the information and support around frameworks such as the Software Assurance Maturity Model (SAMM) and Building Security-In Maturity Model (BSIMM), adoption is slower than anticipated.

The outlined process will provide a way in which BSIMM or SAMM can be sustained, via an anchored and repeatable threat modeling process.

Learn the PASTA Threat Modeling Process

Watch the video below to learn the PASTA process and go through key exercises that related to application decomposition including but not limited to data flow diagramming, attack tree build outs, and countermeasure development.

BSidesATL 2011-Tony UcedaVelez-Making your own Web Security P.A.S.T.A from Security BSides on Vimeo.


Tony UcedaVélez

In the realm of application security, Tony is a threat modeling evangelist and has provided numerous talks domestically and globally on its many benefits and application. Tony has consulted numerous global Fortune 500s organizations in both the private and public sector across a myriad of security disciplines ranging from security architecture and design to secure application development.

In addition, Tony has served as a guest mentor to teams participating in Kennesaw State University’s annual Cybercrime capture the flag event as well as a Cybercrime speaker for Southern Polytechnic University in Atlanta (2009).

He has also served as a guest speaker on the subject of application threat modeling during ISACA’s annual Geek Week event and has also served as a keynote speaker on the subject for ISACA’s Global Symposium web cast series. Additional articles include articles related to CoBIT and the ValIT model (ISACA’s Journal), application threat modeling within the SDLC (InSecureMagazine), and security process engineering for a ROSI (return on security investment) (Journal of Finance).

Tony currently leads the OWASP Atlanta Chapter, where he manages monthly workshops and events for the Atlanta web application security community. He is also serves on the OWASP Global Membership Board and regularly provides talks to other chapters nationwide, primarily on the topic of application threat modeling.

Subscribe for Our Updates

Subscribe for Our Updates

Please enter your email address and receive the latest updates.