“Knowing your own darkness is the best method for dealing with the darkness[es] of other people.”
Carl Gustav Jung, Swiss Psychiatrist
Knowledge is power. This is well exemplified in developing good and reliable software. At a basic level, poorly developed software generally reflects the absence of an adequate SDLC process. Just as the SDLC process aims to ensure that requirements and design patterns are incorporated, PASTA aims to ensure that they are devoid of risk. Power comes from knowing what coding errors exist prior to a production release. Ignorance is not knowing what weaknesses and vulnerabilities are actually exploitable via abuse cases. As hindsight is always 20/20 in the world of insecure software, PASTA provides the ability to create security foresight.
The following section walks through the PASTA process in the context of a newly forming application going through a generic, waterfall, SDLC methodology. For this example, we will assume a simplified version of Agile SDLC methodology. Regardless of the flavor of SDLC used, threat modeling of applications should run parallel to that process so that it integrates into the generic definition, design, development, and testing phases of software development. The following depiction of the various stages of PASTA is intended to highlight what efforts should take place in conjunction with a developing ...