“Tell me and I forget. Teach me and I remember. Involve me and I learn.”
In this chapter, we show how to use the PASTA risk-centric threat modeling process to analyze the risks posed by specific threat agents targeting a web application, and specifically the web application assets that include customers' confidential data and the business-critical functionality the web application provides. Among the web application assets in scope for protection from threats, we will also consider information technology assets such as the application software components, applications, systems, and services on which this software is installed and run. The goal of this risk-centric threat modeling exercise is to determine the technical and business impact of opportunistic and targeted threat actors against the web application assets and to recommend protective and detective security controls that can be designed, implemented, and deployed to protect the web application assets from these threats and reduce the risk to the organization or business that is responsible for either owning or managing the web application assets.
Throughout this chapter, we will use NIST (National Institute of Standards and Technology) terminology and standard definitions for threats, vulnerabilities, attacks, and risks, as well as NIST standard definitions for risk management activities such as threat analysis and risk management. Note: Refer to the ...