CHAPTER 7: DIVING DEEPER INTO PASTA

EXPLORING THE SEVEN STAGES AND EMBEDDED THREAT MODELING ACTIVITIES

“Knowing your own darkness is the best method for dealing with the darkness[es] of other people.”

Carl Gustav Jung, Swiss Psychiatrist

Knowledge is power. This is greatly exemplified in developing good and reliable software. At a basic level, poorly developed software generally excludes an adequate SDLC process. As the SDLC process aims to ensure that requirements and design patterns are incorporated, PASTA aims to ensure that those are devoid of risk. Power comes from knowing what coding errors exist prior to a production release. Ignorance is not knowing what weaknesses and vulnerabilities are actually exploitable via abuse cases. As hindsight is always 20/20 in the world of insecure software, PASTA provides the ability to create security foresight.

The following section will now walk through the PASTA process in the context of a newly forming application going through a generic, waterfall SDLC methodology. For this example, we will assume a simplified version of Agile SDLC methodology. Regardless of the flavor of SDLC used, threat modeling applications should run parallel to such a process in order to integrate into the generic definition, design, development, and testing phases of software development. The following depiction of the various stages of PASTA is intended to highlight what efforts should take place in conjunction with a developing ...

Get Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis now with the O’Reilly learning platform.
