PASTA Threat Modeling for Cybersecurity | OWASP All Chapters 2020 Presentation


How do you incorporate a risk-centric approach to your threat models and security program? How do you bring context to cybersecurity risks? How do you create a stronger business threat model or application threat model?
This webinar is an introduction to a risk-centric approach to threat modeling and to PASTA Threat Modeling. PASTA threat model co-creator, Tony UcedaVélez, will walk you through what PASTA is and how to apply it to your own cyber security operations. We welcome all software and application developers, architects, and security professionals to join us in creating stronger threat models.
This presentation was part of the OWASP All Chapters Day 2020 as Cooking with PASTA and is also available on their channel here: • OWASP Chapters All Day...
// MORE PASTA RESOURCES AT VERSPRITE //
✦ Learn More About PASTA: versprite.com/security-offeri...
✦ Download an Excerpt From Tony’s Book on PASTA: versprite.com/security-testin...
✦ Blog - Threat Models as Blueprints for Threat Intelligence, Threat Data (SOCs): versprite.com/blog/threat-int...
// TIMESTAMPS //
00:00 - Welcome to Cooking with Pasta by Tony UcedaVélez
01:24 - Who is Tony UcedaVélez? Creator of PASTA Threat Modeling
02:23 - Presentation Overview
02:58 - What is the PASTA Threat Modeling Methodology? What is Application Risk?
04:07 - A Brief Breakdown of each of the PASTA methodology stages
08:50 - What is the Process for Attack Simulation & Threat Analysis (PASTA Threat Modeling) and what is its value?
10:55 - What are some of the supporting activities to PASTA? Integrating existing security efforts to PASTA stages.
11:51 - Stage 1: How to define the objectives of the business or application to create the threat model and incorporating governance and compliance.
15:42 - Stage 2: How to define the technical scope. Understanding the application attack surface and know what it is you’re protecting.
21:29 - Stage 3: How to break down application components (decomposition). This stage maps the relationship between components and answers, “How does this all come together?”.
26:27 - Stage 4: Threat Intelligence Consumption & Analysis. How to rethink detection response using context.
33:50 - Stage 5: Vulnerability Analysis and Weakness Analysis. How to map vulnerabilities/weakness to components of the application model that support the threat goals.
43:10 - Stage 6: The Attack Modeling Phase. How to build threat-inspired attack patterns and testing threats for viability.
50:39 - Stage 7: How to perform more effective residual risk analysis. Focusing on countermeasures that reduce risk to the application risk profile and overall business impact.
59:59 - Q&A and Farewells
// ABOUT TONY //
Tony UcedaVélez is the co-creator of the Process for Attack Simulation & Threat Analysis and the CEO of VerSprite. Tony has over 25 years of IT/InfoSec work across a vast range of industries. He is also the OWASP leader for Atlanta, GA.
Connect with Tony:
✦ LinkedIn: / tonyuv
✦ Twitter: / t0nyuv
// FIND VERSPRITE’S CYBERSECURITY TEAM ONLINE //
✦ VerSprite: versprite.com/
✦ LinkedIn: / versprite-llc
✦ Twitter: / versprite
✦ KZread: / @versprite
// ABOUT VERSPRITE //
VerSprite is a leader in operational risk management and security advisory services, enabling businesses to improve the protection of critical assets, ensuring compliance and managing risk. Our mission is to help you understand and improve your organization’s cybersecurity posture. With cyberattacks increasing in number and sophistication daily, it’s important to protect your organization’s assets, protect your clients and to maintain the same, great reputation and trust you’ve worked hard to build. We believe that an integrated approach will result in better and more cost-effective security practices and better business outcomes overall.
✦ Visit our website: versprite.com/
#threatmodeling #cybersecuritytraining #pastathreatmodel

Comments: 21

  • @user-zl6eo8zw4m
    5 months ago

    Clear and comprehensive insight into PASTA. Greatly appreciated! Ty 👍

  • @Papabuonair
    3 years ago

    Thanks! very good ideas!

  • @satyajitdas435
    2 years ago

    Informative !!

  • @afrahfathima8866
    2 years ago

    very informative video

  • @newworldorder7
    1 year ago

    Where is the formula in 53:24 from? Could you please explain again the logic behind it and how to use it?

  • @Phonger.
    3 years ago

    Hey brother can you build threat model for an erp app

  • @null-mk4zs
    2 years ago

    Hi, VerSprite. I have watched your full video, and thank you so much for sharing this video! I wanna know if I could make a DFD diagram for a workflow which involves kinds of software, and then create a Threat Model? I am looking forward to your answer~ Thanks so much!

  • @VerSprite

    2 years ago

    Yes, DFD is one of the most important steps in Stage 3 PASTA threat modeling. The processing of DFD information will help you better understand the inputs, the outputs, and the many actions in between. We also have a blog on our website that does a deeper dive into PASTA. Feel free to skip to stage 3 for more info on DFD: versprite.com/blog/what-is-pasta-threat-modeling/

  • @tonyuv5062

    1 year ago

    You can use PASTA to do an org threat model vs. an app threat model and process decomposition is stage 3 of org threat modeling. You can determine if the workflow around software development bears any weaknesses that could be altered by a threat actor to any entity executing on those workflows. Helpful when trying to take that PFD (Process Flow Diagram) to see where abuse cases could be unleashed to affect code quality, code integrity, affect downstream build processes and more.

  • @_tube7362
    2 years ago

    very good presentation, can we do a single experiment or is it a free source to use it.

  • @VerSprite

    2 years ago

    ቅያ_Tube, thank you for watching. Here is a link to the PASTA ebook for reference. versprite.com/ebooks/leveraging-risk-centric-threat-models-for-integrated-risk-management/ Please feel free to use PASTA in your organizational threat modeling. If you need further assistance or just want to chat please feel free to contact us anytime. versprite.com/contact/

  • @sundayawo8767
    1 year ago

    hey i have a class assignment on threat modelling, can you help me out? pls let's talk about it

  • @VerSprite

    1 year ago

    Hello Sunday, thank you for reaching out. We have a lot of helpful threat modeling resources on our website. For example, here is a RACI Diagram that shows the role distribution during each step of the threat model. versprite.com/blog/application-security/threat-modeling/versprite-pasta-threat-modeling-raci-diagram/

  • @VerSprite

    1 year ago

    Here is a link to the PASTA threat modeling ebook for reference. versprite.com/ebooks/leveraging-risk-centric-threat-models-for-integrated-risk-management/

  • @kevinfleming8571
    3 years ago

    You just blew your credibility by saying that STRIDE is useless. Clearly you're way too biased and can't play nice with the other kids. Bye

  • @maciekstrzelecki8686

    3 years ago

    Don't let the door hit you on the way out! ;-)

  • @tonyuv5062

    1 year ago

    I guess I like to be wrong. It's 2023 and using an immutable threat categorization from over 20 years ago is still useful in a world of extortion, persistence, cryptojacking that doesn't align to any of those 6 buckets. 🤡

  • @snaz738
    2 years ago

    please contact me for the assistance of threat modeling using mitre model

  • @VerSprite

    2 years ago

    Hi S Naz, would love to discuss this in further detail. Please provide me with your email address, or simply go to our contact page and fill out the form (versprite.com/contact/). Looking forward to connecting with you.

  • @afrahfathima8866

    2 years ago

    need some help regarding Threat modeling

  • @VerSprite

    2 years ago

    Hi @afrahfathima8866, would love to connect and help you with your Threat Model. Please provide your email address, or simply go to our contact page and fill out the form (versprite.com/contact/). Looking forward to helping you.
