handbook/templates/PASTA.md
2024-08-30 14:45:22 +02:00

20 lines
3.6 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
| | |
| ------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **Stages** | **Sneaker company** |
| I. Define business and security objectives | Make 2-3 notes of specific business requirements that will be analyzed.<br><br>- Will the app process transactions?<br> <br>- Does it do a lot of back-end processing?<br> <br>- Are there industry regulations that need to be considered? |
| II. Define the technical scope | List of technologies used by the application:<br><br>- Application programming interface (API)<br> <br>- Public key infrastructure (PKI)<br> <br>- SHA-256<br> <br>- SQL<br> <br><br> <br><br>Write 2-3 sentences (40-60 words) that describe why you choose to prioritize that technology over the others. |
| III. Decompose application | [Sample data flow diagram](https://docs.google.com/presentation/d/1ol7y79popTFfNHM-90ES-H-i1Lpd0YNvPShxBlXozjg/template/preview?resourcekey=0-DZAkf7Vzh2PXsP-j3oXV-g) |
| IV. Threat analysis | List 2 types of threats in the PASTA worksheet that are risks to the information being handled by the application.<br><br>- What are the internal threats?<br> <br>- What are the external threats? |
| V. Vulnerability analysis | List 2 vulnerabilities in the PASTA worksheet that could be exploited.<br><br>- Could there be things wrong with the codebase?<br> <br>- Could there be weaknesses in the database?<br> <br>- Could there be flaws in the network? |
| VI. Attack modeling | [Sample attack tree diagram](https://docs.google.com/presentation/d/1FmWLyHgmq9XQoVuMxOym2PHO8IuedCkan4moYnI-EJ0/template/preview?usp=sharing&resourcekey=0-zYPY7AhPJdcClXamlAfOag) |
| VII. Risk analysis and impact | List 4 security controls that youve learned about that can reduce risk. |
---