PASTA

PASTA stands for The Process for Attack Simulation and Threat Analysis.

1. Define business objectives

• What’s important to your business?

2. Define the technical scope of assets and components

• Identify the attack surface. Look at configuration, databases, middleware, third-party components, etc. Document all of it.

3. Perform application decomposition

• Understand the relationship between the various components
• Understand use roles and permissions
• Data flow diagrams

4. Analyze threats
5. Detect vulnerabilities

• Identify issues by reviewing application architecture and by using scanning tools.

6. Analyze and model attacks

• Build attack trees: a diagram which shows how an asset can be targeted

7. Analyze risks or impacts and develop countermeasures