Skip to content

What is PASTA Threat Modeling?

Threat models are commonly employed by security experts to find vulnerabilities in applications, and specifically exploiting apps (mobile, IoT, etc.) for security reasons. Threat modeling lets you recognize security issues and design suitable countermeasures to prevent them from being utilized by hackers. It is the Process for Attack Simulation and Threat Analysis (PASTA) is a risk-centric approach to threat modeling that offers a step-by-step method to integrate the analysis of risk and its context into the overall security strategy right from the very beginning. PASTA promotes collaboration among all stakeholder groups to create an environment that is that is focused on security.

What is PASTA threat Modeling?

It is the Process of Attack Simulation and Threat Analysis (PASTA) is an approach to threat modeling that is risk-centric that was co-founded in the year the year 2015 by VerSprite Chief Executive Officer Tony UcedaVelez and security leader Marco M. Morana. Companies all over the globe such as GitLab are adopting PASTA as their internal threat modeling standards due to its risk-centric approach, collaborative tendency and evidence-based threat intelligence and a focus on the likelihood of every attack.

PASTA lets collaboration between business and developer stakeholders to fully know the application’s risk as well as its vulnerability to attack, and its business consequences if there were the possibility of a breach. Other threat modeling frameworks are often focused on a single element, for example, code as well as the attack itself. For example STRIP (Spoofing Tampering, Repudiation and Information Disclosure and Denial of Service (DoS) and Elevation Privilege) is a mnemonic which has been utilized and recommended by numerous. It’s easy to implement since it’s an unchanging framework. With ever-changing threat landscapes, it does not seem sensible to create static threats that span a range of sectors. PASTA offers a variety of advantages over other threat modeling techniques.

The benefits from PASTA threat modeling:

Contextualized approach that is always tied back to the business context
Tests the viability of threats based on facts
Considers the viewpoint of an attacker
Utilizes existing processes within the company
Collaboration process that can easily increase or decrease the size of the group.

The 7 Steps of PASTA

PASTA comprises seven stages each one acting as a foundation for each other. This lets your threat model be a sequential process and make use of existing security testing processes in your company including code review, third-party analyzers of static libraries and threat monitoring of application infrastructure.

First Step: Define the Goals

The first step in the PASTA procedure is to determine the goals. These could be internal driven or externally driven. They could also be controlled by your user base. It is important to understand what the intention behind the application. What is it that will make your business money? Maybe it’s some back-end process. What regulations have to be included? In contrast to static threat modeling techniques in stage one, PASTA offers the possibility to include governance into the discussions and incorporate it into the discussion from the very beginning.
Governance and Compliance in your Threat Model:

External Framework External Framework CoBit, ISO, NIST, SANS, CAG, CIS
Internal Standards for Crypto authentication, .NET security, JAVA security
External Regulations – PCIDSS, NERC CIP, FIPS 140-2, FedRAMP
Internal Process/Artifacts : risk assessments, vulnerability assessment SAST/DAST reports

Your business does not want to be penalized. It’s not interested in an application that’s not resistant, or an application that can leak personal or credentials for reputational and liability reasons. Be sure to understand the goals of your business first, and then align the goals with your security needs.

Stage Two 2. Determine the technical scope

Stage 2 in PASTA threat modeling is to comprehend the attack surface of your organization by setting your technical scope: understand what you’re protecting. The most frequent theme among experts in the field of application security as well as product security, is the lack of scope since we’re focused solely on the application realm.

When you’re defining an attack area it is important to know what you’re dealing with and what kind of dependencies could be in place with third-party service. These could include services developed by a developer and maintained systems as engineers, or parts that are monitored by the infrastructure.

Attack Surface Component Examples:

API endpoints
Web-based application
Network infrastructure
OS Settings
DNS server
Certificate server
Mobile client
3rd party library and SW
Data storage device
Application Framework
Kubernetes configuration
Docker configuration
Configuration of services

PASTA is intended to be a collaboration initiative and encourages collaboration with engineers and cloud team developers, architects, and developers to ask “What do you work with? What are you doing to support this situation?” And then “What could be the best way to bring them together? What is the current technology environment?” This conversation will help you proceed to the third stage, which is application decomposition.

Step Three: Disassemble the Application

The third stage of PASTA is the decomposition of applications. In the second stage we created context around the application we’re doing. The third stage is about making sense of the way everything is communicating, and how everything is connected. The most important outcome in this process is determine the degree of trust you have in models and what they represent. It could include an IoT device that is communicating with the cloud and an embedded system communicating to an auto component. There could be unintentional trust models that can be a suitable channel for exploiting.

In this phase you must create diagrams of data flow. It is recommended that you use your architectural framework to comprehend the calls and integrations that you have discovered in stage two. Data flow diagrams do not represent threat modeling. Data flow diagrams show the flow of information between users across trust boundaries however it does not provide any representation of threats. It does not show the developer or engineer what to be concerned about, however, it only provides a diagram for analysis.

Fourth Stage: Evaluate the threats

Stage four involves analyzing the threats. The most important output from step four will be to comprehend what the application is doing and how threats are impacting your attack surface.

The scope of your project is determined by the technology you choose to use, as defined in the stage two. Also, you must consider the type of data you’re using as well as your data model and the model you use to consume data. What kinds of threats are more prevalent based on the way you’re using data? As an expert in threat modeling and security advocate it is essential to understand the threat landscape that is relevant to you . This is done by studying the threat intelligence to gain an understanding of the behavior of attackers against your business and technological footprint. Once you have that, you are able to begin building an individual threat database.

Traditional methods for modeling threats don’t have the context of a threat. When we provide information about threats, we do not want to scare our audience. No matter if they’re developers or owners, we need to have reliable, scientifically-backed threats to develop upon. Imagine cooking a real dinner of spaghetti. If you’re a real pasta lover, then you should not make pasta using a thin bland sauce. You need good evidence-based sauce. PASTA lets you create relevant threat analysis that is useful to your customers.

What to do and what not to do of Threat Information Consumption & Analysis


Make your own threats using intelligence using external or internal researchers, or internal logs
Find out the origins of your threat sources from, they’re relevant, and cross-validated


Make use of one source for threat intelligence data
Utilize your threat intelligence of competitors to provide a foundation for industry-related threats
Make sure the analysis of threats uncover items you didn’t take into consideration in the stages 2 , 3 (this signifies that you performed these steps incorrectly)”

Stage Five: Analysis of Vulnerability

Stage five links the vulnerability of the application to the application’s strengths. How do you combine methods and best practices for example, volume management and dynamic analysis, volume assessments dynamic analysis and more.? In all the chaos you’re seeing during the vulnerability analysis, which are the risks that are relevant to the threats that are within the threat database? The main difference between PASTA and PASTA is that it focuses on the those risks that are likely to have the greatest impact on the company dependent on stage one.

In the next stage You identify what’s wrong. What’s wrong with your application? It’s not only vulnerabilities that could be present in my code base using static analysis however, what’s wrong in my design? What is wrong in my trust model that I could have discovered during stage three? There are a variety of reasons to put your trust model in the vulnerability bucket. These include weaknesses or flaws discovered through manual security tests and weaknesses or vulnerabilities in your architecture that result from the diagram of your data flow, or other types of vulnerability scanners to mention some.

Stage Six: Analysis of Attack

The primary goal of the sixth stage of PASTA is to show that the methods we discovered to be to be vulnerable in stage 5 can be used in stage six. To create a solid attack model you must use attack trees. The use of attack trees allows you to connect vulnerabilities that are known to a particular node on the attack tree in order to determine its probability.

How to create an Attack Tree

The root node of your attack tree will typically be the goal of your threat. For instance, if you’re a criminal, you’ll want to hack into credit card details. The primary nodes must be the component of the application that is affected, AKA the target – which will be the one that has access to this data. There are additional nodes taken from the attack library that you built earlier. The ultimate purpose is to develop the blueprint for exploiting. The best thing about attack trees is that they can be massive small, medium, or large and focus on either the entire application or a single asset within the Software Development Life Cycle.

Stage Seven Stage Seven: Risk and Impact Analysis

In the final analysis, PASTA threat analysis is focused on reducing risks. The ultimate goal for stage seven is to create countermeasures that reduce the risks which are crucial. In order to conclude our threat model exercise we’ll need to use and integrate the data we gathered during the first six stages.

In incorporating all of the information you have this way, you’ll be able to gain access to the impact of attacks through simulations. In addition, by increasing your awareness of the effects of exploits and weaknesses in countermeasures, it is possible to make more informed decision-making about risk management that can reduce time and money.