Architecture (A2): SDL Activities and Best Practices 111
methodology.¹⁶

The latest version of the Trike tool can be downloaded from the SourceForge website at http://sourceforge.net/projects/trike/files/trike. A security auditing team can use it to describe the security characteristics of a system from its high-level architecture to its low-level implementation details. The goal of Trike is to automate the repetitive parts of threat modeling. Trike automatically generates threats (and some attacks) based on a description of the system, but this requires that the user describe the system to Trike and check whether these threats and attacks apply.¹⁷ A key element of Trike is the empowerment, involvement, and communication with the key stakeholders, with complete progress and task status transparency, so that they know the level of risk and can evaluate acceptance of the risk throughout the software development process.
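To make concrete what "automatically generates threats based on a description of the system" looks like in practice, the following is an added toy example in Python. It is not Trike's code and does not reproduce Trike's actual model; the actor/asset/flow description, the three generation rules, the scoring scale and the sample web shop are all constructed for this illustration. The one property it keeps from the text is that every generated candidate stays unconfirmed until the analyst records a verdict on whether it applies.

```python
"""Toy rule-based threat generator (added illustration, not Trike's own code).

The system is described as actors, assets and the data flows between them;
candidate threats are derived mechanically from that description, and each
one is left for the analyst to confirm or reject. All names, rules and scores
below are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Actor:
    name: str
    trust: int  # 0 = anonymous, 1 = authenticated user, 2 = administrator


@dataclass(frozen=True)
class Asset:
    name: str
    sensitivity: int  # 1 = public, 2 = internal, 3 = confidential


@dataclass(frozen=True)
class Flow:
    """One actor performing one action on one asset over some channel."""
    actor: Actor
    asset: Asset
    action: str          # "read", "write" or "delete"
    intended: bool       # True if the design permits this actor/action pair
    authenticated: bool
    encrypted: bool


@dataclass
class Threat:
    flow: Flow
    kind: str
    rationale: str
    score: int                      # sensitivity x likelihood, 1..9
    applies: Optional[bool] = None  # analyst verdict; None = not yet reviewed


# Likelihood by actor trust: an anonymous actor is the easiest to impersonate.
LIKELIHOOD = {0: 3, 1: 2, 2: 1}


def score(flow: Flow) -> int:
    return flow.asset.sensitivity * LIKELIHOOD.get(flow.actor.trust, 1)


def generate_threats(flows: List[Flow]) -> List[Threat]:
    """Apply three fixed rules to every flow and rank the candidates."""
    found: List[Threat] = []
    for f in flows:
        s = score(f)
        if not f.intended:
            found.append(Threat(f, "elevation of privilege",
                f"{f.actor.name} is not meant to {f.action} {f.asset.name}", s))
        elif f.action in ("write", "delete") and not f.authenticated:
            found.append(Threat(f, "elevation of privilege",
                f"unauthenticated {f.action} on {f.asset.name}: anyone can act as {f.actor.name}", s))
        if f.action == "read" and not f.encrypted and f.asset.sensitivity >= 2:
            found.append(Threat(f, "information disclosure",
                f"{f.asset.name} is read over an unencrypted channel", s))
        if f.intended:
            # Every intended action can be blocked; rate it one step below abuse.
            found.append(Threat(f, "denial of service",
                f"blocking this flow stops {f.actor.name} from {f.action} on {f.asset.name}",
                max(1, s - 1)))
    return sorted(found, key=lambda t: t.score, reverse=True)


def review(threats: List[Threat], verdicts: dict) -> List[Threat]:
    """Record analyst verdicts keyed by (actor, asset, action, kind) and
    return only the confirmed threats, highest score first."""
    for t in threats:
        key = (t.flow.actor.name, t.flow.asset.name, t.flow.action, t.kind)
        if key in verdicts:
            t.applies = verdicts[key]
    return [t for t in threats if t.applies]


# Constructed sample: a small web shop, not any real system.
ANON, USER, ADMIN = Actor("anonymous", 0), Actor("customer", 1), Actor("admin", 2)
CATALOG, ORDERS, CREDS = Asset("catalog", 1), Asset("orders", 2), Asset("credentials", 3)
SAMPLE_FLOWS = [
    Flow(ANON, CATALOG, "read", True, False, False),
    Flow(USER, ORDERS, "read", True, True, True),
    Flow(USER, ORDERS, "write", True, True, True),
    Flow(ANON, ORDERS, "write", False, False, False),
    Flow(ADMIN, CREDS, "read", True, True, False),
]
# Constructed analyst verdicts; everything not listed stays pending.
SAMPLE_VERDICTS = {
    ("anonymous", "orders", "write", "elevation of privilege"): True,
    ("admin", "credentials", "read", "information disclosure"): True,
    ("anonymous", "catalog", "read", "denial of service"): False,
}

if __name__ == "__main__":
    for t in review(generate_threats(SAMPLE_FLOWS), SAMPLE_VERDICTS):
        print(f"[{t.score}] {t.kind}: {t.rationale}")
```

The generator deliberately over-produces: on the five sample flows it emits six candidates, of which the analyst confirms two and rejects one, leaving three to be reviewed. That pending state is the point the text makes about Trike: the tool does the enumeration, but a person still decides which threats apply.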
4.3.3.8 PASTA (Process for Attack Simulation and Threat Analysis)
In 2011, a new application threat modeling methodology developed by Marco Morana and Tony Uceda Velez was presented. PASTA is a seven-step process that is applicable to most application development methodologies and is platform-agnostic. It not only aligns business objectives with technical requirements but also takes into account compliance requirements, business impact analysis, and a dynamic approach to threat management, enumeration, and scoring. The process begins with a clear definition of business objectives, security and compliance requirements, and business impact analysis. Similar to the Microsoft process, the application is decomposed into components, with use case diagrams and DFDs to illustrate the threat model with which threat and vulnerability analysis can be performed. The next step involves the use of threat trees, abuse cases, scoring systems, and enumerations for further reference in analysis. Following this, the threat model is viewed from an attacker's perspective by attack modeling in attack trees and attack surface analysis. In the final step, risk and business impact can be qualified and quantified, and the necessary countermeasures identified. This process combines the best of various threat modeling approaches, with the attack trees serving as an attacker-centric means of viewing a threat and, in combination with risk and impact analysis, helping to create an asset-centric means of planning a mitigation strategy. The threat trees,