PASTA Threat Modeling vs STRIDE: How Are They Different?

แชร์
ฝัง
  • เผยแพร่เมื่อ 25 ธ.ค. 2024

ความคิดเห็น • 5

  • @juergenm6107
    @juergenm6107 10 หลายเดือนก่อน

    Hi Tony,
    in your video description you wrote "STRIDE is a threat-centric framework ". Sorry but in IMHO it is neither threat-centric nor a framework.
    It is system or software centric process for treat modeling.
    You mentioned in other videos that it is useless because of the "static" six threats categories.
    I highly disagree that STRIDE with any Risk Assessment is useless. Maybe you will not find all threats but you can always extend STRIDE with Attack Tree as well, like proposed in the ISO 21434
    As a consultant and as an embedded software architect I would be very happen when my customers are doing threat modeling and risk assessement regardless of the chosen method/process.
    It really doesn't matter which method/process they choose for threat modeling. When the majority of the companies are doing threat modeling then we can talk again if for example PASTA is more efficient and effectiv comparing to STRIDE or another methode like TRIKE or OCTAVE. Threat modeling und risk assessment are only a small but important part in a secure development life cycle.
    It would be even better when development companies would practice a secure development life cycle like the one proposed in the IEC 62443
    So the argument that when something is old and static, it is useless, is in my opinion not correct.
    Take for example the Security Design Principle from Saltzer and Schroeder.
    Those were published in 1975 and they are old and still valid.
    Instead on bashing STRIDE is useless, it would be more credible when you as a professional are focusing more on the real advantages of PASTA.
    E.g is PASTA more efficient and effective comparing to other threat modeling and risk assessment methods/processes

    • @TTT-jt9zw
      @TTT-jt9zw 10 หลายเดือนก่อน +3

      Yep, well everywhere I went, people literally always asked me to present the differences, so this video was a manifestation of that. STRIDE is not a true methodology. It's simply a threat categorization. This has been its self-provided description since inception. You can always make anything extensible to any other frameworks. This is inherent. That doesn't the extended capability elevates the innate qualities of the mnemonic. It's USED for software centric processes, but it IS a threat categorization. All threats fall into one of six immutable buckets. Those letters relate to "threats" (in their opinion, not mine btw, as Spoofing is not a threat but an attack. The end goal is not spoofing, and no real cybercriminal will concur the end goal is "spoofing" - first letter of STRIDE). Threats have objectives in the real cybercriminal world and those objectives leverage attack patterns of which "Spoofing" is one of them but it's not in itself the objective. Yes, STRIDE is used to simplify software and architecture analysis to ask, "where can these threats take place in my software/ app model". It's not a methodology and again the extensibility of anything doesn't then make it innately adopt those attributes of that extensible ISO or NIST framework.

    • @juergenm6107
      @juergenm6107 10 หลายเดือนก่อน

      @@TTT-jt9zw IMHO Spoofing can be both a threat and an attack. It depends on the point of view.
      But still STRIDE is per se is not useless. Those 6 catagories are still valid.
      I would agree that STRIDE is not as extendible as PASTA but in combination with Attack Tree and a proper risk assessment you will find and assess enough threats and risks that you can say, my system is now more secure then before.
      The comparison betwenn PASTA and STRIDE is for me like comapring apples with pears because PASTA is much more then threat modeling alone.
      Comparing the TARA from ISO 21434 (HEAVENS 2.0) with PASTA would be more accurate.

    • @TTT-jt9zw
      @TTT-jt9zw 10 หลายเดือนก่อน

      @@juergenm6107 STRIDE may be a good start for students or SMBs but orgs facing serious threats and those threats are changing, I would not admit to doing threat modeling with static, immutable threat categories in today's threat landscape. Again, personal opinion, but logically with all the dynamic threats that map to a multitude of attacks, it would be remiss for product owners to not have threat intel inspired threat models. PASTA was invented by Marco and I after having used STRIDE and TRIKE for years so it is the risk centric threat modeling methodology. Anytime sites mention "methodology" STRIDE is not. I think the term methodology should be looked up b/c it's not a process for doing but simply an aid. PASTA was invented as 7 step methodology that aligns to maturity models and allows companies to build their own PASTA. GitLab is just one of many orgs that take PASTA and make their own. Their are 7 stages and 34 activities. You can make it what you want. If one is having to take STRIDE, add a framework, rope in a risk assessment, the big question is, why not just do PASTA? GitLab made a post btw on their PASTA adoption journey. about.gitlab.com/blog/2021/07/09/creating-a-threat-model-that-works-for-gitlab/