PASTA vs STRIDE - How Are They Different?
HTML-код
- Опубликовано: 7 дек 2023
- Download the PASTA ebook:
versprite.com/security-resour...
In this video, Tony UV answers the question he gets asked the most
"What is the difference between PASTA and STRIDE?".
watch the video to learn the true differences between PASTA & STRIDE.
PASTA (Process for Attack Simulation and Threat Analysis) and STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege) are both frameworks used for threat modeling in the field of cybersecurity, but they have some differences in their approach and focus.
PASTA is a risk-centric threat modeling framework that focuses on identifying and prioritizing risks based on business impact. It emphasizes understanding the business context and aligning security efforts with business objectives.
STRIDE is a threat-centric framework developed by Microsoft in 1995. It provides a structured approach to identify and categorize different types of security threats that a system may face. The six categories in STRIDE represent common types of threats.
// FIND VERSPRITE’S CYBERSECURITY TEAM ONLINE //
✦ VerSprite: versprite.com/
✦ LinkedIn: / versprite-llc
✦ Twitter: / versprite
✦ RUclips: / versprite
// ABOUT VERSPRITE //
VerSprite is a leader in risk-based cybersecurity services and PASTA threat modeling, enabling businesses to improve the protection of critical assets, ensure compliance, and manage risk. Our mission is to help you understand and improve your organization’s cybersecurity posture. With cyberattacks increasing in number and sophistication daily, it is essential to protect your organization’s assets, protect your clients, and maintain the same, great reputation and trust you have worked hard to build. We believe that an integrated approach will result in better and more cost-effective security practices and business outcomes.
#threatmodeling #cybersecurity #VerSprite 
Наука
Hi Tony,
in your video description you wrote "STRIDE is a threat-centric framework ". Sorry but in IMHO it is neither threat-centric nor a framework.
It is system or software centric process for treat modeling.
You mentioned in other videos that it is useless because of the "static" six threats categories.
I highly disagree that STRIDE with any Risk Assessment is useless. Maybe you will not find all threats but you can always extend STRIDE with Attack Tree as well, like proposed in the ISO 21434
As a consultant and as an embedded software architect I would be very happen when my customers are doing threat modeling and risk assessement regardless of the chosen method/process.
It really doesn't matter which method/process they choose for threat modeling. When the majority of the companies are doing threat modeling then we can talk again if for example PASTA is more efficient and effectiv comparing to STRIDE or another methode like TRIKE or OCTAVE. Threat modeling und risk assessment are only a small but important part in a secure development life cycle.
It would be even better when development companies would practice a secure development life cycle like the one proposed in the IEC 62443
So the argument that when something is old and static, it is useless, is in my opinion not correct.
Take for example the Security Design Principle from Saltzer and Schroeder.
Those were published in 1975 and they are old and still valid.
Instead on bashing STRIDE is useless, it would be more credible when you as a professional are focusing more on the real advantages of PASTA.
E.g is PASTA more efficient and effective comparing to other threat modeling and risk assessment methods/processes
Yep, well everywhere I went, people literally always asked me to present the differences, so this video was a manifestation of that. STRIDE is not a true methodology. It's simply a threat categorization. This has been its self-provided description since inception. You can always make anything extensible to any other frameworks. This is inherent. That doesn't the extended capability elevates the innate qualities of the mnemonic. It's USED for software centric processes, but it IS a threat categorization. All threats fall into one of six immutable buckets. Those letters relate to "threats" (in their opinion, not mine btw, as Spoofing is not a threat but an attack. The end goal is not spoofing, and no real cybercriminal will concur the end goal is "spoofing" - first letter of STRIDE). Threats have objectives in the real cybercriminal world and those objectives leverage attack patterns of which "Spoofing" is one of them but it's not in itself the objective. Yes, STRIDE is used to simplify software and architecture analysis to ask, "where can these threats take place in my software/ app model". It's not a methodology and again the extensibility of anything doesn't then make it innately adopt those attributes of that extensible ISO or NIST framework.
@@TTT-jt9zw IMHO Spoofing can be both a threat and an attack. It depends on the point of view.
But still STRIDE is per se is not useless. Those 6 catagories are still valid.
I would agree that STRIDE is not as extendible as PASTA but in combination with Attack Tree and a proper risk assessment you will find and assess enough threats and risks that you can say, my system is now more secure then before.
The comparison betwenn PASTA and STRIDE is for me like comapring apples with pears because PASTA is much more then threat modeling alone.
Comparing the TARA from ISO 21434 (HEAVENS 2.0) with PASTA would be more accurate.
@@juergenm6107 STRIDE may be a good start for students or SMBs but orgs facing serious threats and those threats are changing, I would not admit to doing threat modeling with static, immutable threat categories in today's threat landscape. Again, personal opinion, but logically with all the dynamic threats that map to a multitude of attacks, it would be remiss for product owners to not have threat intel inspired threat models. PASTA was invented by Marco and I after having used STRIDE and TRIKE for years so it is the risk centric threat modeling methodology. Anytime sites mention "methodology" STRIDE is not. I think the term methodology should be looked up b/c it's not a process for doing but simply an aid. PASTA was invented as 7 step methodology that aligns to maturity models and allows companies to build their own PASTA. GitLab is just one of many orgs that take PASTA and make their own. Their are 7 stages and 34 activities. You can make it what you want. If one is having to take STRIDE, add a framework, rope in a risk assessment, the big question is, why not just do PASTA? GitLab made a post btw on their PASTA adoption journey. about.gitlab.com/blog/2021/07/09/creating-a-threat-model-that-works-for-gitlab/