Threat Modeling with PASTA – My Work

Overview

I applied the PASTA threat-modeling framework to a new sneaker-marketplace app. Over seven stages, I captured business goals, mapped technical components, identified threats and vulnerabilities, and proposed controls that satisfy the security requirements.

Scenario

I’m on the security team for a mobile app that lets sneaker enthusiasts buy, sell, and rate shoes. The app supports account creation, messaging, and payment processing. My task was to work through all PASTA stages to deliver a clear set of security recommendations before launch.

Work Done

For each PASTA stage, my notes:

I. Business Objectives
  • Users must securely register and log in via internal or external identity providers.
  • The app must process financial transactions in compliance with PCI-DSS.
  • High availability and data privacy are required to maintain user trust.

II. Technical Scope
  • RESTful API for client-server communication
  • PKI/TLS for encryption of data in transit
  • SHA-256 for hashing sensitive data
  • SQL database for storing user and transaction records

I prioritized securing the API endpoint first—since it handles all user input—and enforcing TLS to protect every network request.

III. Decompose App

I reviewed the PASTA data flow diagram to map how “Search → Query DB → Return Listings” operates. This helped me pinpoint where user input enters the system and where transaction data is stored.

IV. Threat Analysis
  • Injection attacks against unsanitized parameters
  • Session hijacking via stolen authentication tokens
V. Vulnerability Analysis
  • Use of dynamic SQL without prepared statements
  • Weak or expired API tokens allowing unauthorized access
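To make the Stage V finding concrete, here is an added example (my own illustration, not part of the original PASTA deliverable) of the "Search → Query DB → Return Listings" flow written both ways: once with dynamic SQL that splices the search term into the query text, and once with a prepared statement as recommended under Stage VII. The listings table, the rows and the search terms are constructed for the demo; the database is an in-memory SQLite stand-in for the app's SQL database.

```python
import sqlite3

# Constructed in-memory listings table standing in for the app's SQL database.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE listings (id INTEGER PRIMARY KEY, model TEXT, price_cents INTEGER)"
    )
    conn.executemany(
        "INSERT INTO listings (model, price_cents) VALUES (?, ?)",
        [("Air Jordan 1", 25000), ("Dunk Low", 12000), ("Yeezy 350", 30000)],
    )
    conn.commit()
    return conn

def search_dynamic_sql(conn: sqlite3.Connection, term: str) -> list:
    # VULNERABLE (Stage V finding): the user-controlled search term is spliced
    # into the SQL text, so quote characters in the input rewrite the query.
    sql = f"SELECT model FROM listings WHERE model LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]

def search_prepared(conn: sqlite3.Connection, term: str) -> list:
    # HARDENED (Stage VII control): a prepared statement with a bound parameter.
    # The input is always treated as data; the LIKE wildcards are added to the
    # bound value, never to the query text.
    sql = "SELECT model FROM listings WHERE model LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]

def demo() -> dict:
    """Runs both search implementations on a normal and a hostile term."""
    conn = build_db()
    normal = "Dunk"
    # Constructed tautology input: in the dynamic version it closes the string
    # literal and appends OR 1=1, so every listing is returned.
    hostile = "zzz' OR 1=1 OR '"
    return {
        "dynamic_normal": search_dynamic_sql(conn, normal),
        "dynamic_hostile": search_dynamic_sql(conn, hostile),
        "prepared_normal": search_prepared(conn, normal),
        "prepared_hostile": search_prepared(conn, hostile),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The prepared version returns no rows for the hostile term because the whole string is matched literally against the model column, which is exactly the property the Stage VII "prepared statements/ORM" control is meant to guarantee. An ORM that builds parameterized queries gives the same result; string formatting into SQL text anywhere in the code base reopens the path.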
VI. Attack Modeling

I built an attack tree with root “Compromise App,” branches for “SQL Injection” and “Token Theft,” and leaf nodes detailing input vectors and session cookie capture.

VII. Controls & Mitigations
  • Enforce prepared statements/ORM to eliminate injection paths
  • Require multi-factor authentication for all privileged actions
  • Rotate and validate API tokens with strict expiration policies
  • Maintain incident response procedures and regular security audits
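The token control ("rotate and validate API tokens with strict expiration policies") is easy to state and easy to get wrong, so here is an added example of what it looks like in code. This is my own illustration, not code from the app; the signing key, the 15-minute lifetime, the in-memory revocation set and the token layout (base64url JSON body plus an HMAC-SHA256 tag) are all assumptions chosen for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Hypothetical server-side signing key; a real deployment loads it from a secret store.
SIGNING_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 15 * 60   # strict expiration: short-lived access tokens (assumed value)
REVOKED = set()               # token ids invalidated by rotation or logout (in-memory stand-in)

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(user_id: str, now: Optional[float] = None) -> str:
    """Mint a token carrying subject, unique id, issue time and expiry, signed with HMAC-SHA256."""
    now = time.time() if now is None else now
    payload = {
        "sub": user_id,
        "jti": secrets.token_hex(8),
        "iat": int(now),
        "exp": int(now) + TOKEN_TTL_SECONDS,
    }
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    tag = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"

def validate_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload only if signature, expiry and revocation checks all pass."""
    now = time.time() if now is None else now
    try:
        body, tag = token.split(".", 1)
        given_tag = _unb64(tag)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    # Constant-time comparison so a forged tag fails without leaking timing information.
    if not hmac.compare_digest(given_tag, expected):
        return None
    payload = json.loads(_unb64(body))
    # Reject expired tokens and tokens whose id was revoked by an earlier rotation.
    if payload["exp"] <= now or payload["jti"] in REVOKED:
        return None
    return payload

def rotate_token(old_token: str, now: Optional[float] = None) -> Optional[str]:
    """Exchange a still-valid token for a fresh one and revoke the old one."""
    payload = validate_token(old_token, now)
    if payload is None:
        return None
    REVOKED.add(payload["jti"])
    return issue_token(payload["sub"], now)

if __name__ == "__main__":
    tok = issue_token("user-42")
    print("valid now:", validate_token(tok) is not None)
    fresh = rotate_token(tok)
    print("old token after rotation:", validate_token(tok))
    print("new token after rotation:", validate_token(fresh)["sub"])
```

Three properties matter for the "token theft" branch of the attack tree: a captured token stops working at `exp` even if the theft is never noticed, rotation revokes the previous `jti` so a copied token cannot be replayed after the legitimate client refreshes, and the signature check rejects any token the server did not mint. The revocation set is kept in memory here only for illustration; across multiple API servers it would need a shared store.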

Conclusion

Completing PASTA end-to-end gave me a structured view of the app’s risks and a clear set of security requirements. The recommended controls—layered across technical, operational, and managerial domains—will guide the development team toward a more secure deployment.
