"PASTA for PMs – Risk Centric Threat Modeling for Project Management Professionals" presented by Tony UcedaVélez, CEO of VerSprite
The Governance Forum provides value to the PMI Atlanta community by offering participants:
- Discussion of field-tested best practices
- Decision frameworks to assess culture and apply the optimal strategy
- Key takeaways to “take to work tomorrow” that maximize the realization of value through the introduction and standardization of best practices in the oversight and execution of projects, programs, and portfolios
This talk will cover the Process for Attack Simulation and Threat Analysis (PASTA), the only risk-centric threat modeling methodology, and walk through each of its 7 stages. This risk-centric threat modeling methodology is a great complement to the new ideology of “shifting left” with security and having it included earlier in the SDLC. Threat modeling, and specifically PASTA, can become a key ally to PMs worldwide as many are striving to factor security, compliance, and privacy requirements into their various projects. During this talk, we’ll explore key goals within each stage of the methodology. Some of these are highlighted below:
- (Stage 1) Define Business Objectives: A risk-centric approach needs to build upon the context of what is important or impactful to a business. We will cover how to define business objectives that determine the priority of the security flaws, gaps, or weaknesses that need to be fixed. We’ll also explore the idea of inherent risk and visit standards that could be made part of governance requirements (both IT and security) and factored into this phase of a threat model.
- (Stage 2) Define Technology Scope: You can’t defend what you don’t know. Any project has moving parts, and those moving parts may represent the attack surface of a given product or service. We will learn to define these parts and see how the attack surface for our project gets itemized for defense before it is discovered and attacked by threat actors.
- (Stage 3) Application Decomposition: Use cases, product features and functions, and application roles and privileges are all important functional aspects of any project that need to be taken into consideration within a threat model. In this phase we’ll introduce some of the activities that take place to help PMs understand the consequences if security requirements are left out.
- (Stage 4) Threat Analysis: The heart of threat modeling is understanding threats. As a PM, you’ll want to know the common and most likely types of threats applicable to the product or service being developed or maintained as part of a project. Learn what to ask for and incorporate as a PM, and what your role is within a threat modeling process.
- (Stage 5) Vulnerability Analysis: Before we launch a given product or service, we must ensure that its release does not carry security debt into the organization. We’ll explore how to incorporate vulnerability details into the threat modeling process and into your PM initiatives so that flaws are addressed prior to launch, particularly those relevant to the risk level of a given application or product.
- (Stage 6) Attack Modeling: The probability of a threat occurring can be depicted based on the success of various adversarial security tests. We look at attack trees and the inputs and outputs of this phase that PMs should understand and capture so that they can address likely threat patterns for remediation earlier in the SDLC.
- (Stage 7) Residual Risk Analysis: In the end, it’s all about residual risk reduction. Similar to mitigating project risks, there may be security, privacy, and compliance risk issues that undermine the project being managed. Understand the key requirements that help reduce residual risk and which countermeasures to prioritize for you and your team prior to the implementation and maintenance phases of your project.
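The following is an added example, not material from the talk, from VerSprite, or from the PASTA book, showing how the artefacts of Stages 1, 6 and 7 above can be tied together in code: an attack tree (Stage 6) whose leaf probabilities stand in for the outcomes of adversarial security tests, a business-impact score (Stage 1), and a greedy ordering of countermeasures by how much residual risk each removes (Stage 7). The AND/OR probability rules are the standard attack-tree arithmetic for independent steps; the tree, the probabilities, the countermeasure reduction factors, the impact score and the greedy prioritization are all constructed assumptions for illustration, not PASTA's prescribed calculations.

```python
"""Attack-tree likelihood and residual-risk calculator (constructed example)."""
import math
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass
class AttackNode:
    """One node of an attack tree (a Stage 6 artefact)."""
    name: str
    gate: Optional[str] = None                    # "AND" / "OR" for intermediate nodes, None for a leaf
    probability: float = 0.0                      # leaf only: estimated success probability of this step
    children: List["AttackNode"] = field(default_factory=list)
    # leaf only: countermeasure name -> fraction by which it reduces this step's success probability
    countermeasures: Dict[str, float] = field(default_factory=dict)


def likelihood(node: AttackNode, applied: FrozenSet[str] = frozenset()) -> float:
    """Probability that the (sub)goal is reached, given the countermeasures already applied."""
    if node.gate is None:
        p = node.probability
        for name, reduction in node.countermeasures.items():
            if name in applied:
                p *= 1.0 - reduction
        return p
    child_p = [likelihood(c, applied) for c in node.children]
    if node.gate == "AND":        # every child step must succeed (steps treated as independent)
        return math.prod(child_p)
    if node.gate == "OR":         # any one child path is enough
        return 1.0 - math.prod(1.0 - p for p in child_p)
    raise ValueError(f"unknown gate {node.gate!r} on node {node.name!r}")


def residual_risk(root: AttackNode, impact: float, applied: FrozenSet[str] = frozenset()) -> float:
    """Residual risk = likelihood of the goal x business impact (Stage 1 input)."""
    return likelihood(root, applied) * impact


def all_countermeasures(node: AttackNode) -> Set[str]:
    found = set(node.countermeasures)
    for child in node.children:
        found |= all_countermeasures(child)
    return found


def prioritize(root: AttackNode, impact: float, target_risk: float) -> List[Tuple[str, float]]:
    """Greedy Stage 7 ordering: at each step apply the countermeasure that lowers residual risk most,
    stopping once the target residual risk is met. Returns (countermeasure, risk after applying it)."""
    applied: FrozenSet[str] = frozenset()
    remaining = all_countermeasures(root)
    plan: List[Tuple[str, float]] = []
    while remaining and residual_risk(root, impact, applied) > target_risk:
        # tie-break on name so the ordering is deterministic
        best = min(remaining, key=lambda cm: (residual_risk(root, impact, applied | {cm}), cm))
        applied = applied | {best}
        remaining.discard(best)
        plan.append((best, residual_risk(root, impact, applied)))
    return plan


# Constructed sample tree: every name, probability and reduction factor is illustrative, not measured data.
CUSTOMER_RECORDS_TREE = AttackNode("Customer records exposed", gate="OR", children=[
    AttackNode("Account takeover leads to bulk export", gate="AND", children=[
        AttackNode("Attacker obtains a valid user session", gate="OR", children=[
            AttackNode("Credentials phished", probability=0.4,
                       countermeasures={"phishing_resistant_mfa": 0.9}),
            AttackNode("Credential stuffing succeeds", probability=0.3,
                       countermeasures={"phishing_resistant_mfa": 0.9,
                                        "breached_password_screening": 0.5}),
        ]),
        AttackNode("Export endpoint has no rate limit", probability=0.8,
                   countermeasures={"export_rate_limit": 0.7}),
    ]),
    AttackNode("Storage bucket left publicly readable", probability=0.1,
               countermeasures={"bucket_policy_audit": 0.9}),
])
BUSINESS_IMPACT = 9.0   # Stage 1 input: constructed impact score (1-10 scale) for loss of customer records


if __name__ == "__main__":
    print(f"inherent likelihood: {likelihood(CUSTOMER_RECORDS_TREE):.4f}")
    print(f"inherent risk:       {residual_risk(CUSTOMER_RECORDS_TREE, BUSINESS_IMPACT):.4f}")
    for name, risk in prioritize(CUSTOMER_RECORDS_TREE, BUSINESS_IMPACT, target_risk=0.5):
        print(f"apply {name:30s} -> residual risk {risk:.4f}")
```

Running the module prints the inherent likelihood (0.5176 for the constructed tree) and then the countermeasures in the order the greedy pass selects them, with the residual risk after each; the point for a PM is that the ranking comes out of the business impact and the test-derived probabilities rather than from opinion, and that the plan stops at the agreed target rather than at "apply everything".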
Tony UcedaVélez is the CEO of VerSprite and co-author of Process for Attack Simulation and Threat Analysis. VerSprite is an Atlanta-based security services firm assisting global multinational corporations in various areas of cybersecurity, secure software development, threat modeling, application security, security governance, and security risk management. Tony has worked in and led teams in the areas of application security, penetration testing, security architecture, and technical risk management for various organizations in utilities, banking, government, retail, healthcare, and information services. He has spoken at conferences across 13 countries and 4 continents on the subject matter.
Wednesday, May 26, 2021, 6:00 PM - 7:15 PM
You will receive an email from the PMI Atlanta Chapter with the webinar link 24 hours before the event start time.
Due to coronavirus concerns, we will be hosting this event as a webinar. Because of this change, the member rate is now $8 and the non-member rate is $10.
PMI Atlanta Member: $8.00.
Meeting content, presenter, and location are subject to change. Refunds will not be made for changes in meeting content, presenters, or locations.
Earn 1 PDU
Talent Triangle Category: Technical Management
PDUs can be claimed here.
For detailed instructions, please visit the CCRS User Guide.