#### **Introduction**

You’re part of the growing security team at a company for sneaker enthusiasts and collectors. The business is preparing to launch a mobile app that makes it easy for their customers to buy and sell shoes. 

You are performing a threat model of the application using the PASTA framework. You will go through each of the seven stages of the framework to identify security requirements for the new sneaker company app.

The application should seamlessly connect sellers and shoppers. It should be easy for users to sign up, log in, and manage their accounts. Data privacy is a big concern for us. We want users to feel confident that we’re being responsible with their information.

Buyers should be able to directly message sellers with questions. They should also have the ability to rate sellers to encourage good service. Sales should be clear and quick to process. Users should have several payment options for a smooth checkout process. Proper payment handling is really important because we want to avoid legal issues.







**Stages of the PASTA Framework**

**I. Define Business and Security Objectives**

(The main goal of Stage I of the PASTA framework is to understand why the application was developed and what it is expected to do. Stage I typically requires gathering input from many individuals at a business.)

1. Seamless user experience for signing up, logging in, and managing accounts.
2. Secure and quick transaction processing with multiple payment options.
3. Protect user data to ensure privacy and compliance with legal requirements.


**II. Define the Technical Scope**

1. API (Application Programming Interface):
APIs facilitate communication between the app's different components and third-party services. 
For example:
APIs enable buyers to search for sneakers by interacting with the app's database.
APIs allow sellers to upload information about sneakers, which is processed and stored in the backend.
APIs also manage payment processing by connecting the app to external payment gateways.
Without proper security measures, APIs can become vulnerable to attacks like unauthorized access, data interception, or injection.


2. PKI (Public Key Infrastructure - AES and RSA):
PKI provides a framework for encrypting data during transmission. The sneaker app uses:

A. AES (Advanced Encryption Standard): A symmetric encryption algorithm to protect sensitive data at rest, such as stored payment details.
B. RSA (Rivest-Shamir-Adleman): An asymmetric encryption algorithm for secure key exchange between the user's device and the app's servers.
This ensures that even if data is intercepted during transmission, it remains unreadable without the decryption key.

3. SHA-256 (Secure Hash Algorithm 256-bit):
SHA-256 is used to create a fixed-length hash of sensitive information, such as passwords and payment details.
Hashing ensures that sensitive data is not stored in plain text. Even if the database is compromised, the original information cannot be easily reconstructed.
SHA-256 is particularly secure due to its resistance to collision attacks (two different inputs producing the same hash).

4. SQL (Structured Query Language):
SQL is used for storing and managing data in the sneaker app. Examples include:
Storing user account information, sneaker listings, and transaction histories.
Retrieving data, such as showing search results for a buyer looking for sneakers.
Handling updates, like modifying a seller's product description or buyer's review.
Improper SQL handling can lead to vulnerabilities such as SQL injection, which allows attackers to execute arbitrary database queries.

Prioritized Technology:
APIs should be evaluated first because they are the primary interface between users, services, and the app. APIs are often targeted for:
A. Injection attacks.
B. Exposure of sensitive data through improperly secured endpoints.
C. Misconfigurations leading to unauthorized access.

Securing APIs with input validation, authentication mechanisms (e.g., OAuth 2.0), and rate limiting mitigates these risks effectively.


**III. Decompose Application**
Data Flow Analysis:
1. User logs into the app (input credentials -> API call -> database query).
2. Buyer searches for sneakers (API query -> SQL database -> display results).
3. Transactions (API handles payment details -> PKI encrypts sensitive data -> SQL stores the record).


**IV. Threat Analysis**
Potential Threats:
1. External Threat: SQL injection targeting the database to manipulate or steal data.
2. Internal Threat: Improperly configured APIs exposing sensitive endpoints.

**V. Vulnerability Analysis**
Potential Vulnerabilities:
1. Codebase Issues: API endpoints lacking proper authentication and input validation.
2. Database Weakness: Lack of encryption for sensitive data stored in the SQL database.


**VI. Attack Modeling**
Attack Tree Considerations:
1. Entry point: Unsecured API endpoint -> payload injection -> unauthorized data retrieval.
2. Process: Intercepted communication -> exploit weak encryption in PKI -> steal sensitive user data.


**VII. Risk Analysis and Impact**
Security Controls:
1. API Security: Implement OAuth 2.0 and enforce input validation for all endpoints.
2. Encryption Standards: Ensure AES encryption for data at rest and RSA for secure key exchange.
3. Database Security: Apply prepared statements and parameterized queries to prevent SQL injection.
4. Access Control: Use role-based access control (RBAC) and regular audits of permissions.
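
Control 3 above, applied to the buyer search flow from Stage III (API query -> SQL database -> display results). This is an added example, not code from the sneaker app: the `listings` table, its columns and the sample rows are constructed for the illustration, and it shows the concatenated query next to the parameterized one so the difference in behavior is visible.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample listings."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE listings (id INTEGER PRIMARY KEY, name TEXT, seller TEXT, is_public INTEGER)"
    )
    conn.executemany(
        "INSERT INTO listings (name, seller, is_public) VALUES (?, ?, ?)",
        [
            ("Retro Runner 85", "alice", 1),
            ("Court Classic", "bob", 1),
            ("Unreleased Sample", "carol", 0),  # draft listing, must stay hidden
        ],
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list[str]:
    """BEFORE: user input is concatenated into the SQL text and can change the query."""
    sql = f"SELECT name FROM listings WHERE is_public = 1 AND name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn: sqlite3.Connection, term: str) -> list[str]:
    """AFTER: the SQL text is fixed; input is bound as a value and never parsed as SQL."""
    sql = "SELECT name FROM listings WHERE is_public = 1 AND name LIKE ? ESCAPE '\\'"
    # Escape LIKE wildcards so '%' and '_' typed by the user match literally.
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return [row[0] for row in conn.execute(sql, (f"%{escaped}%",))]


if __name__ == "__main__":
    conn = make_db()
    hostile = "' OR 1=1 --"  # constructed input that rewrites the WHERE clause
    for term in ("court", hostile):
        print(repr(term))
        print("  concatenated: ", search_vulnerable(conn, term))
        print("  parameterized:", search_parameterized(conn, term))
```

With the concatenated query the constructed input returns the hidden draft listing; with the bound parameter the same input is just a search string that matches nothing.
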
