pasta-risk
PASTA Stage 7: Risk & Impact Analysis
Produce business-weighted risk scores by combining Stage 6 exploitability with
Stage 1 business impact. Deliver a prioritized remediation roadmap balancing risk
reduction against effort. This is the final PASTA stage.
Supported Flags
Read `../../shared/schemas/flags.md` for the full flag specification. Key behaviors:

| Flag | Stage 7 Behavior |
|---|---|
| | Inherits from prior stages. Synthesizes all prior outputs. |
| | Top 5 risk-ranked findings with one-line mitigations only. |
| | Full risk scoring, mitigation roadmap, and compliance mapping. |
| | Standard + residual risk assessment, systemic issues, cost-benefit per mitigation. |
| | Deep + executive summary, quantified risk, formal compliance gap report. |
| | Filter final output to findings at or above the threshold. |
| | Standalone markdown report for stakeholder distribution. |
| | Chain into fix mode for highest-priority findings. |
Framework Context
Read `../../shared/frameworks/pasta.md`, Stage 7 section. PASTA is SEQUENTIAL.
Stage 7 consumes all prior stage outputs to produce the final deliverable.
Prerequisites
Required: Stage 6 output -- attack scenarios, DREAD scores, detection gaps.
Also needs: business assets and compliance (Stage 1), entry points (Stage 2),
components (Stage 3), threats (Stage 4), vulnerabilities (Stage 5). If
unavailable, warn and assume.
Workflow
Step 1: Calculate Business-Weighted Risk
Risk Score = Exploitability (DREAD, 1-10) x Business Impact (1-10).
| Impact Level | Score | Criteria |
|---|---|---|
| Critical | 9-10 | Regulatory breach, massive financial loss, existential threat |
| High | 7-8 | Significant data breach, major outage, legal liability |
| Medium | 4-6 | Limited exposure, partial degradation, reputational harm |
| Low | 1-3 | Minor disclosure, negligible business effect |
Step 2: Rank Findings
Order by composite risk score (descending). Break ties by: compliance implications,
attack complexity (simpler ranks higher), detection coverage (undetectable ranks higher).
Step 3: Propose Mitigations
| Effort | Definition | Timeline |
|---|---|---|
| Quick win | Single file change, config update, dependency bump | Same day |
| Short-term | Targeted code changes, new middleware or control | 1-2 sprints |
| Long-term | Architectural change, new service, framework migration | Quarterly |
Prioritize by risk-reduction-per-effort. Identify mitigations resolving multiple findings.
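A worked example of Steps 1 to 3 in Python, added here and not part of the pasta-risk tool itself: it scores a handful of constructed findings, ranks them with the tie-breakers above, and orders mitigations by risk reduction per effort. The `Finding` fields, the effort weights (1/3/9) and the sample findings are assumptions made for the example.

```python
from dataclasses import dataclass
# Relative cost of the three effort tiers from the Step 3 table; the weights
# 1/3/9 are an assumption used only to compare risk reduction per effort.
EFFORT_COST = {"quick win": 1, "short-term": 3, "long-term": 9}

@dataclass
class Finding:
    id: str
    title: str
    dread: float        # Stage 6 exploitability, 1-10
    impact: int         # Stage 1 business impact, 1-10
    compliance: bool    # violates a Stage 1 regulatory control
    complexity: int     # attack complexity, 1 (trivial) .. 10 (hard)
    detected: bool      # covered by existing detection (False = Stage 6 gap)
    effort: str         # "quick win" | "short-term" | "long-term"
    mitigation: str     # proposed control; a shared name means one fix covers several

    def risk(self) -> float:
        """Step 1: Risk Score = Exploitability (DREAD) x Business Impact."""
        return round(self.dread * self.impact, 1)

def rank(findings):
    """Step 2: descending risk score; ties broken by compliance implications,
    then simpler attack (lower complexity), then undetectable findings first."""
    return sorted(findings, key=lambda f: (-f.risk(), not f.compliance, f.complexity, f.detected))

def prioritize(findings):
    """Step 3: order mitigations by risk reduction per unit of effort, assuming a
    fix removes the finding's full risk score; equal ratios fall back to raw risk."""
    return sorted(findings, key=lambda f: (f.risk() / EFFORT_COST[f.effort], f.risk()), reverse=True)

def shared_mitigations(findings):
    """Step 3: mitigations that resolve more than one finding (systemic fixes)."""
    groups = {}
    for f in findings:
        groups.setdefault(f.mitigation, []).append(f.id)
    return {m: ids for m, ids in groups.items() if len(ids) > 1}
# Constructed sample findings for illustration, not from any real assessment
SAMPLE = [
    Finding("PASTA-001", "SQL injection in search", 9.0, 9, True, 2, False, "quick win", "parameterized queries"),
    Finding("PASTA-002", "Stack traces returned on API errors", 7.0, 6, False, 3, True, "quick win", "central error handler"),
    Finding("PASTA-003", "PII written to application logs", 6.0, 7, True, 4, False, "short-term", "log redaction"),
    Finding("PASTA-004", "Legacy admin login without MFA", 5.0, 8, False, 5, True, "long-term", "SSO with MFA"),
    Finding("PASTA-005", "Debug endpoint exposes internal hostnames", 3.0, 4, False, 3, True, "quick win", "central error handler"),
]

if __name__ == "__main__":
    print("ranked:", [f.id for f in rank(SAMPLE)])
    print("roadmap:", [f.id for f in prioritize(SAMPLE)], "shared:", shared_mitigations(SAMPLE))
```

In the sample, PASTA-003 outranks PASTA-002 in the risk ranking (equal score of 42, but a compliance implication), while the roadmap puts PASTA-002 first because it is a quick win; the shared "central error handler" mitigation closes two findings at once.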
Step 4: Map to Compliance
Cross-reference with Stage 1 compliance requirements: which findings violate
regulatory controls, which would be flagged in audit, mandated timelines,
documentation needed.
Step 5: Assess Residual Risk
After proposed mitigations: what risk remains, what needs formal acceptance,
what compensating controls exist, what monitoring is needed.
Step 6: Executive Summary
Non-technical summary: overall posture, top 3 immediate actions, phased effort
estimate, compliance status and regulatory exposure.
Analysis Checklist
- Which findings, if exploited, would cause the greatest business harm?
- Which mitigations give the highest risk reduction for lowest effort?
- Are there findings violating regulatory requirements needing immediate remediation?
- What residual risk remains after all proposed mitigations?
- Are there systemic issues that, if fixed, resolve multiple findings?
- What is the total estimated effort for all recommended mitigations?
- Should any findings be formally accepted rather than fixed?
- What ongoing monitoring is needed after remediation?
Output Format
Stage 7 produces the Final PASTA Report. ID prefix: PASTA (e.g., `PASTA-001`).
PASTA Stage 7: Risk & Impact Analysis
Executive Summary
Risk Posture: [Critical / High / Moderate / Low]
[2-3 sentence summary]
Immediate Actions: [N] | Total Findings: [N] (X critical, Y high, Z medium)
Effort: [quick wins: N, short-term: N, long-term: N]
Risk-Ranked Findings
| Rank | ID | Finding | Risk Score | Exploitability | Business Impact | Effort |
|---|---|---|---|---|---|---|
| 1 | PASTA-001 | SQL injection in search | 81 | 9.0 | 9 (breach) | Quick win |
Remediation Roadmap
Quick Wins (Immediate)
| Finding | Mitigation | Risk Reduction | Effort |
|---|---|---|---|
Short-Term (1-2 Sprints)
| Finding | Mitigation | Risk Reduction | Effort |
|---|---|---|---|
Long-Term (Quarterly)
| Finding | Mitigation | Risk Reduction | Effort |
|---|---|---|---|
Compliance Gaps
| Regulation | Requirement | Finding | Status | Deadline |
|---|---|---|---|---|
Residual Risk
| Risk | After Mitigation | Compensating Controls | Accepted |
|---|---|---|---|
Findings follow `../../shared/schemas/findings.md` with:
- `dread`: DREAD scoring from Stage 6
- `references.cwe`: from Stage 5, `references.owasp`: OWASP mapping, `references.mitre_attck`: from Stage 4
- `metadata.tool`: `"pasta-risk"`, `metadata.framework`: `"pasta"`, `metadata.category`: `"Stage-7"`
Completion
This is the final PASTA stage. The output is the complete threat model deliverable:
actionable, prioritized, and tied to business value. Track remediation progress
and schedule periodic reassessment as the application evolves.