1. PTA Documentation
1.1 Risk Assessment and Threat Analysis Methodology
1.2 Case Studies: Threat Modeling and Calculative Risk Assessment
1.3 PTA Risk Assessment Tools
1.4 PTA Risk Analysis Sample Reports
2. PTA Sample Threat Models and Freeware Libraries
2.1 Sample Threat Risk Assessment Projects
2.2 Freeware PTA Security Libraries
2.3 PTA Professional Forum
2.4 Useful Security Risk Assessment Resources
* PTA Methodology in a Nutshell gives a short description of the Practical Threat Analysis scope within the Threat Risk Assessment process.
* Practical Threat Analysis for Securing Systems is an in-depth description of the PTA methodology and risk assessment steps. It includes theory definitions and analysis guidelines (also available in DOC).
* Risk Reduction Methodology for Legacy Software presents practical ideas on using PTA in threat risk assessment of enterprise legacy software systems (with the courtesy of Software Associates).
* Risk Assessment of a Call Accounting Enterprise System describes the threat modeling and calculative risk assessment process of a real-life enterprise call accounting solution.
* Microsoft Passport Case Study gives the threat model of Microsoft Passport single sign-on protocol based on the excellent paper "Risks of the Passport Single Signon Protocol" by David P. Kormann and Aviel D. Rubin.
* PTA Risk Assessment Tool is a short leaflet of the PTA Professional Edition software tool.
* PTA Professional Edition Presentation presents the main practical threat analysis steps combined with screenshots of the PTA risk assessment tool.
* PTA Professional Edition is a detailed list of the PTA risk assessment tool features.
* Threat Modeling with PTA explains how PTA supports the threat risk assessment and threat modeling processes.
* PTA Reports describes some of PTA outcomes and reports.
* PTA for the Enterprise is a detailed list of the server-based risk management enterprise solution features.
* PTA Libraries is a list of security checklists available as part of the PTA for the Enterprise offering.
* PTA Technology for Consultants, Manufacturers and Security Solutions Providers gives a short description of the technology building blocks available for integration with security products and services.
* PTA Reports Samples gives the outcomes of a threat analysis process of a sample computerized system for publishing the daily currency exchange rates.
* PTA System Monitor is a screenshot of the main system security monitor of the currency exchange sample.
The sample risk assessment projects and freeware libraries are packed in WinZip archives which contain the relevant threat models and additional documents. After downloading an archive, please extract the files to a dedicated folder of your choice, then invoke PTA and open the relevant thm or thl file using the File / Open PTA Project dialog.
Note: to view the threat model or library you must have the PTA Risk Assessment Tool installed on your computer.
* Call Accounting Case Study is a real-life practical threat analysis and risk assessment project (thm file) of a Web-based call accounting solution.
* Passport Case Study is the threat model project (thm file) of the MS Passport security protocol.
* Currency Rates is a threat analysis project (thm file) of a small fictitious sample system.
* Import Text are sample text files for demonstrating the import of threat model entities from comma delimited text files by using the Import Entities from Text to Library tool. Use the Import Templates as blank text files for creating your own import data files.
* Currency Rates with TMSes is a threat analysis project (thm file) which demonstrates how to define several sub mitigation plans for a given threat where each sub mitigation plan has its own set of countermeasures and its own mitigation level.
* MS Telecom Entity Library is a sample PTA library (thl file) that contains basic assets, vulnerabilities, threats and countermeasures relevant to telecom/billing/call accounting Web-based solutions on the Microsoft platform.
* ISO 27001 Library (last revision: September 2007) provides an efficient security checklist for performing ISO 27001:2005 risk assessment audits. The zipped package contains the ISO27001.3_Library (thl file), a PTA library that can be used as a source of entities to build a threat model from scratch, and the ISO27001.3_Base_Model (thm file), a sample threat model which demonstrates the use of the PTA ISO27001 library. Also included is an Excel version of the ISO27001 standard's original checklist.
* PCI DSS 1.1_Library (last revision: December 2007) is not just another compliance checklist: it is a great way for any merchant to perform a self risk-assessment procedure, protect customer payment card data and improve their business availability. The zip contains a baseline threat model, a PTA library and all the relevant PCI standard documentation organized as PTA attached documents. The PCI_DSS_1.1_Base_Model (thm file) is intended for use in self-assessments by PCI risk assessors. The PCI_DSS_1.1_Library (thl file) can be used by PTA professionals to integrate PCI DSS entities into their existing threat models and create an integrated risk assessment of the entire enterprise.
* toolsmith Web_App_Library (last revision: November 2008, with the courtesy of Russ McRee - HolisticInfoSec) is a full-fledged security checklist for performing risk assessment and creating threat models for Web applications. The library is based on the MSDN Security Development Center: Threat Modeling of Web Applications patterns & practices and includes common security vulnerabilities, entry points and attacker types. Use this library to review your application design and systematically reveal the threats and vulnerabilities specific to your application architecture. The zip contains the following: the Web_App_Threat_Model_Library_1.0 (thl file), which serves as a baseline PTA library for Web application risk assessment; the Web_App_Threat_Model_sample (thm file), which demonstrates the use of the library when building a threat model of a simple Web application; and the toolsmith_ISSA_Journal_September2008 (pdf file) with Russ McRee's review of the PTA methodology and Risk Assessment tool as published in the toolsmith monthly column of the ISSA Journal. The article presents Russ's considerations for mapping the MSDN Cheat Sheet: Web Application Security Frame items into a comprehensive and useful PTA security library, which is then used for conducting a PTA threat analysis of a simple Web application. Thanks Russ.
* IP_Protection (last revision: March 2009, with the courtesy of Danny Lieberman - Software Associates) deals with the abuse of a company's intellectual property and statutory information, which involves theft and/or unauthorized disclosure. Like any other crime, in order to steal or disclose assets, a person needs a combination of means, opportunity, and intent. The IP_Protection (thm file) practical threat model analyzes the various aspects of the crime and finds the best mitigation plan for the threatened system. The packed zip also contains the preventing-intellectual-property-abuse article (pdf file), which elaborates on the appropriate countermeasures and mitigation considerations. Thanks Danny for your great contribution.
* The PTA Professional Forum contains several articles which demonstrate how Information Security professionals use the PTA methodology, libraries and threat models in real life risk assessment missions. Read More > on how to:
* You are invited to visit the PTA Risk Assessment and Information Security Resources page which contains links to interesting blogs and lists on Information Security as well as additional software security documents.