
Practical Threat Analysis Documents & Samples

PTA Documentation

Methodology

PTA Methodology in a Nutshell gives a short description of the Practical Threat Analysis process.
Practical Threat Analysis for Securing Systems is an in-depth description of the PTA methodology, theory definitions and analysis steps (also available in DOC).
Risk Reduction Methodology for Legacy Software presents practical ideas for using PTA to mitigate defects in enterprise legacy software systems (courtesy of Software Associates).

Case Studies: Threat Modeling and Calculative Risk Assessment

Risk Assessment of a Call Accounting Enterprise System describes the threat modeling and calculative risk assessment process of a real-life case study of an enterprise call accounting solution.
Microsoft Passport Case Study gives the threat model of the Microsoft Passport single sign-on protocol, based on the excellent paper "Risks of the Passport Single Signon Protocol" by David P. Kormann and Aviel D. Rubin.

PTA Software Technology and Tools

PTA Technology for Consultants, Manufacturers and Security Solutions Providers gives a short description of the technology building blocks available for integration with security products and services.
PTA Software Tool is a short leaflet of the PTA Professional Edition tool.
PTA Professional Edition Presentation presents the main practical threat analysis steps combined with screenshots of the PTA desktop tool.
PTA Professional Edition is a detailed list of the PTA desktop tool features.
Threat Modeling with PTA explains how PTA supports the Practical Threat Analysis process.
PTA Reports describes some of the PTA outcomes and reports.
PTA for the Enterprise is a detailed list of the server-based enterprise solution features.
PTA Libraries is a list of security checklists available as part of the PTA OEM private labeling offering.

PTA Reports

PTA Reports Samples gives the outcomes of a threat analysis of a sample computerized system for publishing the daily currency exchange rates.
PTA System Monitor is a screenshot of the main system security monitor of the currency exchange sample.

PTA Sample Projects and Freeware Libraries

The sample projects and free repository libraries are packed in WinZip archives that contain the relevant threat models and additional documents. After downloading an archive, extract the files to a dedicated folder of your choice, then start PTA* and open the relevant thm or thl file using the File / Open PTA Project dialog.

* Note: to view the threat model or library, you must have the PTA Software Tool installed on your computer.

Sample Projects

Call Accounting Case Study is a threat analysis project (tml file) of a Web based call accounting solution.
Passport Case Study is the threat model project (tml file) of MS Passport security protocol.
Currency Rates is the threat analysis project (tml file) of a small sample system.

Import Text are sample text files for demonstrating the import of threat model entities from comma delimited text files by using the Import Entities from Text to Library tool. Use the Import Templates as blank text files for creating your own import data files.

Freeware Libraries

MS Telecom Entity Library is a sample PTA library (thl file) that contains basic assets, vulnerabilities, threats and countermeasures relevant to telecom/billing/call accounting Web-based solutions on the Microsoft platform.

PTA ISO 27001 library (revised: September 2007) provides an efficient tool for performing ISO 27001 2005 risk assessment audits. The zipped package contains the ISO27001.3_Library (thl file), a PTA library that can be used as a source of entities to build a threat model from scratch, and the ISO27001.3_Base_Model (thm file), a sample threat model that demonstrates the use of the PTA ISO27001 library. Also included is an Excel version of the ISO27001 standard's original checklist.

PTA for PCI DSS 1.1 (revised: September 2007) is not just another compliance checklist - it is a great way for any merchant to protect customer payment card data and their business availability. Extract the zip file into a dedicated folder - it contains a baseline threat model, a PTA library and all the relevant PCI standard documentation organized as PTA attached documents. The PCI_DSS_1.1_Base_Model (thm file) is intended for use in self-assessments by PCI risk assessors. The PCI_DSS_1.1_Library (thl file) can be used by PTA professionals in order to integrate PCI DSS entities into their existing threat models and create an integrated risk model for the entire enterprise.

The PTA Professional Forum contains several articles which demonstrate how Information Security professionals use PTA libraries and threat models in real life cases.

