PTA Technologies - Practical Threat Analysis, Threat Modeling and Risk Assessment for Software Systems

<body bgcolor="white"> <h1 align="left"><font face="Verdana" size="1"> <a target="_top" href="http://www.ptatechnologies.com/">Home Page</a></font></h1> <h1 align="center"><font face="Verdana" size="1">Practical Threat Analysis Documents & Samples</font></h1> <h3 align="center"><font size="1" face="Verdana">PTA Documentation</font></h3> <h3 align="left"><font face="Verdana" size="1">Methodology</font></h3> <p><font face="Verdana" size="1"> <a target="_blank" href="Documents/PTA_InANutshell.pdf">PTA Methodology in a Nutshell</a> gives a short description of the Practical Threat Analysis process.<br> <a target="_blank" href="Documents/PTA_for_Software.pdf">Practical Threat Analysis for Securing Systems</a> is an in-depth description of the PTA methodology, theory definitions and analysis steps (also available in <a target="_blank" href="Documents/PTA_for_Software.doc">DOC</a>).<br> <a target="_blank" href="Documents/EnterpriseSoftware_RiskReduction.pdf">Risk Reduction Methodology for Legacy Software</a> presents practical ideas on using PTA in mitigating defects in enterprise legacy software systems (with the courtesy of <a target="_blank" href="http://www.software.co.il">Software Associates</a>).  </font></p> <h3 align="left"><font face="Verdana" size="1">Case Studies: Threat Modeling and Calculative Risk Assessment</font></h3> <p><font face="Verdana" size="1"> <a target="_blank" href="Documents/CallAccountingCaseStudy.pdf">Risk Assessment of a Call Accounting Enterprise System</a> describes the threat modeling and calculative risk assessment process of real-life case study of an enterprise call accounting solution.<br> <a target="_blank" href="Documents/PassportCaseStudyIntro.pdf">Microsoft Passport Case Study</a> gives the threat model of Microsoft Passport single sign-on protocol based on the excellent paper "Risks of the Passport Single Signon Protocol" by David P. Kormann and Aviel D. Rubin.</font></p> <h3 align="left"><font face="Verdana" size="1">PTA Software Technology and Tools</font></h3> <p><font face="Verdana" size="1"> <a target="_blank" href="Documents/PTAforOEM.pdf">PTA Technology for Consultants, Manufacturers and Security Solutions Providers</a> gives a short description of the technology building blocks available for integration with security products and services.<br> <a target="_blank" href="Documents/PTA-leaflet.pdf">PTA Software Tool</a> is a short leaflet of the PTA Professional Edition tool.<br> <a target="_blank" href="Documents/PTAPresentation.pdf">PTA Professional Edition Presentation</a> presents the main practical threat analysis steps combined with screenshots of the PTA desktop tool.<br><a target="_blank" href="Documents/PTAPro.pdf">PTA Professional Edition</a> is a detailed list of the PTA desktop tool features.<br> <a target="_blank" href="Documents/PTA_Calculative_Tool.pdf">Threat Modeling with PTA</a> explains how PTA supports the Practical Threat Analysis process.<br> <a target="_blank" href="Documents/PTAReports.pdf">PTA Reports</a> describes some of PTA outcomes and reports.<br> <a target="_blank" href="Documents/PTAEnterprise.pdf">PTA for the Enterprise</a> is a detailed list of the server-based enterprise solution features.<br> <a target="_blank" href="Documents/PTALibraries.pdf">PTA Libraries</a> a list of security checklists available as part of PTA OEM private labeling offering.<br>  </font></p> <h3 align="left"><font face="Verdana" size="1">PTA Reports</font></h3> <p><font face="Verdana" size="1"> <a target="_blank" href="Documents/PTACurrencySample.pdf">PTA Reports Samples</a> gives a the outcomes of a threat analysis of a sample computerized system for publishing the daily currency exchange rates.<br> <a target="_blank" href="Documents/PTA-monitor.pdf">PTA System Monitor</a> is a screen shot of the main system security monitor of the currency exchange sample.</font></p> <h3 align="left"> </h3> <h3 align="center"><font size="1" face="Verdana">PTA Sample Projects and Freeware Libraries</font></h3> <p align="center"> </p> <p><font face="Verdana" size="1">The sample projects and repository free libraries are packed in WinZip archives which contain the relevant threat models and additional documents. After downloading an archive, please extract the files to a dedicated folder according to your convenience and than invoke PTA* and open the relevant thm or thl file using the File / Open PTA Project dialog.<br> <b><br> *</b>Note: to view the threat model or library you should have <a target="main" href="NewsFrameset.htm?page=DownloadFrameset.htm">PTA Software Tool Installed</a> on your computer.</font></p> <h3 align="left"><font face="Verdana" size="1">Sample Projects</font></h3> <p><font face="Verdana" size="1"> <a target="_blank" href="Documents/CallAccountingCaseStudy.zip">Call Accounting Case Study</a> is a threat analysis project (tml file) of a Web based call accounting solution.<br> <a target="_blank" href="Documents/PassportCaseStudy.zip">Passport Case Study</a> is the threat model project (tml file) of MS Passport security protocol.<br> <a target="_blank" href="Documents/CurrencyRates.zip">Currency Rates</a> is a the threat analysis project (tml file) of a small sample system.</font></p> <p><font face="Verdana" size="1"> <a target="_blank" href="Documents/ImportText.zip">Import Text</a> are sample text files for demonstrating the import of threat model entities from comma delimited text files by using the Import Entities from Text to Library tool. Use the <a target="_blank" href="Documents/ImportTemplates.zip">Import Templates</a> as blank text files for creating your own import data files.</font></p> <h3 align="left"><font face="Verdana" size="1">Freeware Libraries</font></h3> <p><font face="Verdana" size="1"> <a target="_blank" href="Documents/MSTelecomLibrary.zip">MS Telecom Entity Library</a> is a sample PTA library (thl file) that contains basic assets, vulnerabilities, threats and countermeasures relevant to telecom/billing/call accounting Web based solutions in Microsoft platform.</font></p> <p><font face="Verdana" size="1"> <a target="_blank" href="Documents/PTA_ISO27001_Library.zip">PTA ISO 27001 library</a> (revised: September 2007) provides an efficient tool for performing ISO 27001 2005 risk assessment audits. The zipped package contains the <b> ISO27001.3_Library </b>(thl file) - a PTA library that can be used as a source of entities to build a threat model from scratch and the <b>ISO27001.3_Base_Model </b>(thm file) sample threat model which demonstrates the use of the PTA ISO27001 library. Also included an Excel version of the ISO27001 standard's original checklist. </font></p> <p><font face="Verdana" size="1"> <a target="_blank" href="Documents/PCI_DSS_1_1.zip">PTA for PCI DSS 1.1</a> (revised: September 2007) is not just another compliance checklist - it is a great way for any merchant to protect customer payment card data and their business availability. Extract the zip file into a dedicated folder - it contains a baseline threat model, a PTA library and all the relevant PCI standard documentation organized as PTA attached documents. The <b>PCI_DSS_1.1_Base_Model </b>(thm file) is intended for use in self-assessments by PCI risk assessors. The <b>PCI_DSS_1.1_Library </b>(thl file) can be used by PTA professionals in order to integrate PCI DSS entities into their existing threat models and create an integrated risk model for the entire enterprise.</font></p> <p align="left"><font face="Verdana" size="1">The <a target="content" href="CommentsFrameset.htm">PTA Professional Forum</a> contains several articles which demonstrate how Information Security professionals use PTA libraries and threat models in real life cases. <a target="content" href="CommentsFrameset.htm">Read More ></a> on how to:</font></p> <ul> <li><font face="Verdana" size="1">Use the PTA for PCI DSS 1.1 package for performing PCI compliance self assessments</font></li> <li><font face="Verdana" size="1">Utilize the PTA ISO 27001 library for building ISO 27001 base line threat models</font></li> <li><font face="Verdana" size="1">Mitigate organization internal threats with PTA recommendations</font></li> <li><font face="Verdana" size="1">Develop a risk reduction methodology for handling legacy software</font></li> <li><font face="Verdana" size="1">Map PTA along with the chronology of the penetration testing process</font></li> <li><font face="Verdana" size="1">Integrate penetration testing output with PTA</font></li> </ul> <p align="center"><font face="Verdana" size="1"> <br> ***</font></p> <p align="center"><font face="Verdana" size="1"> <br> <a target="content" href="PTA.htm"><b> Threat Analysis Methodology in-depth</b></a>  -   <b> <a target="content" href="CommentsFrameset.htm">Articles from PTA Professional Forum </a> </b><br> <a target="_top" href="http://www.ptatechnologies.com/">Home Page</a></font></p> </body>