Latest Update: Version 1.54 Build 1205 - June 16, 2008.
Build 1205 - Download Latest Cumulative Update - June 16, 2008
If PTA is already installed on your computer, we strongly recommend that you keep it up-to-date by downloading a free cumulative update with the latest improvements and bug fixes (3.9MB size; less than 1 minute download time).
Build 1205 introduces the Model Completeness report. The new self-diagnosis report is intended to help in assessing the completeness and robustness of the current PTA threat model. For each of the model's entity types (Threats, Assets, Vulnerabilities and Countermeasures) it displays a table with a checklist of conditions which the entity should fulfill in order to be part of a 'well behaved' threat model.
Thanks to Adi and Pryn for their creative ideas and their great help in the development of the new report. Read more on how to self diagnose your threat model with the new Model Completeness report.
Build 1205 is fully compatible with all existing PTA threat models and libraries versions.
If this is your first time with PTA, you are invited to visit our download area and get a full version of the PTA Professional Edition tool. The trial period enables you to use the software for 30 days.
Download Full Version of PTA Professional Edition Tool
Build 1204 - Fix more Vista issues
Build 1204 contains important GUI bug fixes and solutions to several Vista compatibility issues. As of this built the support for screen resolution of 800 * 600 was omitted in order to enable better organization of threat model entities information in the data entry windows. PTA is best viewed in 1280 * 1024 screen resolution with large font size (120 DPI). Also supported 1280 * 1024 screen resolution with normal font size (96 DPI) and 1024 * 768 screen resolution with normal font size (96 DPI).
In addition, build 1204 contains several usability improvements in the Threat Builder tool - thanks to Laura Wood from Meet Tech for her kind contribution on this issue. Many thanks to Martin for his remarks regarding inaccuracies in the PTA Help documentation (fixed :-) as well as to Pryn and Boris for their help in debug and testing of the PTA Reports system.
Build 1203 - Updated Code Signing Certificate
Build 1203 contains an updated code signing certificate (issued by VeriSign, Inc) that replaces the older certificate which has been expired on 19 December 2007. Users who encountered difficulties in running PTA after this date are urged to download and install the latest cumulative update.
Build 1202 - Compatibility with Windows Vista Ultimate 32 and 64 bit versions
As of build 1202, PTA can run on Windows Vista Ultimate 32 and 64 bit versions. On the Vista 64 bit, PTA is automatically installed under the Program Files (x86) folder.
The updated version contains usability enhancements which tend to improve the 'select from lists' GUI activities by restoring the latest selected entity position in each list. We hope it will increase productivity when building large threat models via the data entry screens. Thanks to Serne Daniele from the University of Wisconsin and to David Benge for raising the issue.
In addition, build 1202 contains important fixes for bugs such as crash of the Status Screen graph displays and the freeze of the Optimized Risk Reduction Plan report configuration screen under Vista - thanks to Steve Lang from NoHow for his published tip on these issues.
Many thanks to Jan Wellergard from Teliasonera and and K. Greenberg from Terminal Desk for their efforts and dedication in debugging installation problems and for their contribution to the PTA Support knowledge base.
Build 1201 - Bug fix in Threat List and Threat Details screens
Build 1201 contains an important bug fix in the Threat List and Threat Details screens which caused, in some scenarios, loss of threat model information when not explicitly saved by user prior to exiting PTA - our thanks to Steve Gilmore from Frontier for his accurate report on this issue.
In addition, build 1201 contains numerous GUI fixes and usability enhancements. Many thanks to Richi, Bruce, Francesco and Axel as well as to hundreds of the PTA Free Program community members who keep sending us their important comments which help us constantly improve PTA. Special thanks to Juan and Sahin for their great help in following up with bug reports and testing.
Build 1200 - Bug fix in ROSI Report
Build 1200 contains a major bug fix in the Mitigation Plans by ROSI report which caused the report to crash when the number of countermeasures in mitigation set exceeded 32 - thanks to Paul Drennon from the Virginia Department of General Services for his note on this issue and for his great help in debuging. The latest fix also corrects a rounding problem which caused inaccuracies in ROSI calculations on large threat models.
Build 1200 also provides substantial performance improvements which reduce the execution time of the Optimized Risk Reduction Plan report on large threat models - thanks to Mark Weiger and NJ Raval for their intensive help on this matter.
In addition, build 1200 contains GUI fixes and usability enhancements which improve paging of large entity lists and navigating between the application's screens. Many thanks to Steve, Mohan, Jason, Jeff, Yan, Govin and Evzen for your contribution and notes.
Build 1199 - Bug fix in import Entities from Text to Library
Build 1199 contains a bug fix and changes in the Import Entities from Text to Library tool - thanks to Eli Moran from Control Policy Group for his instructive remarks.
Build 1199 also provides several GUI fixes and improvements gathered from users by our support team. Thank you Jacob, Claude and Tajeshwar for your notes.
Build 1198 - Bug fix in the report viewer
Build 1198 contains a bug fix in the report viewer which caused a sluggish response time when navigating large scale reports with a few hundred pages. Thanks to Adam Williams of Jayson Group for his note on this issue. Some of the report graphics were improved in order to enhance readability and paging.
Build 1198 also provides revised threat model samples with updated documentation and additional entities. Thanks to Dalya and Yair for their contribution.
Build 1197 - Updated code signing certificate
An updated code signing certificate (issued by VeriSign, Inc) that replaces the older certificate which has expired and was revoked on 16 November 2006. Users who encountered difficulties in running PTA after this date are urged to download and install the latest cumulative update.
Build 1197 also provides a revised Help file with updated documentation and additional FAQ content. Thanks to Greg Duval of the Queensland Dept of Health for drawing our attention to this issue.
Build 1196 - Introduce a new Detailed Countermeasures report
A new Detailed Countermeasures report is introduced. The report presents a list of detailed countermeasures records sorted by the order of their theoretical cost-effectiveness. In addition, the structure of the Documents repository which may contain additional information relevant to the threat analysis entities was enhanced. Up to 999 documents of various types can now be attached to a single entity at any step of the threat analysis process. Many thanks to Alex, Gregory and Ed as well as to all of our devoted users for their continuous contribution to the polishing and improvement of PTA.
Build 1196 also introduces several important UI fixes and usability improvements such as sorting of entity lists according to column fields, improved scrolling and an implementation of an automatic 'behind the scene' backup mechanism of the threat model database.
Important NOTE: the Microsoft STRIDE classification scheme (Spoofing, Tampering, Repudiation, Denial of service and Elevation of privilege) was REMOVED from PTA. These threats' descriptive attributes were found by most of our users to be unpractical for their risk assessment sessions and were not smoothly interlaced with PTA's quantitative approach. Thanks to Naftaly Geffen of KPMG for his instructive remark on this issue.Build 1195 - Introduce the Import Entities from Text to Library tool
A new Import Entities from Text to Library tool for importing data of threat model entities from comma delimited text files. The import text feature enables partial automating of the threat analysis process. Analysts can now combine the output lists of standard pentest tools (such as scanners) with the PTA calculative model. Many thanks to skillz from SecGuru for his excellent description of the penetration testing routines and for his creative comments which have initiated the development of this tool. Read more on mapping PTA along with the penetration testing workflow.
Build 1194 - Display Project File Name in the Application Caption
As of build 1194, the file name of the threat model project is displayed in the caption of the application window instead of the project's name. The full path of the project database file (a thm or a thl file) is displayed in the 'Project Properties' window. Thanks to Omri, Roberto and Jeffrey for their notes - we hope the change will facilitate the management of multiple threat model projects.
Build 1194 also contains some important bug fixes - thanks to Patricia Pollet from Alcatel for sending us detailed bug lists and to Keith Maxon from Ameriquest Mortgage for his help in debugging an annoying installation problem - thank you all for your cooperation and good will.
Build 1193 - Support Annual Rate of Occurrence (ARO)
Threat Probabilities are now presented and entered in a form that is compatible with the classical Annual Rate of Occurrence (ARO) described by Mick Bauer in his excellent article: "Practical Threat Analysis and Risk Management" - again, many thanks to Owen Crow from BMC Software for his remarks on this issue. The update is backwards compatible and will not conflict with your existing threat model projects.
Build 1192 - Fix a Rounding Bug in Calculating VAR
Important bug fix that solves a problem of inaccurate rounding in the calculation of the 'Value At Risk' of threats. The erroneous outcome stands out especially in cases where the difference between assets values is relatively big - many thanks to Owen Crow from BMC Software for pointing this problem to us.
Build 1191 - UI bug fixes
Important UI bug fixes such as screen flickering when browsing through threat model entities and problems in reports viewer resizing. Thanks to Asaff Harel for his help in debugging these issues.
Build 1190 - Add ROSI Support
The new Mitigation Plans by ROSI (Return On Security Investment) report produces a list of mitigation plans sorted by their ROSI value. The ROSI (Return On Security Investment) value for a mitigation plan is a popular quantitative criterion for comparing security solutions. It is defined by the following formula:
(∑Value at Risk * (Mitigation Level/100)) – Mitigation Cost
ROSI = ---------------------------------------------------------------- * 100
Mitigation Cost
∑ - summation over all threats mitigated by the specific mitigation plan
Value at Risk (AKA Risk Exposure or ALE - Annual Loss Expectancy) is the threat’s damage multiplied by the threat's probability which expresses the number of times the threat will materialize per year (ARO).
Mitigation Level is the estimated level (in percents) of mitigation that the threat’s mitigation plan provides.
Mitigation Cost is the cost per year of implementing all countermeasures in the threat’s mitigation plan.
To determine the return on security investment (ROSI) we simply subtract the annual cost of the security mitigation solution from what we expect to lose in a year and present the result in percents. Negative ROSI values imply that the investment in the countermeasures is not well justified from a financial point of view. The processing may take several minutes for threat models with large number of entities.Many thanks to Doug Staubach from Matrix Bancorp for his feedback on this issue.
Build 1189 - System Risk value can exceed system’s Total Assets Value
Fixed a bug in the PTA calculative engine. The value of the System Risk, calculated by summing the risk to each of the system’s assets, is now presented in percents relative to the overall value of all assets. Note that the value can exceed 100%. It is clear that the actual damage to the system’s assets cannot exceed 100%; however, the risk level does not express the actual damage. It reflects the amount of effort that has to be invested in order to mitigate the threats to the system, and since neither the number of threats nor their severity is limited, the risk quantities are no longer limited to 100%.
For the user’s convenience, a marker line indicating the 100% risk level was added to the system risk status history graph.
Build 1188 - No need to define a specific Mitigation Level of each of the countermeasures in a Threat Mitigation Plan
The definition of a threat mitigation plan was slightly changed. It is now defined as “a subset of the recommended countermeasures associated with a threat, which in order to be efficient, has to be implemented as a whole.” A threat mitigation plan is said to be implemented only if all of its countermeasures are implemented.
The change is intended to facilitate the process of defining threat mitigation plans. The user has only to mark a specific countermeasure as included (or not included) in the plan set and is liberated from the burden of deciding upon the specific relative mitigation level of each of the countermeasures as was required in previous builds.
Note that the analyst is still asked to enter the threat’s mitigation level which is the level of the overall mitigation provided by the threat’s mitigation plan to the risk posed by that threat.
Build 1187 - Improved Optimized Risk Reduction Plan report
A new ‘greedy’ algorithm provides improved processing time of the Optimized Risk Reduction Plan report for medium/large threat models. The report produces a recommended sequence of mitigation steps that will reduce the system’s risk to a given target level in the most cost-effective way.
Note that ALL countermeasures in a given step should be implemented in order to achieve the step’s contribution to risk reduction. The contribution of each step in the plan to risk reduction is accurate only if all steps preceding it are implemented. Therefore, in order to achieve the target risk level, all countermeasures in the outcome sequence should be implemented. In case of partial implementation, the optimization should be run again in order to create an updated sequence that reflects the current system status.
Build 1186 - Exclude Threat Model entities from Risk Calculation with one click.
A new Exclude from Calculation feature is applicable for the main threat model entities: assets, vulnerabilities, threats and countermeasures. The analyst can now exclude any entity from the threat model and the risk calculation by just checking the ‘Temporarily Excluded’ checkbox in the details screen of the entity.
The information of excluded entity is kept in the database but is not taken into account in PTA calculations and in the presentation of the threat model entities interrelations. The excluded entity can be easily reactivated by un-checking the ‘Temporarily Excluded’ checkbox. The analyst can take advantage of this feature in simulating what-if scenarios such as ‘Let’s see the impact of the following countermeasures on the risk level of the analyzed system’ etc..
Build 1185 - Revised Help and Documentation
The build provides an improved Help file with links to the updated on-line Documentation section in PTA Technologies web site. Thanks Naama for your dedication in polishing the texts.
Build 1184 - GUI Improvements in Entity Details screens
GUI changes are introduced in main entity details screens (Assets, Vulnerabilities , Threats and Countermeasures) to improve usability and enhance data-entry. Thank you Kami and Russ for the useful comments and recommendations - cheers.
Build 1183 - Omit Support for WIN 98/WIN ME
Support for WIN 98/WIN ME was omitted in order to reduce the PTA installation package size (now smaller in 30%) and decrease download time. PTA is now compatible only with Windows XP + SP2 or higher, Windows 2000 + SP4 + latest rollout updates and Windows Server 2003 + SP1 or higher.
PTA is now best viewed in 1024 * 768 screen resolution with normal font size. Also supported 1280 * 1024 with large fonts and 800 * 600 with normal font size.
Build 1182 - Enhanced reusable Expertise Security Libraries
As of version 1.41 we added support to managing additional types of Security Expertise Library entities such as Attacker Types, Entry Points, Tags and Attached Documents that were found very productive in enhancing the basic PTA quantitative threat model, whose fundamental entities are Assets, Vulnerabilities, Threats and Countermeasures.
Build 1181 - Change in PTA Database Schema
A major change was introduced to the internal data base scheme in order to enhance performance and calculations. The change is backwards compatible and will not conflict with your existing threat model projects.
Build 1180 - Improved Reports Viewer
The Reports Viewer was enhanced to support Zoom In and Zoom Out of the content of the displayed report.
In addition, a notorious bug which prohibited sending a report as an email attachment via non-English versions of Office Outlook was fixed. Thank you Dimitrios for your help in hitting this problem.
Build 1179 - Revised Countermeasures Cost-Effectiveness report
The revised report produces a list of countermeasures sorted by their theoretical cost-effectiveness, based on the assumption that all countermeasures will be implemented. Since this assumption is, in most cases, not practical, it is recommended to complement the results of this report with the “Optimized Risk Reduction Plan” report.
For each countermeasure, the report displays calculative parameters such as cost-effectiveness, implementation cost and the overall mitigation level of the specific countermeasure. It also displays a list of the vulnerabilities mitigated by each countermeasure.
Build 1178 - Revised System's Status screen
The System's Status screen now provides direct links for viewing the current threat model entities lists. For viewing the various lists just click the entities titles on the upper left side of the monitor.
The updated number of records for each entity is displayed on the right side of each title and will be automatically updated when you add or remove an entity.
Build 1178 also contains important bug fixes - thanks to Lau Kam Hing Keith from ASTRI for his feedback.
Build 1177 - a new Top Threats by Current Risk report
The new Top Threats by Current Risk report produces a chart of top risk threats, sorted by the order of their current risk level. The threats' names and their risk values in $ are displayed above the chart.
Many thanks to Francis, Adam and Bruno as well as to the many PTA users that share with us their requests and insights regarding the future features of PTA.
Build 1176 - Extended support in export of reports data
Build 1176 contains extended support in export of reports data. In addition to the existing support in export to all types of Text Files (txt, csv, tab, asc) and RTF format, PTA reports data can now also be exported to Microsoft Excel 5-7 / 97-2007 (XLS), HTML Documents (HTM, HTML) and Snapshot Files (SNP) formats.
Use the ‘Export Report’ button in the report viewer tool bar to select the format and name of the destination export file.Build 1175 - Portable Security Expertise Libraries
The new Load Entities from Library tool enables loading threat model entities data from PTA entity libraries into the currently opened PTA project. The PTA Security Expertise Libraries enable domain experts to package and distribute their business process knowledge and threat models. The load entities mechanism enables a risk analysis solution to be easily tailored to specific business requirements by the customer himself or by a customer working with a consultant.
The open architecture of PTA enables you to easily build your own Security Expertise Libraries – all you have to do is enter the desired security entities into a PTA threat model and then save it as a library (a thl file). PTA automatically organizes the various entities in standalone lists that can be easily integrated into new or existing analysis projects using the new ‘Load from Library’ tool. You have full control on the nature and the contents of the libraries - they can contain entities that reflect your specific best practices and knowledge as well as partial or full editions of industry standards.
In order to load the entities simply select the source entity library (usually a thl file) which contains the entities you wish to load to the current project. The library's entities are displayed in lists of Assets,
Vulnerabilities, Countermeasures and Threats.Build 1174 - Introduce the Threat Builder tool
The new Threat Builder tool enables quick composing of threat scenarios and establishing interrelations between threats and their associated assets, vulnerabilities and countermeasures (see Building Threats for detailed explanation on threat composition).
In addition, a new case study of a threat analysis for an enterprise call accounting solution was added to the distribution of PTA. The threat analysis project (tml file) of a Web based call accounting solution can also be downloaded from here: Call Accounting Case Study. Many thanks to Yuval and Danny Lieberman for their great contribution and continuous support.
Build 1173 - Introduce the Optimized Risk Reduction analysis report
The Optimized Risk Reduction Plan report produces a recommended sequence of mitigation steps that will reduce the system's risk to a given target level in the most cost-effective way. Each step in the plan is comprised of countermeasures that should be implemented in order to achieve the step's contribution to risk reduction. Notes:
1. The optimization mechanism starts from the current status of countermeasures implementation - countermeasures marked as 'already implemented' will not be assigned to the proposed risk reduction plan. The processing may take several minutes for systems with large number of entities.
2. If the implementation cost of a countermeasure is not specified, the default cost value is determined as 1$.
3. The target risk level should be between the system's maximal risk and the system's minimal risk levels.
4. All countermeasures in a given step should be implemented in order to achieve the step's contribution to risk reduction.
5. The contribution of each step in the plan to risk reduction is accurate only if all steps preceding it are implemented. Therefore, in order to achieve the target risk level, all countermeasures in the outcome sequence should be implemented. In case of partial implementation, the optimization should be run again in order to create an updated sequence that reflects the current system status.
Build 1172 - Introduce the Tags and Attached Documents entities
The new Tags and Attached Documents entities add descriptive fields and additional information to the threat model. Note: the new entities are not mandatory for the PTA threat model.
Tags are free-text descriptive attributes associated with the threat model entities (assets, threats, vulnerabilities and countermeasures). Tags help the analyst classify the various model entities and improve their comprehensibility.
The documents repository contains additional unstructured information relevant to the threat analysis entities and process. For example: security notes, standards specifications, development ideas, design schemes etc. Documents can be attached to specific model entities at any step of the threat analysis process.
Many thanks to Yuval Hamuz-Cohen from TovTV for his great help in debug and for his inspiring notes regarding GUI issues.
Build 1171 - Add 'Help on Current Screen' option
Important GUI bugs were fixed. In addition, the new Help on Current Screen option provides a context sensitive help window with help topics relevant to the currently opened screen (click the question mark button at the PTA toolbar file).
Thanks to Vadim Agranovich from Yugbank for sending us his comments and to Rocky Heckman from RockyH for his kind encouragement.
Build 1170 - Initial version PTA Professional Edition
Build 1170 is the initial release of PTA Professional Edition version 1.00 which implements the Risk Calculator quantitative engine of the PTA (Practical Threat Analysis) technology. The application also implements the PTA threat model database, associates threats and vulnerabilities with business assets and evaluates system risks in monetary terms. PTA Professional Edition is a desktop application that can be downloaded and installed in less than 5 minutes.
Free Program for Students, Researchers and Independent Security Consultants
PTA is free of charge for students, researchers, software developers and independent security consultants. You may submit your request to participate in our free program by sending us an email with the following registration details:
1) First and Last Name:
2) Address:
3) Phone:
4) Email:
5) Organization / College / University:
6) Job Title / Position / Academic Level:
7) The area of your profession:
As soon as we process your registration details we shall send you an unlock key that enables you to extend the usage period of PTA. Read More>
***