PTA Technologies - Practical Threat Analysis, Threat Modeling and Risk Assessment for Software Systems

<body bgcolor="white"> <h1 align="left"><font face="Verdana" size="1"> <a target="_top" href="http://www.ptatechnologies.com/">Home Page</a></font></h1> <blockquote> <h1 align="center"><font face="Verdana" size="1">PTA Professional Edition Updates</font></h1> <p align="center"><font face="Verdana" size="1"><b>Latest Update</b>: Version 1.54 Build 1205 - <b>June 16, 2008</b>.</font></p> <blockquote> <p> </p> <h3 align="left"> <font face="Verdana" size="1"> <a href="http://www.software.co.il/ptadownload/pta1205u.exe">Build 1205 - Download Latest Cumulative Update - June 16, 2008</a></font></h3> <p><font face="Verdana" size="1"><b>If PTA is already installed on your computer</b>, we strongly recommend that you keep it up-to-date by <a href="http://www.software.co.il/ptadownload/pta1205u.exe">downloading a free cumulative update</a> with the latest improvements and bug fixes (3.9MB size; less than 1 minute download time). </font></p> <p><font face="Verdana" size="1">Build 1205 introduces the <b>Model Completeness</b> report. The new self-diagnosis report is intended to help in assessing the completeness and robustness of the current PTA threat model. For each of the model's entity types (Threats, Assets, Vulnerabilities and Countermeasures) it displays a table with a checklist of conditions which the entity should fulfill in order to be part of a 'well behaved' threat model. Thanks to Adi, <i>Pryn</i> for their creative ideas and their great help in the development of the ne report. Read more on how to <a target="content" href="CommentsFrameset.htm">self diagnose your threat model with the new Model Completeness report.</a><br>  </font></p> <p><font face="Verdana" size="1">Build 1205 is fully compatible with all existing PTA threat models and libraries versions.</font></p> <p><font face="Verdana" size="1"><b>If this is your first time with PTA</b>, you are invited to visit our <a target="main" href="NewsFrameset.htm?page=DownloadFrameset.htm">download area</a> and get a full version of the PTA Professional Edition tool. The trial period enables you to use the software for 30 days.</font></p> </blockquote> <blockquote> <p></p> <h3 align="left"><font face="Verdana" size="1"><a target="content" href="DownloadFrameset.htm">Download Full Version of PTA Professional Edition Tool</a></font></h3> <p align="left"> </p> <p></p> </blockquote> <h1 align="center"><font face="Verdana" size="1">PTA Version Updates History</font></h1> <p align="center"> </p> <blockquote> <h3><font face="Verdana" size="1">Build 1204 - Fix more Vista issues</font></h3> <p><font face="Verdana" size="1">Build 1204 contains important GUI bug fixes and solutions to several Vista compatibility issues. As of this built the <b> support for screen resolution of 800 * 600 was omitted </b>in order to enable better organization of threat model entities information in the data entry windows. PTA is best viewed in 1280 * 1024 screen resolution with large font size (120 DPI). Also supported 1280 * 1024 screen resolution with normal font size (96 DPI) and 1024 * 768 screen resolution with normal font size (96 DPI).</font></p> <p><font face="Verdana" size="1">In addition, build 1204 contains several usability improvements in the <b>Threat Builder</b> tool - thanks to <i> Laura Wood</i> from Meet Tech for her kind contribution on this issue. Many thanks to <i>Martin </i>for his remarks regarding inaccuracies in the <b>PTA Help</b> documentation (fixed :-) as well as to <i>Pryn</i> and <i> Boris</i> for their help in debug and testing of the <b>PTA Reports</b> system.</font></p> <h3><font face="Verdana" size="1">Build 1203 - Updated Code Signing Certificate</font></h3> <p><font face="Verdana" size="1">Build 1203 contains an updated <b>code signing certificate</b> (issued by VeriSign, Inc) that replaces the older certificate which has been <b>expired</b> on 19 December 2007. Users who encountered difficulties in running PTA after this date are <b>urged</b> to download and install the latest cumulative update. </font></p> <h3><font face="Verdana" size="1">Build 1202 - Compatibility with Windows Vista Ultimate 32 and 64 bit versions</font></h3> <p><font face="Verdana" size="1">As of build 1202, PTA can run on <b>Windows Vista Ultimate </b>32 and 64 bit versions. On the Vista 64 bit, PTA is automatically installed under the Program Files (x86) folder. </font></p> <p><font face="Verdana" size="1">The updated version contains usability enhancements which tend to improve the 'select from lists' GUI activities by restoring the latest selected entity position in each list. We hope it will increase productivity when building large threat models via the data entry screens. Thanks to <i>Serne Daniele</i> from the University of Wisconsin and to <i>David Benge</i> for raising the issue.   </font></p> <p><font face="Verdana" size="1">In addition, build 1202 contains important fixes for bugs such as crash of the <b>Status Screen</b> graph displays and the freeze of the <b>Optimized Risk Reduction Plan</b> report configuration screen under Vista - thanks to <i>Steve Lang</i> from NoHow for his published tip on these issues. </font></p> <p><font face="Verdana" size="1">Many thanks to <i>Jan Wellergard</i> from Teliasonera<i> and </i>and <i>K. Greenberg </i>from<i> </i>Terminal Desk for their efforts and dedication in debugging installation problems and for their contribution to the <a target="content" href="SupportFrameset.htm">PTA Support </a>knowledge base.</font></p> <h3><font face="Verdana" size="1">Build 1201 - Bug fix in Threat List and Threat Details screens</font></h3> <p><font face="Verdana" size="1">Build 1201 contains an important bug fix in the <b>Threat List </b>and<b> Threat Details </b>screens which caused, in some scenarios, loss of threat model information when not explicitly saved by user prior to exiting PTA - our thanks to <i>Steve Gilmore</i> from Frontier for his accurate report on this issue.   </font></p> <p><font face="Verdana" size="1">In addition, build 1201 contains numerous GUI fixes and usability enhancements. Many thanks to <i>Richi, Bruce, Francesco </i>and<i> Axel </i>as well as to hundreds of the PTA Free Program community members who keep sending us their important comments which help us constantly improve PTA. Special thanks to <i>Juan</i> and <i> Sahin</i> for their great help in following up with bug reports and testing.</font></p> <h3><font face="Verdana" size="1">Build 1200 - Bug fix in ROSI Report</font></h3> <p><font face="Verdana" size="1">Build 1200 contains a major bug fix in the <b>Mitigation Plans by ROSI</b> report which caused the report to crash when the number of countermeasures in mitigation set exceeded 32 - thanks to <i> Paul Drennon</i> from the Virginia Department of General Services for his note on this issue and for his great help in debuging. The latest fix also corrects a rounding problem which caused inaccuracies in ROSI calculations on large threat models.   </font></p> <p><font face="Verdana" size="1">Build 1200 also provides substantial performance improvements which reduce the execution time of the <b>Optimized Risk Reduction Plan </b>report on large threat models - thanks to <i>Mark Weiger</i> and <i>NJ Raval</i> for their intensive help on this matter. </font></p> <p><font face="Verdana" size="1">In addition, build 1200 contains GUI fixes and usability enhancements which improve paging of large entity lists and navigating between the application's screens. Many thanks to <i>Steve, Mohan, Jason, Jeff, Yan, Govin  </i>and <i>Evzen </i>for your contribution and notes.</font></p> <h3><font face="Verdana" size="1">Build 1199 - Bug fix in import Entities from Text to Library</font></h3> <p><font face="Verdana" size="1">Build 1199 contains a bug fix and changes in the <b> Import Entities from Text to Library</b> tool - thanks to <i>Eli Moran</i> from <a target="_blank" href="http://www.controlpolicy.com/automatingiso27001implementations">Control Policy Group</a></span>  for his instructive remarks. </font></p> <p><font face="Verdana" size="1">Build 1199 also provides several GUI fixes and improvements gathered from users by our support team. Thank you <i> Jacob</i>, <i>Claude</i> and <i>Tajeshwar </i>for your notes.</font></p> <h3><font face="Verdana" size="1">Build 1198 - Bug fix in the report viewer</font></h3> <p><font face="Verdana" size="1">Build 1198 contains a bug fix in the <b> report viewer</b> which caused a sluggish response time when navigating large scale reports with a few hundred pages. Thanks to <i>Adam Williams </i> of Jayson Group<i> </i>for his note on this issue. Some of the report graphics were improved in order to enhance readability and paging.  </font></p> <p><font face="Verdana" size="1">Build 1198 also provides revised threat model samples with updated documentation and additional entities.  Thanks to <i>Dalya </i>and <i>Yair</i> for their contribution.</font></p> <h3><font face="Verdana" size="1">Build 1197 - Updated code signing certificate  </font></h3> <p><font face="Verdana" size="1">An updated <b>code signing certificate</b> (issued by VeriSign, Inc) that replaces the older certificate which has expired and was revoked on 16 November 2006. Users who encountered difficulties in running PTA after this date are <b>urged</b> to download and install the latest cumulative update. </font></p> <p><font face="Verdana" size="1">Build 1197 also provides a revised <b>Help </b>file with updated documentation and additional FAQ content.  Thanks to <i>Greg Duval</i> of the Queensland Dept of Health for drawing our attention to this issue.</font></p> <h3><font face="Verdana" size="1">Build 1196 - Introduce a new Detailed Countermeasures report  </font></h3> <p><font face="Verdana" size="1">A new <b>Detailed Countermeasures</b> report is introduced. The report presents a list of detailed countermeasures records sorted by the order of their theoretical cost-effectiveness. In addition, the structure of the <b> Documents</b> repository which may contain additional information relevant to the threat analysis entities was enhanced. Up to 999 documents of various types can now be attached to a single entity at any step of the threat analysis process. Many thanks to <i>Alex</i>, <i>Gregory</i> and <i>Ed</i> as well as to all of our devoted users for their continuous contribution to the polishing and improvement of PTA. </font></p> <p><font face="Verdana" size="1">Build 1196 also introduces several important UI fixes and usability improvements such as sorting of entity lists according to column fields, improved scrolling and an implementation of an automatic 'behind the scene' backup mechanism of the threat model database. <br> <br> Important NOTE: the Microsoft STRIDE classification scheme (Spoofing, Tampering, Repudiation, Denial of service and Elevation of privilege) was REMOVED from PTA. These threats' descriptive attributes were found by most of our users to be unpractical and were not smoothly interlaced with PTA's quantitative approach. Thanks to <i>Naftaly Geffen</i> of KPMG for his instructive remark on this issue.</font></p> <h3><font face="Verdana" size="1">Build 1195 - Introduce the Import Entities from Text to Library tool  </font></h3> <p><font face="Verdana" size="1">A new <b>Import Entities from Text to Library</b> tool for importing data of threat model entities from comma delimited text files. The import text feature enables partial automating of the threat analysis process. Analysts can now combine the output lists of standard pentest tools (such as scanners) with the PTA calculative model. Many thanks to <i>skillz</i> from <a target="_blank" href="http://www.secguru.com">SecGuru</a> for his excellent description of the penetration testing routines and for his creative comments which have initiated the development of this tool. Read more on <a target="content" href="CommentsFrameset.htm">mapping PTA along with the penetration testing workflow</a>. </font></p> <h3><font face="Verdana" size="1">Build 1194 - Display Project File Name in the Application Caption  </font></h3> <p><font face="Verdana" size="1">As of build 1194, the <b>file name</b> of the threat model project is displayed in the caption of the application window instead of the project's name. The <b>full path of the project database file</b> (a thm or a thl file) is displayed in the 'Project Properties' window. Thanks to <i>Omri</i>, <i>Roberto</i> and <i>Jeffrey</i> for their notes - we hope the change will facilitate the management of multiple threat model projects.</font></p> <p><font face="Verdana" size="1">Build 1194 also contains some important bug fixes - thanks to <i>Patricia Pollet </i>from Alcatel for sending us detailed bug lists and to <i>Keith Maxon</i> from Ameriquest Mortgage for his help in debugging an annoying installation problem - thank you all for your cooperation and good will. </font></p> <h3><font face="Verdana" size="1">Build 1193 - Support Annual Rate of Occurrence (ARO)  </font></h3> <p><font face="Verdana" size="1"><b>Threat Probabilities</b> are now presented and entered in a form that is compatible with the classical <b>Annual Rate of Occurrence</b> (<b>ARO</b>) described by Mick Bauer in his excellent article: "Practical Threat Analysis and Risk Management" - again, many thanks to <i>Owen Crow</i> from BMC Software for his remarks on this issue. The update is backwards compatible and will not conflict with your existing threat model projects.  </font></p> <h3><font face="Verdana" size="1">Build 1192 - Fix a Rounding Bug in Calculating VAR  </font></h3> <p><font face="Verdana" size="1">Important <b> bug fix</b> that solves a problem of inaccurate rounding in the calculation of the '<b>Value At Risk</b>' of threats. The erroneous outcome stands out especially in cases where the difference between assets values is relatively big - many thanks to <i>Owen Crow</i> from BMC Software for pointing this problem to us. </font></p> <h3><font face="Verdana" size="1">Build 1191 - UI bug fixes  </font></h3> <p><font face="Verdana" size="1">Important UI bug fixes such as screen flickering when browsing through threat model entities and problems in reports viewer resizing. Thanks to <i>Asaff Harel </i>for his help in debugging these issues. </font></p> <h3><font face="Verdana" size="1">Build 1190 - Add ROSI Support  </font></h3> <p><font face="Verdana" size="1">The new <b>Mitigation Plans by ROSI</b> (Return On Security Investment) report produces a list of mitigation plans sorted by their ROSI value. The ROSI (Return On Security Investment) value for a mitigation plan is a popular quantitative criterion for comparing security solutions. It is defined by the following formula: <br> <br>             (∑Value at Risk * (Mitigation Level/100)) � Mitigation Cost<br> <b>ROSI</b> = ---------------------------------------------------------------- * 100<br>                                         Mitigation Cost<br> <br> <br> <b>∑</b> - summation over all threats mitigated by the specific mitigation plan<br> <br> <b>Value at Risk</b> (AKA Risk Exposure or ALE - Annual Loss Expectancy) is the threat�s damage multiplied by the threat's probability which expresses the number of times the threat will materialize per year (ARO).<br> <br> <b>Mitigation Level</b> is the estimated level (in percents) of mitigation that the threat�s mitigation plan provides. <br> <br> <b>Mitigation Cost</b> is the cost per year of implementing all countermeasures in the threat�s mitigation plan. <br> <br> To determine the return on security investment (ROSI) we simply subtract the annual cost of the security mitigation solution from what we expect to lose in a year and present the result in percents. Negative ROSI values imply that the investment in the countermeasures is not well justified from a financial point of view. The processing may take several minutes for threat models with large number of entities.</font></p> <p><font face="Verdana" size="1">Many thanks to <i>Doug Staubach </i>from Matrix Bancorp<i> </i>for his feedback on this issue.</font></p> </blockquote> <blockquote> <h3><font face="Verdana" size="1">Build 1189 - System Risk value can exceed system�s Total Assets Value  </font></h3> <p><font face="Verdana" size="1">Fixed a bug in the PTA calculative engine. The value of the <b>System Risk</b>, calculated by summing the risk to each of the system�s assets, is now presented in percents relative to the overall value of all assets. Note that the value can exceed 100%. It is clear that the actual damage to the system�s assets cannot exceed 100%; however, the risk level does not express the actual damage. It reflects the amount of effort that has to be invested in order to mitigate the threats to the system, and since neither the number of threats nor their severity is limited, the risk quantities are no longer limited to 100%.</font></p> <p><font face="Verdana" size="1">For the user�s convenience, a marker line indicating the 100% risk level was added to the system risk status history graph.</font></p> </blockquote> <blockquote> <h3><font face="Verdana" size="1">Build 1188 - No need to define a specific Mitigation Level of each of the countermeasures in a Threat Mitigation Plan  </font></h3> <p><font face="Verdana" size="1">The definition of a threat mitigation plan was slightly changed. It is now defined as �<b>a subset of the recommended countermeasures associated with a threat, which in order to be efficient, has to be implemented as a whole</b>.� A threat mitigation plan is said to be implemented only if all of its countermeasures are implemented. </font></p> <p><font face="Verdana" size="1">The change is intended to facilitate the process of defining threat mitigation plans. The user has only to mark a specific countermeasure as included (or not included) in the plan set and is liberated from the burden of deciding upon the specific relative mitigation level of each of the countermeasures as was required in previous builds. </font></p> <p><font face="Verdana" size="1">Note that the analyst is still asked to enter the threat�s mitigation level which is the level of the overall mitigation provided by the threat�s mitigation plan to the risk posed by that threat.</font></p> <h3><font face="Verdana" size="1">Build 1187 - Improved Optimized Risk Reduction Plan report </font></h3> <p><font face="Verdana" size="1">A new �greedy� algorithm provides improved processing time of the <b>Optimized Risk Reduction Plan</b> report for medium/large threat models. The report produces a recommended sequence of mitigation steps that will reduce the system�s risk to a given target level in the most cost-effective way.</font></p> <p><font face="Verdana" size="1">Note that ALL countermeasures in a given step should be implemented in order to achieve the step�s contribution to risk reduction. The contribution of each step in the plan to risk reduction is accurate only if all steps preceding it are implemented. Therefore, in order to achieve the target risk level, all countermeasures in the outcome sequence should be implemented. In case of partial implementation, the optimization should be run again in order to create an updated sequence that reflects the current system status. </font></p> <h3><font face="Verdana" size="1">Build 1186 - Exclude Threat Model entities from Risk Calculation with one click.  </font></h3> <p><font face="Verdana" size="1">A new <b>Exclude from Calculation</b> feature is applicable for the main threat model entities: assets, vulnerabilities, threats and countermeasures. The analyst can now exclude any entity from the threat model and the risk calculation by just checking the �Temporarily Excluded� checkbox in the details screen of the entity.</font></p> <p><font face="Verdana" size="1">The information of excluded entity is kept in the database but is not taken into account in PTA calculations and in the presentation of the threat model entities interrelations. The excluded entity can be easily reactivated by un-checking the �Temporarily Excluded� checkbox. The analyst can take advantage of this feature in simulating what-if scenarios such as �Let�s see the impact of the following countermeasures on the risk level of the analyzed system� etc.. </font></p> <h3><font face="Verdana" size="1">Build 1185 - Revised Help and Documentation  </font></h3> <p><font face="Verdana" size="1">The build provides an improved <b>Help </b>file with links to the updated on-line <b>Documentation</b> section in PTA Technologies web site. Thanks <i>Naama</i> for your dedication in polishing the texts.   </font></p> <h3><font face="Verdana" size="1">Build 1184 - GUI Improvements in Entity Details screens  </font></h3> <p><font face="Verdana" size="1">GUI changes are introduced in main entity details screens (Assets, Vulnerabilities , Threats and Countermeasures) to improve usability and enhance data-entry. Thank you <i>Kami</i> and <i>Russ</i> for the useful comments and recommendations - cheers.   </font></p> <h3><font face="Verdana" size="1">Build 1183 - Omit Support for WIN 98/WIN ME</font></h3> <p><font face="Verdana" size="1">Support for WIN 98/WIN ME was omitted in order to reduce the PTA installation package size (now smaller in 30%) and decrease download time. PTA is now compatible only with Windows XP + SP2 or higher, Windows 2000 + SP4 + latest rollout updates and Windows Server 2003 + SP1 or higher.<br> <br> PTA is now best viewed in 1024 * 768 screen resolution with normal font size. Also supported 1280 * 1024 with large fonts and 800 * 600 with normal font size.<br>  </font></p> <h3><font face="Verdana" size="1">Build 1182 - Enhanced reusable Expertise Security Libraries   </font></h3> <p><font face="Verdana" size="1">As of version 1.41 we added support to managing <b>additional types of Security Expertise Library entities</b> such as Attacker Types, Entry Points, Tags and Attached Documents that were found very productive in enhancing the basic PTA quantitative threat model, whose fundamental entities are Assets, Vulnerabilities, Threats and Countermeasures.</font></p> <h3><font face="Verdana" size="1">Build 1181 - Change in PTA Database Schema  </font></h3> <p><font face="Verdana" size="1">A major change was introduced to the internal <b>data base scheme</b> in order to enhance performance and calculations. The change is backwards compatible and will not conflict with your existing threat model projects.  </font></p> <h3><font face="Verdana" size="1">Build 1180 - Improved Reports Viewer </font></h3> <p><font face="Verdana" size="1">The Reports Viewer was enhanced to support <b>Zoom In</b> and <b>Zoom Out</b> of the content of the displayed report. </font></p> <p><font face="Verdana" size="1">In addition, a notorious bug which prohibited sending a report as an email attachment via non-English versions of Office Outlook was fixed. Thank you <i>Dimitrios </i>for your help in hitting this problem.</font></p> <h3><font face="Verdana" size="1">Build 1179 - Revised Countermeasures Cost-Effectiveness report</font></h3> <p><font face="Verdana" size="1">The revised report produces a list of countermeasures sorted by their <b>theoretical cost-effectiveness</b>, based on the assumption that all countermeasures will be implemented. Since this assumption is, in most cases, not practical, it is recommended to complement the results of this report with the �<b>Optimized Risk Reduction Plan</b>� report.<br> <br> For each countermeasure, the report displays calculative parameters such as cost-effectiveness, implementation cost and the overall mitigation level of the specific countermeasure. It also displays a list of the vulnerabilities mitigated by each countermeasure.<br>  </font></p> <h3><font face="Verdana" size="1">Build 1178 - Revised System's Status screen  </font></h3> <p><font face="Verdana" size="1">The <b>System's Status</b> screen now provides direct links for viewing the current threat model entities lists. For viewing the various lists just click the entities titles on the upper left side of the monitor. </font></p> <p><font face="Verdana" size="1">The updated number of records for each entity is displayed on the right side of each title and will be automatically updated when you add or remove an entity.  </font></p> <p><font face="Verdana" size="1">Build 1178 also contains important bug fixes - thanks to <i>Lau Kam Hing Keith </i>from ASTRI for his feedback. </font></p> <h3><font face="Verdana" size="1">Build 1177 - a new Top Threats by Current Risk report  </font></h3> <p><font face="Verdana" size="1">The new <b>Top Threats by Current Risk</b> report produces a chart of top risk threats, sorted by the order of their current risk level. The threats' names and their risk values in $  are displayed above the chart. </font></p> <p><font face="Verdana" size="1">Many thanks to <i>Francis, Adam </i>and <i> Bruno a</i>s well as to the many PTA users that share with us their requests and insights regarding the future features of PTA.</font></p> <h3><font face="Verdana" size="1">Build 1176 - Extended support in export of reports data  </font></h3> <p><font face="Verdana" size="1">Build 1176 contains extended support in export of reports data. In addition to the existing support in export to all types of Text Files (txt, csv, tab, asc) and RTF format, PTA reports data can now also be exported to Microsoft Excel 5-7 / 97-2007 (XLS), HTML Documents (HTM, HTML) and Snapshot Files (SNP) formats. <br> <br> Use the �<b>Export Report</b>� button in the report viewer tool bar to select the format and name of the destination export file.</font></p> <h3><font face="Verdana" size="1">Build 1175 - Portable Security Expertise Libraries  </font></h3> <p><font face="Verdana" size="1">The new <b>Load Entities from Library</b> tool enables loading threat model entities data from PTA entity libraries into the currently opened PTA project. The PTA Security Expertise Libraries enable domain experts to package and distribute their business process knowledge and threat models. The load entities mechanism enables a risk analysis solution to be easily tailored to specific business requirements by the customer himself or by a customer working with a consultant. </font></p> <p><font face="Verdana" size="1">The open architecture of PTA enables you to easily build your own <b>Security Expertise Libraries</b> � all you have to do is enter the desired security entities into a PTA threat model and then save it as a library (a thl file). PTA automatically organizes the various entities in standalone lists that can be easily integrated into new or existing analysis projects using the new �Load from Library� tool. You have full control on the nature and the contents of the libraries - they can contain entities that reflect your specific best practices and knowledge as well as partial or full editions of industry standards.</font></p> <p><font face="Verdana" size="1">In order to load the entities simply select the source entity library (usually a thl file) which contains the entities you wish to load to the current project. The library's entities are displayed in lists of Assets,<br> Vulnerabilities, Countermeasures and Threats.</font></p> <h3><font face="Verdana" size="1">Build 1174 - Introduce the Threat Builder tool  </font></h3> <p><font face="Verdana" size="1">The new <b>Threat Builder</b> tool enables quick composing of threat scenarios and establishing interrelations between threats and their associated assets, vulnerabilities and countermeasures (see <a target="content" href="PTA3.htm">Building Threats</a> for detailed explanation on threat composition).</font></p> <p><font face="Verdana" size="1">In addition, a new case study of a threat analysis for an enterprise call accounting solution was added to the distribution of PTA. The threat analysis project (tml file) of a Web based call accounting solution can  also be downloaded from here: <a target="_blank" href="Documents/CallAccountingCaseStudy.zip">Call Accounting Case Study</a>. Many thanks to <i>Yuval</i> and <i>Danny Lieberman</i> for their great contribution and continuous support.<br>  </font></p> <h3><font face="Verdana" size="1">Build 1173 - Introduce the Optimized Risk Reduction analysis report </font></h3> <p><font face="Verdana" size="1">The <b>Optimized Risk Reduction Plan</b> report produces a recommended sequence of mitigation steps that will reduce the system's risk to a given target level in the most cost-effective way. Each step in the plan is comprised of countermeasures that should be implemented in order to achieve the step's contribution to risk reduction. Notes:</font></p> <p><font face="Verdana" size="1">1. The optimization mechanism starts from the current status of countermeasures implementation - countermeasures marked as 'already implemented' will not be assigned to the proposed risk reduction plan. The processing may take several minutes for systems with large number of entities.<br> <br> 2. If the implementation cost of a countermeasure is not specified, the default cost value is determined as 1$.<br> <br> 3. The target risk level should be between the system's maximal risk and the system's minimal risk levels.<br> <br> 4. All countermeasures in a given step should be implemented in order to achieve the step's contribution to risk reduction.<br> <br> 5. The contribution of each step in the plan to risk reduction is accurate only if all steps preceding it are implemented. Therefore, in order to achieve the target risk level, all countermeasures in the outcome sequence should be implemented. In case of partial implementation, the optimization should be run again in order to create an updated sequence that reflects the current system status.<br>  </font></p> <h3><font face="Verdana" size="1">Build 1172 - Introduce the Tags and Attached Documents entities  </font></h3> <p><font face="Verdana" size="1">The new <b>Tags</b> and <b>Attached Documents</b> entities add descriptive fields and additional information to the threat model. Note: the new entities are not mandatory for the PTA threat model. </font></p> <p><font face="Verdana" size="1">Tags are free-text descriptive attributes associated with the threat model entities (assets, threats, vulnerabilities and countermeasures). Tags help the analyst classify the various model entities and improve their comprehensibility. </font></p> <p><font face="Verdana" size="1">The documents repository contains additional unstructured information relevant to the threat analysis entities and process. For example: security notes, standards specifications, development ideas, design schemes etc. Documents can be attached to specific model entities at any step of the threat analysis process.</font></p> <p><font face="Verdana" size="1">Many thanks to <i>Yuval Hamuz-Cohen </i> from TovTV for his great help in debug and for his inspiring notes regarding GUI issues.  </font></p> <h3><font face="Verdana" size="1">Build 1171 - Add 'Help on Current Screen' option  </font></h3> <p><font face="Verdana" size="1">Important GUI bugs were fixed. In addition, the new <b>Help on Current Screen</b> option provides a context sensitive help window with help topics relevant to the currently opened screen (click the question mark button at the PTA toolbar file).</font></p> <p><font face="Verdana" size="1">Thanks to <i>Vadim Agranovich </i>from Yugbank for sending us his comments and to <i>Rocky Heckman</i> from <a target="_blank" href="http://rockyh.net/">RockyH</a> for his kind encouragement.</font></p> <h3><font face="Verdana" size="1">Build 1170 - Initial version PTA Professional Edition  </font></h3> <p><font face="Verdana" size="1">Build 1170 is the initial release of PTA Professional Edition version 1.00 which implements the <b>Risk Calculator</b> quantitative engine of the PTA (Practical Threat Analysis) technology. The application also implements the PTA threat model database, associates threats and vulnerabilities with business assets and evaluates system risks in monetary terms. PTA Professional Edition is a desktop application that can be downloaded and installed in less than 5 minutes. </font></p> <h3 align="left"> <font face="Verdana" size="1"> <a href="mailto:sales@ptatechnologies.com?subject=I want to join PTA free program for students and independent security consultants"> Free Program for Students, Researchers and Independent Security Consultants</a></font></h3> <p><font face="Verdana" size="1">PTA is free of charge for students, researchers, software developers and independent security consultants. You may submit your request to participate in our free program by <a href="mailto:sales@ptatechnologies.com?subject=I want to join PTA free program for students and independent security consultants"> sending us an email</a> with the following registration details:<br> <br> 1) First and Last Name:<br> 2) Address:<br> 3) Phone:<br> 4) Email:<br> 5) Organization / College / University:<br> 6) Job Title / Position / Academic Level:<br> 7) The area of your profession:<br> <br> As soon as we process your registration details we shall send you an unlock key that enables you to extend the usage period of PTA. <a target="content" href="FreeProgramFrameset.htm">Read More></a><br>  </font></p> </blockquote> <p align="center"> <font face="Verdana" size="1"> ***</font></p> <p align="center"> </p> </blockquote> <p align="center"><font face="Verdana" size="1"><b> <a target="content" href="DownloadFrameset.htm">Download full version of PTA Software Tool</a></b><br> <a target="_top" href="http://www.ptatechnologies.com/">Home Page</a></font></p> </body>