The PTA plug-in library architecture enables the preparation of security entity checklists that follow information security standards such as ISO 17799 / BS 7799, ISO 27001/27002, NERC/FERC, PCI DSS and many other security compliance standards. Security consultants and experts, as well as security service providers, can build libraries containing the subsets of vulnerabilities, threats, countermeasures and assets that best suit their security management conventions.
Domain-specific libraries contain predefined security entities (assets, vulnerabilities, threats and countermeasures) that are relevant to a specific domain. For example, the MS Telecom Entity Library is a sample PTA library (a thl file) that contains basic assets, vulnerabilities, threats and countermeasures relevant to telecom, billing and call accounting Web-based solutions developed on the Microsoft .Net platform. (The library is available for free download on the Practical Threat Analysis Documents page.)
Entity libraries can be customized and reused across projects. A customized library spares the analyst from re-entering common entities each time an application-specific threat model is built.
Predefined entity libraries specific to different platforms, environments, application types and architectures can easily be prepared, for example libraries for Web applications, Linux/Microsoft, SQL/Oracle, banking, telecom and healthcare.
PTA libraries also enable the preparation of security compliance checklists that follow standards such as ISO 17799 / BS 7799, ISO 27001/27002, PCI DSS 1.1 and others. Analysts and consultants can build the subsets of vulnerabilities, threats, countermeasures and assets that best suit their organization's conventions and audit methodology. A list of the PTA freeware compliance libraries is available on the PTA Documents page.
PTA security entities and threat model libraries are designed to turn compliance knowledge and data into effective mitigation actions. The PTA Professional Forum describes how to convert standard security compliance methodologies into PTA threat models and use them as a dynamic baseline for a risk management process based on quantitative risk analysis.
Security analysts and solution providers can build the subsets of vulnerabilities, threats, countermeasures and assets that best suit their customers and products. Read more on Integrating PTA with Security Products and Services. The following security entity libraries have been assembled and can be provided as part of our PTA Qualified Partner Program initiative:
For up-to-date information on the knowledge, expertise and professional experience of the PTA Qualified Partner members, visit the Practical Threat Analysis Qualified Partners Directory or contact Zeev Solomonik directly.
PTA is intended for professional analysts and security consultants. The plug-in library mechanism gives PTA professionals an open and flexible platform that can be adapted to the specific needs of their clients without our intervention or consent.
Preparing a library is straightforward: enter the desired security entities into a PTA threat model and then save it as a library (a thl file). PTA organizes the entities into a standalone checklist that can be integrated into new or existing analysis projects with the Load from Library tool. You have full control over the nature and content of your libraries; they can contain entities that reflect your own best practices and knowledge as well as partial or full editions of industry standards.
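To make the library concept concrete, here is an added example (not code from the PTA product, and not its thl file format) of the data a reusable entity library carries and of what a "load from library" step has to check when merging it into a project model. The entity kinds are the four named on this page; the field names, the reference rules (a threat points at the vulnerabilities it exploits and the assets it damages, a countermeasure points at the threats it mitigates), the tag labels and the sample telecom entities are all assumptions constructed for the example.

```python
"""Illustrative model of a reusable security entity library and of loading it
into a project threat model. Added example: entity kinds follow the page text;
the structure, field names and sample data are assumptions, not the PTA .thl format."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entity:
    kind: str          # "asset", "vulnerability", "threat" or "countermeasure"
    name: str
    refs: tuple = ()   # (kind, name) pairs this entity points at; see REF_RULES
    tags: tuple = ()   # free-form labels, e.g. a checklist clause the consultant attached


# Assumed convention for which kinds an entity may reference:
# a threat exploits vulnerabilities and damages assets; a countermeasure mitigates threats.
REF_RULES = {
    "asset": set(),
    "vulnerability": set(),
    "threat": {"vulnerability", "asset"},
    "countermeasure": {"threat"},
}


def validate(entities):
    """Return a list of problems; an empty list means the entity set is self-consistent."""
    problems = []
    present = {(e.kind, e.name) for e in entities}
    seen = set()
    for e in entities:
        if e.kind not in REF_RULES:
            problems.append(f"{e.name}: unknown kind {e.kind!r}")
        if (e.kind, e.name) in seen:
            problems.append(f"{e.name}: duplicate {e.kind}")
        seen.add((e.kind, e.name))
        for ref in e.refs:
            if ref[0] not in REF_RULES.get(e.kind, set()):
                problems.append(f"{e.name}: {e.kind} may not reference {ref[0]}")
            elif ref not in present:
                problems.append(f"{e.name}: dangling reference to {ref[0]} {ref[1]!r}")
    return problems


def load_from_library(model, library):
    """Merge library entities into a project model.

    Entities already present in the model (same kind and name) are kept as they
    are, so project-specific edits survive a reload. Returns (merged, added, skipped).
    Raises ValueError if the merged model does not validate, so a library with a
    dangling or mistyped reference is rejected instead of silently corrupting the model.
    """
    existing = {(e.kind, e.name) for e in model}
    added = [e for e in library if (e.kind, e.name) not in existing]
    skipped = [e for e in library if (e.kind, e.name) in existing]
    merged = list(model) + added
    problems = validate(merged)
    if problems:
        raise ValueError("library does not fit the model: " + "; ".join(problems))
    return merged, added, skipped


def checklist(model, tag):
    """Countermeasures carrying a given tag, each with the threats it mitigates:
    the kind of view a compliance checklist built from a library is meant to give."""
    return {
        e.name: [ref[1] for ref in e.refs]
        for e in model
        if e.kind == "countermeasure" and tag in e.tags
    }


# Constructed sample data (not taken from any real PTA library).
TELECOM_LIBRARY = [
    Entity("asset", "Call detail records"),
    Entity("vulnerability", "Billing portal accepts unvalidated input"),
    Entity("threat", "Tampering with billing records",
           refs=(("vulnerability", "Billing portal accepts unvalidated input"),
                 ("asset", "Call detail records"))),
    Entity("countermeasure", "Server-side input validation",
           refs=(("threat", "Tampering with billing records"),),
           tags=("input-handling",)),
]

PROJECT_MODEL = [
    # The project already describes this asset with its own tags; the library copy is skipped.
    Entity("asset", "Call detail records", tags=("pci-scope",)),
]

if __name__ == "__main__":
    merged, added, skipped = load_from_library(PROJECT_MODEL, TELECOM_LIBRARY)
    print(f"added {len(added)} entities, kept {len(skipped)} existing ones")
    print(checklist(merged, "input-handling"))
```

The two checks worth keeping in mind whatever tool holds the library: entities that already exist in the project should win over the library copy, so local edits are not overwritten by a reload, and a library whose threats or countermeasures point at entities that were never included should be rejected before it lands in the model.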
Most Practical Threat Analysis Free Program members, being security veterans, prefer to create their own proprietary checklists that reflect their expertise and serve as a hallmark of competitive advantage with their clients. This is in line with our guiding principle in developing PTA: we want to give consultants a tool that can be tailored to their personal style and preferences, and through which the fruits of their skill, knowledge and ingenuity in analyzing and securing systems are best presented to the client.
We encourage members of the Practical Threat Analysis Free Program to publish the plug-in libraries they create and to present their professional experience to people in the field as well as to potential clients. The goal of the free program initiative is to broaden the base of security knowledge and risk assessment expertise packaged in PTA libraries and to make it available to the wide community of information security professionals and security analysts worldwide.
Professionals and independent researchers who are members of the PTA Free Program and wish to showcase their PTA-based expertise and improve their opportunities for finding jobs and projects are invited to take part in this initiative, make their threat models available to other professionals and share their Practical Threat Analysis experience with the security community. For more information contact Menachem Lidor.
***