The PTA plug-in libraries architecture enables the preparation of security entity checklists that comply with information security standards such as ISO 17799 - BS 7799, ISO 27001/2, NERC/FERC, PCI DSS and many other security compliance standards. Security consultants and experts, as well as security service providers, can build up libraries with relevant subsets of vulnerabilities, threats, countermeasures and assets that best suit their risk assessment and security management conventions.
Domain-specific libraries contain predefined security entities such as assets, vulnerabilities, threats and countermeasures that are relevant to the risk assessment of a specific domain. For example, the MS Telecom Entity Library is a sample PTA library (a thl file) that contains basic assets, vulnerabilities, threats and countermeasures relevant to telecom/billing/call accounting Web-based solutions developed on the Microsoft .Net platform. (The library is available for free download from the Sample PTA Risk Assessment Projects section of the Practical Threat Analysis Documents page.)
Entity libraries can be customized and reused across risk assessment projects, thus saving the burden of re-entering common entities when building application-specific threat models.
Predefined entity libraries, specific to different platforms, environments, application types and architectures, can be easily prepared, for example libraries for Web applications, Linux/Microsoft, SQL/Oracle, banking, telecom and healthcare.
PTA libraries enable the preparation of security compliance checklists that comply with information security standards such as ISO 17799 - BS 7799, ISO 27001/27002, PCI DSS 1.1 and others. Analysts and consultants can build up relevant subsets of vulnerabilities, threats, countermeasures and assets that best suit their organization's risk assessment conventions and audit methodologies. You are invited to visit the PTA Documents page for a list of the PTA freeware compliance libraries.
The concept of PTA security entities and threat model libraries is the best solution for transforming compliance knowledge and data into effective mitigation actions. Visit the PTA Professional Forum and read more on how to convert standard security compliance methodologies into PTA threat models and use them as a dynamic baseline for risk assessment models based on the PTA quantitative risk analysis methodology.
Security analysts and solutions providers can build relevant subsets of vulnerabilities, threats, countermeasures and assets that best suit the risk assessment needs of their customers and products. Read more on Integrating PTA with Security Products and Services. The following security entity libraries are now assembled and can be provided as part of our PTA for the Enterprise offering:
PTA is intended for the use of professional analysts and security consultants. The plug-in libraries mechanism provides PTA professionals with an open and flexible platform that can be easily adapted to the specific needs of their clients' risk assessment missions.
The preparation of a library is straightforward: all you have to do is enter the desired security entities into a PTA threat model and then save it as a library (a thl file). PTA organizes the various entities into standalone checklists that can be easily integrated into new or existing threat analysis projects using the Load from Library tool. You have full control over the nature and content of the libraries, which can contain entities that reflect your specific best practices and knowledge as well as partial or full editions of industry standards.
Professionals and independent researchers who are members of the PTA Qualified Partner Program are willing to share their expertise, assist you in accomplishing your PTA risk assessment projects, and provide you with predefined lists of security entities customized to your specific needs. Being security veterans, they prefer to create their own proprietary checklists that reflect their expertise and serve as hallmarks of competitive advantage with their clients. This is in accordance with our guiding principle in developing PTA: we wish to provide consultants with a risk assessment tool that can be tailored to their personal style and preferences, and with which the fruits of their skill, knowledge and ingenuity in analyzing and securing systems will be best presented to their clients.
Feel free to contact our partners directly or email Marina Radinovsky for more information.
We encourage members of the Practical Threat Analysis Free Program to publish and distribute the plug-in libraries they create and to present their professional experience to people in the field as well as to potential clients. Indeed, the goal of the free program initiative is to enhance the base of security knowledge and risk assessment expertise that is packaged in PTA libraries and to make it available to the wide community of Information Security professionals and security analysts worldwide. For more information contact Menachem Lidor.