Computer Security Resources
* SecurityDocs.com provides updated reports on software security issues as well as hundreds of articles, white papers and research reports for security professionals, covering topics such as firewalls, viruses, intrusion detection and other security topics. Read our latest article on Practical Threat Analysis for the Software Industry.
* Sentinels research program is a Dutch research program on security in ICT, networks and information systems; it aims to make all kinds of computer systems and computer networks more secure. This includes standard systems such as PCs and corporate networks, but also handheld devices and embedded systems as well as wireless and on-chip networks. At present most security solutions are only partial solutions; therefore, Sentinels aims to contribute to a comprehensive framework for secure systems engineering.
* CERIAS (Center for Education and Research in Information Assurance and Security) is one of the world's leading centers for research and education in areas of information security crucial to the protection of critical computing infrastructure. The CERIAS Incident Response Database is a web-based system intended to be used while responding to incidents. It enhances preparedness by providing host, policy, service, and vulnerability management capabilities.
* NoticeBored is an innovative information security awareness service delivering fresh awareness materials every month on topics such as IT change management, security awareness programs, applying critical security patches, information security culture, IT governance, Risk Analysis Methods and Tools and much more.
* Secure Software Engineering is NOT Software Security Engineering - Software projects struggle with significant security defects that originate from the complex interplay of internal and external software developers, software managers, customers, and time and budget pressure. Read how (S²e) facilitates the transfer of security into the software engineering process and helps to combat security-relevant defects.
* ROISI will help the information security practitioner assess the costs required to implement information security in an organization and the returns that are obtained from such an investment. The research is part of an MBA dissertation by Adrian Mizzi and describes the Organizational Information Security Model for Return On Information Security Investment.
* Calculating security ROI is tricky business by Marcia J. Wilson is an excellent article which explains why information security departments can't sell security initiatives based on fear anymore. They have to come up with the same justifications as any other business unit, complete with the dreaded metrics, or hard financial facts.
* Practical Threat Analysis and Risk Management - "Threat analysis won't make you sleep any better at night, but it will help ensure that the right things keep you awake" is a quote from Mick Bauer's excellent article (Linux Journal 2001), which presented pioneering ideas on how to quantify threats and evaluate software risks in a practical manner. In the proposed method, the analyst defines, for each asset and vulnerability pair, the estimated cost of replacing or restoring the damaged asset (its single loss expectancy) and the vulnerability's expected annual rate of occurrence. The annual vulnerability loss expectancy is calculated by multiplying the two factors.
* Attack Trees is an article by Bruce Schneier (1999) describing a formal methodology for analyzing the security of systems and subsystems. Schneier presented his approach to thinking about software security, capturing and reusing expertise, and responding to changes in security. According to Schneier, security should be viewed as a process, and attack trees form the basis for understanding this process.
Blogs and Lists on Information Security
* SecGuru is a lively mailing list where you can discuss hacking, cracking, security, networks, programming and various tools of the trade. This list is all about helping peers with their questions regarding IT issues and getting answers to your own. By helping others and suggesting solutions to them, you will definitely hone your current skills, and by reading what others have suggested you will learn new tricks.
* Resonance by O.S. Balaji on Business Process, Information Security, Quality and Knowledge Management.
* Security Liability Laws are NOT the Answer - read this excellent comment from Gregory Haase on a Bruce Schneier on Security article: "...first of all, it makes the premise that good security is something that comes after the fact. His argument supports the “build it first, put security on later” mentality. This is a very dangerous premise, and I don’t believe any good can come from it. Sadly, it does seem to be prevalent in the industry. As an industry, we need to focus more on security at all points of development. The programmer needs to have it in the back of his head at all times. It takes a lot more time to do something incorrectly and go back and fix it than it does to do it right the first time."
Software Security Documents
* This Information Assurance Technology Analysis Center (IATAC) State-of-the-Art Report (SOAR) of July 2007 describes the current “state-of-the-art” in software security assurance. It provides an overview of the current state of the environment in which defense and national security software must operate, then surveys current and emerging activities and organizations involved in promoting various aspects of software security assurance. The SOAR also describes the variety of techniques and technologies in use in government, industry, and academia for specifying, acquiring, producing, assessing, and deploying software that can, with a justifiable degree of confidence, be said to be secure. Finally, the SOAR presents observations about noteworthy trends in software security assurance as a discipline.
* Security in the Software Lifecycle is the most comprehensive and up-to-date (Draft version 1.2, August 2006) document on how to make application development processes – and the software produced by them – more secure.

"...The main goal of Security in the Software Lifecycle is to arm developers, project managers, and testers with the information they need to start improving the security of the practices and processes they use to produce software. The document describes a number of practices and tools that have been used in the “real world” to create software that contains fewer defects that can be targeted as vulnerabilities. In addition, while it is not always their explicit objective, many of the practices and technologies described in Security in the Software Lifecycle should coincidentally help in the production of software of higher quality and reliability.

Unlike other works published on secure software engineering, secure programming, secure coding, application security, and similar topics, Security in the Software Lifecycle does not set out to recommend a specific approach to the software security problem. Where it does resemble such works is in the more detailed technical information... the scope of the information provided is probably broader than that to be found in other published works with similar content. Also unlike other such works, Security in the Software Lifecycle discusses a number of lifecycle process models, development methodologies, “best” (or “sound”) practices, and supporting tools that have been shown in “real world” software development projects, across government, industry, and academia in the U.S. and abroad, to reduce the number of exploitable software defects that can be targeted as vulnerabilities to compromise the software itself, the data it processes, or the computing and networking resources on which it depends..."

Joe Jarzombek, PMP, Director for Software Assurance, National Cyber Security Division, US Department of Homeland Security

Version 1.1 is available here.