January 2023
Intermediate to advanced
214 pages
3h 43m
Chinese
Content preview from 威胁建模:安全设计中的风险识别和规避
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.
18 | 第
0
章
克服限制而做出的任何决定及其对安全性的影响也适合记录下来。部署也是如
此
—
威胁模型是一个参考第三方组件清单、保持最新版本、强化它们所需的
工作以及配置它们时所做的假设的好地方。网络端口及其协议清单等简单信息
不仅解释了数据在系统中的流动方式,而且还解释了有关主机身份验证、防火
墙配置等部署决策。所有这些类型的信息都非常适合威胁模型,如果你需要响
应合规审计和第三方审计,查找和提供相关详细信息将变得更加容易。
0.2 基本安全性原则
本章的其余部分简要概述了基本的安全性概念和术语,对于开发团队
和安全从业人员而言,熟悉这些概念和术语是至关重要的。如果你想
了解详细内容,请查看本章和本书中提供的参考资料。
熟悉这些原理和术语是在安全领域中进行学习的基础。
0.2.1 基本概念和术语
图 0-2 突出显示了系统安全中的关键概念。理解它们是理解为什么威胁建模对
于安全系统设计至关重要的关键。
数据
产生
价值
缺陷
导致
可利用的
漏洞
利用
威胁
增加
造成
行为者
诱发
风险
系统
具有
暴露
产生
包含
破坏
功能
图 0-2:安全术语的关系
一个系统包含的资产,有其用户依赖的功能,以及系统接收、存储、操作或传输
的数据。系统的功能可能存在瑕疵(即缺陷)。如果这些缺陷是可利用的,容易受
到外部影响,则称为漏洞,利用它们可能会使系统的操作和数据面临暴露的风险。
行为者(系统外部的个人或进程)可能会恶意利用漏洞。一些熟练的攻击者有能
引言 | 19
力改变条件,以创造机会利用漏洞进行攻击。行为者在这种情况下会创建威
胁事件,并通过该事件对系统产生特定的影响 ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access
More than 5,000 organizations count on O’Reilly
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.Julian F.
I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.Addison B.
I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.Amir M.
I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.