January 2023
Intermediate to advanced
214 pages
3h 43m
Chinese
Content preview from 威胁建模:安全设计中的风险识别和规避
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.
44 | 第
1
章
图 1-11:样本元素 A 和 B,元素 A 上带有启动器标记
但是,如果启动器标记放在 B 而不是 A 上,你将对该模型段的潜在威胁得出不同
的结论。这种设计将反映出另一种模式,在这种模式中,可能位于防火墙后面的
日志记录器客户端需要出站与微服务通信,而不是相反的方式(参见图 1-12 )。
图 1-12:样本元素 A 和 B,元素 B 上带有启动器标记
图 1-13 中所示的符号传统上用于划分信任边界:线后的任何元素(线的曲率决
定线后和线前的元素)相互信任。基本上,它用虚线标识了一个边界,在这个
边界上所有的实体都在同一级别上受到信任。例如,你可以信任在防火墙或 VPN
后运行的所有进程。这并不意味着流是自动未经验证的。相反,信任边界意味着
在该边界内操作的对象和实体在相同的信任级别上操作(例如,Ring 0 层 )。
当你希望在建模系统过程中假定系统组件之间存在对称信任时,应该使用此符
号。在具有非对称组件信任的系统中(也就是说,组件 A 可能信任组件 B,但
组件 B 不信任组件 A),信任边界标记将是不合适的,你应该在数据流上使用注
释,其中包含描述信任关系的信息。
图 1-13:用于绘制数据流图的信任边界符号
如图 1-14 所示,有时也会使用相同的符号表示对特定数据流的安全保护方案,例
如,通过使用 HTTPS 将数据流标记为具有机密性和完整性。该符号和注释的另一种
选择是为数据流本身提供注释,这可能会导致模型中有大量组件或数据流,很混乱。
系统建模 | 45
如果按传统意义使用( ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access
More than 5,000 organizations count on O’Reilly
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.Julian F.
I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.Addison B.
I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.Amir M.
I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.