January 2023
Intermediate to advanced
214 pages
3h 43m
Chinese
Content preview from 威胁建模:安全设计中的风险识别和规避
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.
54 | 第
1
章
1.2.5 鱼骨图
鱼骨图也称为因果图或 Ishikawa 图,主要用于问题陈述的根本原因分析。图 1-24
显示了鱼骨图的示例。
与攻击树类似,鱼骨图可以帮助你识别任何给定区域的系统缺陷。这些图对于识
别过程中的陷阱或缺陷(例如,系统的供应链中发现的缺陷)也很有用,你可能
需要在其中分析组件交付或制造、配置管理或关键资产的保护。此建模过程还可
以帮助你了解导致漏洞被利用的事件链。知道了这些信息后,你就可以构造更好
的 DFD(知道要问的问题或要查找的数据),并识别新型威胁以及安全测试用例。
构造鱼骨图类似于创建攻击树,除了标识目标模型和实现目标的操作以外,你
还可以标识要建模的效果。本示例对数据暴露的原因进行建模。
首先,定义要建模的效果。图 1-24 展示了数据暴露对模型的影响。
数据暴露
图 1-24:鱼骨图样本,第 1 步:主要效果
然后,你要识别导致该结果的一组主要原因。我们识别了三个:过于冗长的日
志、秘密通道和用户错误,如图 1-25 所示。
过于冗长的日志 用户错误
数据泄露
秘密通道
图 1-25:鱼骨图样本,第 2 步:主要原因
最后,你识别驱动主要原因的一组原因(以此类推)。我们已经识别出导致用户
错误的主要原因是用户界面混乱。这个例子只识别了三种威胁,但你会想要创
建更大和更广泛的模型,这取决于你希望花费多少时间和精力以及结果的粒度。
图 1-26 显示了完整状态的鱼骨图,包含预期效果、主要原因和次要原因。
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access
More than 5,000 organizations count on O’Reilly
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.Julian F.
I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.Addison B.
I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.Amir M.
I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.