威胁建模:安全设计中的风险识别和规避 (Threat Modeling: Identifying and Avoiding Risk in Secure Design)
book


by Izar Tarandach, Matthew J. Coles
January 2023
Intermediate to advanced
214 pages
3h 43m
Chinese
China Machine Press
Content preview from 威胁建模:安全设计中的风险识别和规避
System Modeling | 55
[Figure 1-26: Fishbone diagram sample, step 3: secondary causes. Labels on the diagram: overly verbose logging, user error, developer error, malicious insider, developer, alternate code paths, untrusted components, malicious insider, misconfiguration, confusing user interface, data leakage, covert channel.]
1.3 How to Build a System Model
The basic process of creating a system model starts with identifying the major building blocks of the system: these may be applications, servers, databases, or data stores. Next, identify the connections between each of the major building blocks:
· Does the application expose an API or a user interface?
· Does the server have listening ports? If so, which protocols do they use?
· What communicates with the database, and what is communicated? Is data only read, or can it also be written?
· How does the database control access?
Keep following the thread of the conversation and walk through every entity at this context layer of the model until all of the necessary connections, interfaces, protocols, and data flows have been captured.
Next, select one of the entities (usually an application or server element) that may hold further details you need to uncover, so that you can identify the areas of concern and break it down further. When examining the sub-parts that make up an application or server, focus on the entry and exit points into and out of the application, and on where those channels connect.
You should also consider how the individual sub-parts communicate with each other, including the communication channels, the protocols, and the types of data passed across those channels. You will add any relevant information according to the type of shape you add to the model (later in this chapter you will learn about annotating the model with metadata).
While building the model, you will need to apply your judgment and your knowledge of security principles and techniques to gather the information needed for threat assessment. Ideally, you will perform that threat assessment immediately after building the model.
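The procedure above (identify building blocks, connect them, walk every entity until all protocols and data flows are known, then decompose one element and look at its entry and exit points) can be made concrete in code. The following Python is an added example written for this edition, not code from the book or its authors; the element kinds, the metadata keys (`listens_on`, `access_control`, `ui`, `api`) and the sample web-shop system are assumptions chosen for illustration. The `open_questions()` method encodes the four checklist questions from the section as checks that flag what the model still leaves unanswered.

```python
"""Minimal system-model builder for threat modeling (added example, not from the book)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Element:
    """A building block: application, server, datastore or external actor."""
    name: str
    kind: str
    parent: Optional["Element"] = None             # set when an element is decomposed
    metadata: dict = field(default_factory=dict)   # assumed keys: listens_on, access_control, ui, api

    def within(self, other: "Element") -> bool:
        """True if self is `other` or one of its sub-parts, at any depth."""
        node = self
        while node is not None:
            if node is other:
                return True
            node = node.parent
        return False


@dataclass
class DataFlow:
    """A connection between two elements, annotated as the model matures."""
    src: Element
    dst: Element
    data: str
    protocol: Optional[str] = None   # None means "not yet identified"
    writes: bool = False             # does the source write, or only read?


class SystemModel:
    def __init__(self) -> None:
        self.elements: list[Element] = []
        self.flows: list[DataFlow] = []

    def add(self, name: str, kind: str, parent: Optional[Element] = None, **metadata) -> Element:
        element = Element(name, kind, parent, metadata)
        self.elements.append(element)
        return element

    def connect(self, src: Element, dst: Element, data: str,
                protocol: Optional[str] = None, writes: bool = False) -> DataFlow:
        flow = DataFlow(src, dst, data, protocol, writes)
        self.flows.append(flow)
        return flow

    def entry_points(self, element: Element) -> list[DataFlow]:
        """Flows that cross into `element` (or any of its sub-parts) from outside it."""
        return [f for f in self.flows
                if f.dst.within(element) and not f.src.within(element)]

    def exit_points(self, element: Element) -> list[DataFlow]:
        """Flows that leave `element` (or any of its sub-parts) for the outside."""
        return [f for f in self.flows
                if f.src.within(element) and not f.dst.within(element)]

    def open_questions(self) -> list[str]:
        """The 'walk every entity' pass: the section's checklist questions, applied
        to whatever the model does not yet record."""
        questions = []
        for f in self.flows:
            if f.protocol is None:
                questions.append(f"{f.src.name} -> {f.dst.name}: which protocol carries '{f.data}'?")
        for e in self.elements:
            if e.kind == "server" and "listens_on" not in e.metadata:
                questions.append(f"{e.name}: does it have listening ports?")
            if e.kind == "datastore" and "access_control" not in e.metadata:
                questions.append(f"{e.name}: how does it control access?")
            if e.kind == "application" and not any(k in e.metadata for k in ("ui", "api")):
                questions.append(f"{e.name}: does it expose an API or a user interface?")
        return questions


def build_sample_model() -> SystemModel:
    """Constructed sample system (an assumption, not a system from the book): a web shop
    at context level, with the web application decomposed one level further."""
    m = SystemModel()
    customer = m.add("Customer", "actor")
    web = m.add("WebApp", "application", ui=True, api=True)
    frontend = m.add("Frontend", "application", parent=web, ui=True)
    order_api = m.add("OrderAPI", "application", parent=web, api=True)
    orders = m.add("OrderService", "server", listens_on=8443)
    db = m.add("OrdersDB", "datastore")            # access control deliberately not yet recorded
    m.connect(customer, frontend, "browsing session", protocol="HTTPS")
    m.connect(frontend, order_api, "order form", protocol="HTTPS")       # internal to WebApp
    m.connect(order_api, orders, "order requests", protocol="gRPC/TLS", writes=True)
    m.connect(orders, db, "orders table", writes=True)                   # protocol not yet known
    m.connect(orders, order_api, "order status")                         # protocol not yet known
    return m


if __name__ == "__main__":
    model = build_sample_model()
    web = next(e for e in model.elements if e.name == "WebApp")
    print("Entry points into WebApp:", [f"{f.src.name} -> {f.dst.name}" for f in model.entry_points(web)])
    print("Exit points from WebApp:", [f"{f.src.name} -> {f.dst.name}" for f in model.exit_points(web)])
    for question in model.open_questions():
        print("Still to determine:", question)
```

The flow between Frontend and OrderAPI is not reported as an entry point of WebApp because both ends sit inside it; it only becomes an interface of interest once you decompose WebApp itself, which is the "select one entity and break it down further" step. The open-questions list is the artifact to carry into the next conversation with the system's owners before the threat assessment starts.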
Before you begin, decide which model types you are likely to need and the symbol set you intend to use for each of them. For example, you might decide to use ...
ISBN: 9787111713692