January 2023
Intermediate to advanced
214 pages
3h 43m
Chinese
Content preview from 威胁建模:安全设计中的风险识别和规避
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.
62
第 2 章
威胁建模的通用方法
如果你一直都做同样的事,就会得到同样的结果。
—
亨利·福特
威胁建模作为分析威胁的一种系统设计练习,遵循一致的做法,可以概括为几
个基本步骤。本章介绍威胁建模的一般流程,还提供有关在系统模型中查找的
内容以及由于威胁建模而可能永远无法发现的内容的信息。
2.1 基本步骤
本节展示的基本步骤涵盖了威胁建模的一般流程。经验丰富的建模师可以并行
地执行这些步骤,并且在大多数情况下可以自动化执行这些步骤。他们会在模
型形成时不断评估系统的状态,并且能够在模型达到预期的成熟度之前就提出
需要关注的领域。
这可能需要你花一些时间来达到那种舒适和熟悉的水平,但通过练习,这些步
骤将成为你的习惯。
1.
识别所考虑系统中的对象
识别在你要建模的系统中出现并与之关联的元素、数据存储、外部实体和
行为者,并收集特征或属性作为相关的元数据(在本章的后面,我们将提供
一些示例问题,你可以使用这些问题来简化元数据的收集)。注意每个对象
支持或提供的安全功能和控制,以及任何明显的缺陷(比如,在 HTTP 上
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access
More than 5,000 organizations count on O’Reilly
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.Julian F.
I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.Addison B.
I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.Amir M.
I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.