January 2023
Intermediate to advanced
214 pages
3h 43m
Chinese
Content preview from 威胁建模:安全设计中的风险识别和规避
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.
威胁建模的通用方法 | 63
公开 Web 服务器的元素,或者不需要身份验证就可以访问的数据库)。
2. 识别这些对象之间的流
识别步骤 1 中描述的对象之间的数据流动方式。然后记录这些流的元数据,
比如协议、数据分类和敏感性,以及数据流向。
3.
确定感兴趣的资产
详细说明由对象持有的或由步骤 2 中标识的流进行通信的相关或有趣资产。
请记住,资产可能包括数据
—
应用程序内部的数据(比如控制标志或配置
设置),或与应用程序功能相关的数据(例如,用户数据)。
4.
识别系统的缺陷和漏洞
根据系统对象和流的特征,理解步骤 3 中识别的资产的机密性、完整性、可
用性、隐私性和安全性可能受到的影响。特别是,你正在寻找违反第 0 章中
描述的安全原则的情况。例如,如果资产包含安全令牌或密钥,而该密钥在
某些条件下可能被不正确地访问(导致丧失机密性),那么你已经发现了一个
缺陷。如果这个缺陷是可利用的,那么你就有了一个可能造成威胁的漏洞。
5.
识别威胁
你需要将针对系统资产的漏洞与威胁行为者关联起来,以确定每个漏洞被
利用的可能性,这将给系统带来安全风险。
6
. 确定可利用性
最后,识别攻击者通过系统可能会对一个或多个资产造成影响的路径。换
句话说,识别攻击者如何利用步骤 4 中确定的缺陷。
2.2 你在系统模型中寻找的是什么
一旦你有了一个可以工作的模型,在任何完整性(或准确性)状态下,你都可以
开始检查模型是否存在漏洞和威胁。这就是从系统建模过渡到威胁建模的地方。此
时,你可能会问自己:“我到底应该在这些乱七八糟的框、行和文本中寻找什么呢? ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access
More than 5,000 organizations count on O’Reilly
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.Julian F.
I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.Addison B.
I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.Amir M.
I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.