January 2023
Intermediate to advanced
214 pages
3h 43m
Chinese
Content preview from 威胁建模:安全设计中的风险识别和规避
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.
100 | 第
3
章
对于每种威胁,暴露值乘以最大适用概率风险即可得出威胁风险值,它将业务
影响与威胁的技术执行联系起来。
Trike 的作者意识到这是一种粗略而幼稚的风险建模方法,但坚持认为它足以产
生一组表达能力。通过生成威胁及其相关值,你可以得出对这些威胁应采用的
缓解措施、应采用的缓解顺序以及清除或至少减少威胁的程度(请参见表 3-7)。
你可以在 Mozilla 的一位作者 Brenda Larcom 的演示文稿中看到关于 Trike 的有
趣概述。
表 3-7:Trike 评分模型
参数 分数 说明
可访问性 1 Trike 提出了一种可靠的威胁建模方法
,
其中一些基本概念是合理
的
,
但不幸的是
,
该方法的执行记录不清
,
讨论似乎已停止
。
可
用的工具提供了部分实现或复杂的工作流程
可扩展性 5 根据定义
,
可以像评估机构中所有模型任务一样重用该过程
。
如
果有执行评估的资源
,
则该过程应该完全可供它们使用
可教育性 3 通过将所有可能的威胁分为两类
(
权限提升和拒绝服务
),
Trike 鼓
励在制定规则以及检查行为者和资产时进行讨论
。
在安全负责人的
指导下
,
这种对话和深入探究应该会给团队带来更多的安全教育
可用性 2 方法论中仍然有很多悬而未决的问题
,
这使人进行了有趣的智力
练习
,
但实用价值有限
敏捷性 2 Trike 专注于建模时对系统的所有了解
。
因此
,
它不适合开发
(
或
至少设计
)
不完整且在建模时可以充分检查其功能和特性的系统
。
Trike 的作者声称这种方法 ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access
More than 5,000 organizations count on O’Reilly
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.Julian F.
I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.Addison B.
I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.Amir M.
I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.