January 2023
Intermediate to advanced
214 pages
3h 43m
Chinese
Content preview from 威胁建模:安全设计中的风险识别和规避
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.
威胁建模方法论 | 105
2. 系统 / 公司:对声誉有负面影响。
主要作恶者
内部人员。
基本流程
1. 作恶者可以访问社交网络数据库。
2. 作恶者把数据泄露给第三方。
触发器
一个恶意的行为者,且总是有可能出现。
先决条件
1. 作恶者可以篡改隐私策略,使之与许可条款不一致。
2. 没有正确地管理策略(没有根据用户的请求更新)。
预防关键点
1. 设计系统符合隐私和数据保护的法律准则,并保持内部策略与传达给用
户的策略一致。
2. 法律执行:只要用户的个人数据在未经同意的情况下被处理,用户就可
以起诉社交网络提供商。
3. 员工合同:与第三方分享信息的员工将受到处罚(解雇、罚款等)。
预防保证
法律的实施将降低内部人士泄露信息的威胁,但仍有可能侵犯用户的隐私。
注意,前提条件直接来自威胁树。一旦你描述了一个误用案例,就可以以预防
关键点和预防保证的形式从中提取需求。LINDDUN 把缓解威胁的方法转向使用
隐私增强技术 (PET) 作为解决方案,而不是纯粹的法律或合同手段。LINDDUN
的论文在列举 PET 解决方案并将它们映射到隐私属性方面做得很好。我们在这
里没有复制那个映射,如果你决定使用它,请阅读这篇论文以熟悉该方法。考
虑到 LINDDUN 与 STRIDE-per-Element 相似,重新应用我们的测量参数是不合
逻辑的,因为它们将等于 STRIDE 的参数。另外,LINDDUN 是一个很好的例
106 | 第
3
章
子,说明了如何将威胁建模的过程应用到安全以外的领域(例如,C、I 和 A),
并生成类似有价值的结果。 ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access
More than 5,000 organizations count on O’Reilly
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.Julian F.
I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.Addison B.
I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.Amir M.
I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.