January 2023
Intermediate to advanced
214 pages
3h 43m
Chinese
Content preview from 威胁建模:安全设计中的风险识别和规避
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.
134 | 第
4
章
度结构化的系统工程过程的公司和组织(当然还有学术界)已经发布了关于如何
应用
SysML 对系统进行威胁建模的案例研究,尽管在撰写本文时,显示威胁分
析自动化的案例研究还较为有限
注 18、注 19
。
UML 和 SysML 中可用的系统模型或抽象类型以及与之相关联的数据是威胁建
模领域应用的关键,尤其是通过代码进行威胁建模。两者都提供了指定对象和
交互的方法,以及有关这些对象和交互的参数。两者都使用 XML 作为数据交换
格式。XML 被设计成由计算机应用程序处理
,这使得它非常适合创建可以分析
威胁的系统模型。
图形和元数据分析
让我们考虑一下如图 4-2 所示的简单示例。
客户端 服务器
图 4-2:简单的客户端 / 服务器系统模型
这些注释与图 4-2 中的系统图一起出现:
·
客户端用 C 语言编写,并在端口 8080 上调用服务器,以验证客户端的用户
。
·
服务器检查内部数据库,如果客户端发送的信息与预期相符,服务器将向客
户端返回授权令牌。
戴上安全帽(如果你需要温习身份验证和其他适用缺陷,请参阅第 0 章
),并识
别此简单系统模型中的安全问题
注 20
。现在,想想你是如何得出结论的。你可能
查看了系统模型,看到了作为注释提供的信息,并确定了潜在的威胁。你对存
储在内存中的威胁信息数据库进行了模式分析。这是开发团队的安全顾问经常
做的事情,也是可扩展性的挑战之一
—
没有足够的“内存”和“计算能力”。
3
这种模式分析和推断对人脑来说很容易做到。只要有正确的知识,我们的大脑
注 18: Aleksandr ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access
More than 5,000 organizations count on O’Reilly
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.Julian F.
I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.Addison B.
I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.Amir M.
I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.