January 2023
Intermediate to advanced
214 pages
3h 43m
Chinese
Content preview from 威胁建模:安全设计中的风险识别和规避
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.
148 | 第
4
章
·
风险摘要,风险详细信息为 JSON 格式。
·
自动布局的 DFD(用颜色表示资产、数据和通信链路的分类)。
·
数据资产风险图。
最后一个图表特别重要,因为对于每个数据资产,它表示在哪里处理和存储,
颜色表示每个数据资产和技术资产的风险状态。据我们所知,这是目前唯一提
供这种观点的工具。
生成的 PDF 报告的格式非常详细,包含将风险传递给管理层或开发者以减轻风
险所需的所有信息。对已识别的威胁进行了跨步分类,并对每个类别的风险进
行了影响分析。
我们期待看到更多这类工具,并参与其开发,并衷心建议你在它向公众开放后
看看它。
4.4 其他威胁建模工具概述
我们试图尽可能公正地介绍这些工具,但克服信息偏见可能很困难。任何错误、
遗漏或失实陈述均由我们全权负责。
4.4.1 IriusRisk 工具
实施的方法:基于调查问卷的威胁库
主要作用:IriusRisk 的免费 / 社区版(见图 4-6 )提供了与企业版相同的功能,
但对其可以生成的报告类型及其菜单中包含在系统中的元素有限制。免费版也不
包含 API,但它足以显示该工具的能力。图 4-6 显示了 IriusRisk 在简单浏览器 /
服务器系统模型上执行的分析结果示例。它的威胁库似乎至少基于 CAPEC,其中
提到了 CWE、Web 应用程序安全协议(WASC)、 OWASP Top Ten、OWASP 应用
程序安全验证标准(ASVS)和 OWASP 移动应用程序安全验证标准(MASVS)。
及时性:不断更新
获取来源:https://oreil.ly/TzjrQ
自动化威胁建模 | 149
图 4-6:IriusRisk 实时分析结果
IriusRisk 报告中的一个典型发现包含被识别的组件、缺陷类型(“访问敏感数据”)、
威胁的简短解释(
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access
More than 5,000 organizations count on O’Reilly
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.Julian F.
I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.Addison B.
I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.Amir M.
I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.