January 2023
Intermediate to advanced
214 pages
3h 43m
Chinese
Content preview from 威胁建模:安全设计中的风险识别和规避
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.
持续威胁建模 | 159
底且有效地识别系统中所有可能的威胁。
威胁模型会随着时间的推移而演变,知道这一点可以通过让不同的团队以不同
的速度并以相同的步骤进行交互来实现可扩展性。尽管拥有一种适用于所有团
队的方法很重要,但各团队不需要执着于寻找该方法。你可以让每个团队自由
发展,并根据需要进行干预(提供建议或专家支持)。
5.4 Autodesk 持续威胁建模方法
Autodesk 持续威胁建模(A-CTM)是持续威胁建模方法的真实示例。它采用了
CTM 的理论并将其应用于快速变化的组织中。根据观察到的结果,它随着时间
的推移进行了更正,并且方法论不断演进,其威胁模型也不断发展。
Autodesk GitHub 存储库的“ Continuous Threat Modeling Handbook”中详细介
绍了该方法。从设计到部署,可以在系统生命周期中的任何时间应用它。以下
是手册中的 Autodesk 持续威胁建模任务说明:
安全部门通常为开发团队提供的完整威胁建模服务可以看作一组很好的培训工
具。我们看到越来越需要扩展此过程,并已采取将知识转移给开发团队的方法。
本手册中概述的方法为团队提供了一种将安全性原则应用于威胁建模过程的结
构,使团队能够按照一种指导性的方法来质疑其安全状况,从而将其产品知识
转化为安全发现。这种方法的目的是在多次迭代中支持和增强开发团队的安全
能力,以使开发团队执行的威胁模型的质量不需要安全团队的参与。
就本章而言,我们可互换地使用 CTM、A-CTM 和 Autodesk CTM 来指代相同的
方法。总的来说,提及 CTM 本身就是指基本方法和哲学,而提及 A-CTM 就是
指 Autodesk 实施。
为了解决“到目前为止我们有什么”和“随着时间的推移如何变化”之间的二
分法,CTM ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access
More than 5,000 organizations count on O’Reilly
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.Julian F.
I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.Addison B.
I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.Amir M.
I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.