Threat Modeling: Risk Identification and Avoidance in Secure Design (威胁建模:安全设计中的风险识别和规避)

by Izar Tarandach, Matthew J. Coles
January 2023
Intermediate to advanced
214 pages
3h 43m
Chinese
China Machine Press
Content preview from Threat Modeling: Risk Identification and Avoidance in Secure Design

1. Provide a complete system diagram, including deployment.
2. Label every component in the system-overview DFD (level 0).
3. Mark the direction of every data flow with arrows (toward the destination / toward the source / bidirectional).
4. Label the main action each arrow represents.
5. Label the protocol used by each data flow.
6. Mark trust boundaries and networks.
7. In the detailed DFD (level 1), label the main data types and how they move through the application (control flow).
8. Describe the roles that use the system (users, administrators, operators, etc.) and explain how each role's data flows / access differ.
9. Label every part of the authentication process.
10. Label every part of the authorization process.
11. Number these actions in the order they occur.
12. Mark the "crown jewels", the most sensitive data. How is that data handled? What are the most critical application functions?
The format of findings should follow the fixed structure below.

Unique identifier
This is how the finding is identified throughout its lifecycle.

Fully described attack scenario
Very often, different members of the team will interpret a finding in several ways. Specifying the complete attack scenario makes it easier for the team to see whether everyone is talking about the same problem, or whether a single finding actually involves several problems. Having enough information helps in determining the finding's impact and likelihood and, if necessary, in splitting it into several smaller findings.

Severity
Strictly speaking, CVSS is not a risk assessment system, but it is a workable (if sometimes imperfect) method for ranking findings. CVSS provides a simple way to quickly determine the severity of a problem so that findings can be compared one against another [1]. "Severity" is not the best choice for every use case, but it is easy to use and sufficiently descriptive ...

[1] See Chapter 3.
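As an added example (not from the book), the following Python turns the DFD labeling checklist and the fixed findings structure above into a small model: it reports which checklist labels are missing and emits findings carrying a unique identifier, a full attack scenario and a severity. The sample system, its component names and the "High" severity are constructed placeholders, not real CVSS scoring.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    src: str
    dst: str
    action: str                  # item 4: main action the arrow represents
    protocol: str                # item 5: protocol used by the flow
    bidirectional: bool = False  # item 3: arrow direction

@dataclass
class Dfd:
    zones: dict        # component -> trust zone (items 2 and 6)
    flows: list
    crown_jewels: set  # item 12: components holding the most sensitive data

def label_gaps(dfd):
    """Checklist gaps: endpoints missing from the level-0 diagram (item 2),
    flows with no action (item 4) or no protocol (item 5) label."""
    gaps = []
    for f in dfd.flows:
        gaps += [f"unlabeled component {e!r}" for e in (f.src, f.dst) if e not in dfd.zones]
        if not f.action:
            gaps.append(f"{f.src}->{f.dst}: no action label")
        if not f.protocol:
            gaps.append(f"{f.src}->{f.dst}: no protocol label")
    return gaps

def findings(dfd):
    """One finding in the fixed structure (unique id, full attack scenario, severity)
    per flow crossing a trust boundary into a crown jewel. 'High' is a placeholder."""
    out = []
    for f in dfd.flows:
        if dfd.zones.get(f.src) != dfd.zones.get(f.dst) and f.dst in dfd.crown_jewels:
            out.append({
                "id": f"TM-{len(out) + 1:03d}",
                "scenario": (f"An actor in zone {dfd.zones[f.src]!r} controlling {f.src} misuses "
                             f"the {f.action!r} flow over {f.protocol} to reach {f.dst}, "
                             f"which holds crown-jewel data."),
                "severity": "High",  # constructed placeholder, not a computed CVSS score
            })
    return out
# Constructed sample system: browser on the internet, API in a DMZ, customer DB internal.
SAMPLE = Dfd(
    zones={"browser": "internet", "api": "dmz", "customer_db": "internal"},
    flows=[Flow("browser", "api", "login", "HTTPS", bidirectional=True),
           Flow("api", "customer_db", "read customer records", "TLS/PostgreSQL"),
           Flow("api", "audit_log", "", "syslog")],  # deliberately under-labeled
    crown_jewels={"customer_db"},
)
```

Running `label_gaps(SAMPLE)` lists the under-labeled audit flow, and `findings(SAMPLE)` yields a single finding for the DMZ-to-internal flow into the customer database.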
ISBN: 9787111713692