January 2023
Intermediate to advanced
214 pages
3h 43m
Chinese
Content preview from 威胁建模:安全设计中的风险识别和规避
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.
193
附录
实例
我们相信,从构建系统模型、获取系统信息以及分析潜在漏洞和威胁的抽象知
识,你已经深入了解了威胁建模的过程。在这里,我们将引导你通过一个实例
来巩固你的理解。
由于这是一个静态文档,缺乏威胁建模通常需要的交互级别,因此以
下过程步骤被精简为“准备阶段”和“放弃结局”(这里没有破坏者!)。
通过这种方法,你应该了解如何根据选择的方法来练习威胁建模。
A.1 高级流程步骤
以下是本示例中将遵循的高级威胁建模步骤:
1. 识别正在考虑的系统中的对象。
2. 识别这些对象之间的数据流。
3. 识别感兴趣的资产。
4. 确定对资产的潜在影响。
5. 识别威胁。
6. 确定漏洞的可利用性。
在识别出威胁后,提交缺陷,制定缓解措施,并与系统开发团队协调,以将缓解
措施落实到位。在本示例中,我们将不讨论这些步骤,因为这是特定于组织的。
194 | 附录
A.2 接近你的第一个系统模型
建模的基本过程从识别系统中的主要构建块开始,这些构建块可以是应用程序、
服务器、数据库、数据存储等。然后确定每个主要构建块的连接:
·
应用程序是否支持 API 或用户界面?
·
服务器是否监听任何端口?如果是,通过什么协议?
·
什么与数据库通信?与数据库通信的内容是什么?它只读取数据,还是读取
和写入数据?
·
数据库如何控制访问?
继续跟踪对话线程并遍历系统模型中此上下文层的每个实体 ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access
More than 5,000 organizations count on O’Reilly
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.Julian F.
I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.Addison B.
I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.Amir M.
I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.