
    STRIDE and DREAD

    Background

    STRIDE and DREAD are the most commonly used and most practical security models.

    STRIDE is mainly used to classify security risks.
    DREAD is mainly used to rate security risks.

    STRIDE

    The name is an acronym formed from the first letter of each threat category:

    Table [1]:

    | Type | Examples | Security control summary |
    |---|---|---|
    | Spoofing | Threat action aimed to illegally access and use another user's credentials, such as username and password. | Authentication |
    | Tampering | Threat action aimed to maliciously change/modify persistent data, such as persistent data in a database, and the alteration of data in transit between two computers over an open network, such as the Internet. | Integrity |
    | Repudiation | Threat action aimed to perform illegal operations in a system that lacks the ability to trace the prohibited operations. | Non-Repudiation |
    | Information disclosure | Threat action to read a file that one was not granted access to, or to read data in transit. | Confidentiality |
    | Denial of service | Threat aimed to deny access to valid users, such as by making a web server temporarily unavailable or unusable. | Availability |
    | Elevation of privilege | Threat aimed to gain privileged access to resources for gaining unauthorized access to information or to compromise a system. | Authorization |

    DREAD

    The name is formed the same way as STRIDE above, from the first letter of each factor,
    but the core idea is easy to grasp.
    It consists of:

    • Damage
    • Reproducibility
    • Exploitability
    • Affected Users
    • Discoverability

    Each factor is defined by the question it asks about a threat:

    For Damage: How big would the damage be if the attack succeeded?
    For Reproducibility: How easy is it to reproduce the attack?
    For Exploitability: How much time, effort, and expertise is needed to exploit the threat?
    For Affected Users: If a threat were exploited, what percentage of users would be affected?
    For Discoverability: How easy is it for an attacker to discover this threat?
    By referring to the college library website it is possible to document sample threats related to the use cases, such as:

    Threat: For example, a malicious user views confidential information of students, faculty members and librarians.
    Risk: a malicious user can see ordinary users' confidential information.

    Here is how the score is computed (example):
    Damage potential: Threat to reputation as well as financial and legal liability: 8
    Reproducibility: Fully reproducible: 10
    Exploitability: Requires being on the same subnet or having compromised a router: 7
    Affected users: Affects all users: 10
    Discoverability: Can be found out easily: 10
    Overall DREAD score: (8+10+7+10+10) / 5 = 9

    In this case, a score of 9 on a 10-point scale is certainly a high-risk threat.
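    As an added example (not code from the original post), the two models combined in a small threat-register class: STRIDE chooses the category and therefore the security control from the table above, and DREAD rates the threat as the mean of its five factors. The library-website threat below is a constructed instance; its classification as Information disclosure and the risk-band thresholds are assumptions of this example.

```python
from dataclasses import dataclass
# STRIDE category -> the security control that counters it (from the table above).
STRIDE_CONTROLS = {
    "Spoofing": "Authentication",
    "Tampering": "Integrity",
    "Repudiation": "Non-Repudiation",
    "Information disclosure": "Confidentiality",
    "Denial of service": "Availability",
    "Elevation of privilege": "Authorization",
}
# The five DREAD factors, each rated 0..10.
DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")

@dataclass
class Threat:
    name: str
    stride: str  # STRIDE category: what kind of threat this is
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        # Reject unknown categories and ratings outside the 0..10 scale.
        if self.stride not in STRIDE_CONTROLS:
            raise ValueError(f"unknown STRIDE category: {self.stride!r}")
        for factor in DREAD_FACTORS:
            value = getattr(self, factor)
            if not 0 <= value <= 10:
                raise ValueError(f"{factor} must be 0..10, got {value}")

    def control(self) -> str:
        # STRIDE answers "which control addresses this threat?"
        return STRIDE_CONTROLS[self.stride]

    def dread_score(self) -> float:
        # DREAD answers "how serious is it?": the mean of the five factor ratings.
        return sum(getattr(self, f) for f in DREAD_FACTORS) / len(DREAD_FACTORS)

def risk_band(score: float) -> str:
    # Band thresholds are an assumption of this example; the page only calls 9/10 "high".
    if score >= 7:
        return "High"
    return "Medium" if score >= 4 else "Low"

# Constructed instance of the library-website threat worked on the page: (8+10+7+10+10)/5 = 9.
LIBRARY_THREAT = Threat("Malicious user views confidential student records",
                        "Information disclosure", 8, 10, 7, 10, 10)
```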
    

    Notes


    1. https://www.owasp.org/index.php/Application_Threat_Modeling#STRIDE

    Original article: https://www.cnblogs.com/Qingluan/p/5172092.html