  • Microsoft P&P Delivers Threat Modeling Guidance for Web Apps

    Microsoft's Patterns & Practices team has released a new PAG document on threat modeling of web applications. This document includes a description of the threat modeling process and key concepts, the web application security frame, and templates for creating threat models with samples and walkthroughs.

    "This guidance presents the patterns & practices approach to creating threat models for Web applications. Threat modeling is an engineering technique you can use to help you identify threats, attacks, vulnerabilities, and countermeasures that could affect your application. You can use threat modeling to shape your application's design, meet your company's security objectives, and reduce risk."

    The introduction starts with a description of the threat modeling process and key concepts in creating a threat model.
    The five threat modeling steps are:
    • Step 1: Identify security objectives. Clear objectives help you to focus the threat modeling activity and determine how much effort to spend on subsequent steps.
    • Step 2: Create an application overview. Itemizing your application's important characteristics and actors helps you to identify relevant threats during step 4.
    • Step 3: Decompose your application. A detailed understanding of the mechanics of your application makes it easier for you to uncover more relevant and more detailed threats.
    • Step 4: Identify threats. Use details from steps 2 and 3 to identify threats relevant to your application scenario and context.
    • Step 5: Identify vulnerabilities. Review the layers of your application to identify weaknesses related to your threats. Use vulnerability categories to help you focus on those areas where mistakes are most often made.

    The web application security frame is a set of categories used to group common security vulnerabilities for use in reviews of potential threats and for planning countermeasures. Some of the categories include Input and Data Validation, Authentication, Cryptography, Parameter Manipulation, and Exception Management.
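The five steps and the security frame above can be exercised on a small model of an application. The following is an added example, not code from the patterns & practices guidance: it takes a decomposed application (step 3), derives threats per component from the frame categories named on this page (step 4), and reports as vulnerabilities those threats whose expected countermeasure is absent (step 5). The property and countermeasure names, the hypothetical subset of frame categories, and the sample application are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical subset of the web application security frame: each category
# maps a decomposition property that raises a threat to the countermeasure
# whose absence is treated as a vulnerability.
FRAME = {
    "Input and Data Validation": ("accepts_untrusted_input", "input validation"),
    "Authentication": ("handles_credentials", "credentials over TLS"),
    "Cryptography": ("stores_secrets", "strong encryption of stored secrets"),
    "Parameter Manipulation": ("uses_client_side_state", "server-side state check"),
    "Exception Management": ("raises_errors", "generic error page"),
}

@dataclass
class Component:
    name: str
    properties: set = field(default_factory=set)       # step 3: decomposition facts
    countermeasures: set = field(default_factory=set)  # controls already in place

def identify_threats(components):
    """Step 4: derive (component, category) threats using the security frame."""
    threats = []
    for c in components:
        for category, (prop, _) in FRAME.items():
            if prop in c.properties:
                threats.append((c.name, category))
    return threats

def identify_vulnerabilities(components, threats):
    """Step 5: a threat whose frame countermeasure is missing is a weakness."""
    by_name = {c.name: c for c in components}
    return [(name, cat, FRAME[cat][1]) for name, cat in threats
            if FRAME[cat][1] not in by_name[name].countermeasures]

# Constructed sample: a small web application decomposed into three components.
SAMPLE_APP = [
    Component("login form", {"accepts_untrusted_input", "handles_credentials"},
              {"input validation"}),
    Component("order page", {"uses_client_side_state", "raises_errors"},
              {"generic error page"}),
    Component("user store", {"stores_secrets"},
              {"strong encryption of stored secrets"}),
]

if __name__ == "__main__":
    found = identify_threats(SAMPLE_APP)
    for name, cat, fix in identify_vulnerabilities(SAMPLE_APP, found):
        print(f"{name}: {cat} threat without countermeasure -> add {fix}")
```

Steps 1 and 2 (security objectives and application overview) stay in the written model; this code only automates the mechanical part of steps 4 and 5.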

    The template is a document template used to track the threat modeling process, record security objectives, and describe the deployment scenario.

    Read Threat Modeling Web Applications
  • Original source: https://www.cnblogs.com/jeet/p/158668.html