    Automotive Security: Materials and Notes (1): Security Engineering

    I will keep posting some recent materials and notes on Automotive Security.


    1. Overview

    1.1. Software Engineering Process 

    PLC-Phases

    Introduction -> Concept Refinement -> Development -> Industrialization -> Product Validation -> Production Ramp-Up
    Corresponding SW phases:

    Introduction -> Concept Refinement -> Prototype Planning & Specification -> Design & Realization -> Integration & Test ->Industrialization Support -> Product Validation Support -> Production Ramp-Up Support

    Prototype Planning & Specification -> Design & Realization -> Integration & Test form an iterative loop.

     

    1.2. Secure Software Development Life Cycle

    Recommended process: Microsoft Security Development Lifecycle (SDL)

    - Training

    Security training

    - Requirements

    Security requirements analysis

    Security & Privacy risk assessment

    - Design

    Design requirements analysis

    Analyze possible attacks

    Threat modeling

    - Implementation

    Use secure development tools

    Discard unsafe functions

    Run static code analysis

    - Testing

    - Release

    - Feedback

     

    1.3. Challenges

    - Uncertainty: internal and external environment, business processes, technology, law, etc.
    - Strictly ensuring security raises cost.

     

    1.4. Some existing models

    OWASP, OpenSAMM, BSIMM, ISO 21827

     

     

    2. Requirements

    For details on security requirements, see NIST SP 800-53.

    Security requirements analysis process:

    - Analyze the whole system: software, hardware, data, use cases.

    - Determine the security objectives, considering stakeholder interests and the system.

    - Understand the threats against the security objectives.

    - Classify and prioritize the security objectives.

    - Refine the security objectives, taking the threats into account.

     

    Recommended model: Microsoft Threat Modeling (STRIDE)

    Basic STRIDE steps:

    - Use case

    - Identify Elements

    - Identify Data Flow Diagrams (DFDs)

    - Add trust boundaries

    - System characterization

    - Threat matrix

    - Refinement
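
    The steps above, worked through as an added example (not code from the original post): a small data-flow model with trust zones, from which the STRIDE threat matrix is generated per element type. The STRIDE-per-element mapping is the usual Microsoft one; the elements, zones and flow names are a constructed diagnostic-tester-to-gateway scenario, not a description of any real vehicle.

```python
from dataclasses import dataclass, field

# STRIDE-per-element mapping used in Microsoft threat modeling: which threat
# categories are worth asking about for each kind of DFD element.
STRIDE_PER_ELEMENT = {
    "external": "SR",       # external entity: Spoofing, Repudiation
    "process": "STRIDE",    # process: all six
    "datastore": "TRID",    # data store: Tampering, Repudiation, Info disclosure, DoS
    "dataflow": "TID",      # data flow: Tampering, Info disclosure, DoS
}
STRIDE_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass
class Element:
    name: str
    kind: str   # "external", "process" or "datastore"
    zone: str   # trust zone; a flow between different zones crosses a trust boundary


@dataclass
class Flow:
    name: str
    src: str
    dst: str


@dataclass
class Model:
    elements: dict = field(default_factory=dict)
    flows: list = field(default_factory=list)

    def add(self, element):
        self.elements[element.name] = element

    def connect(self, name, src, dst):
        self.flows.append(Flow(name, src, dst))

    def crosses_boundary(self, flow):
        # Step "Add trust boundaries": a boundary is implied wherever a flow
        # connects elements in different trust zones.
        return self.elements[flow.src].zone != self.elements[flow.dst].zone

    def threat_matrix(self):
        """Return (element, element type, STRIDE threat) rows: the raw threat matrix."""
        rows = []
        for e in self.elements.values():
            for code in STRIDE_PER_ELEMENT[e.kind]:
                rows.append((e.name, e.kind, STRIDE_NAMES[code]))
        for f in self.flows:
            # Flows that cross a trust boundary are tagged so that refinement
            # can prioritise them over flows that stay inside one zone.
            tag = "dataflow/boundary" if self.crosses_boundary(f) else "dataflow/internal"
            for code in STRIDE_PER_ELEMENT["dataflow"]:
                rows.append((f.name, tag, STRIDE_NAMES[code]))
        return rows


def build_example_model():
    # Constructed example (assumption): an external diagnostic tester talking
    # to a gateway ECU that writes a diagnostic log inside the vehicle.
    m = Model()
    m.add(Element("Diagnostic tester", "external", "outside-vehicle"))
    m.add(Element("Gateway ECU", "process", "in-vehicle"))
    m.add(Element("Diagnostic log", "datastore", "in-vehicle"))
    m.connect("UDS request", "Diagnostic tester", "Gateway ECU")
    m.connect("Log write", "Gateway ECU", "Diagnostic log")
    return m


def boundary_threats(model):
    """Threat rows for flows crossing a trust boundary: the first refinement targets."""
    return [r for r in model.threat_matrix() if r[1] == "dataflow/boundary"]


if __name__ == "__main__":
    for row in build_example_model().threat_matrix():
        print("%-18s %-18s %s" % row)
```

    The matrix is deliberately exhaustive: every element gets every applicable STRIDE category, and the refinement step is where rows are discarded, merged or turned into requirements. Tagging boundary-crossing flows is what makes that refinement tractable.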

     

    Security Risk Analysis

    Recommended models: DREAD, ETSI TS 102 165-1 TVRA, HEAVENS model, EVITA model

    ISO 2700x
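
    As an added example of the risk-analysis step (not from the original post), the following scores and ranks threats with DREAD: Damage, Reproducibility, Exploitability, Affected users, Discoverability, each rated 0 to 10 and averaged. The 0 to 10 scale, the averaging and the High/Medium/Low thresholds are conventions assumed here, and the threats are constructed to match the diagnostic-gateway scenario, not real findings.

```python
from dataclasses import dataclass


@dataclass
class Threat:
    title: str
    damage: int            # how bad is the impact if the attack succeeds
    reproducibility: int   # how reliably can the attack be repeated
    exploitability: int    # how little effort or skill is needed
    affected_users: int    # how many users or vehicles are affected
    discoverability: int   # how easy is the weakness to find

    def parts(self):
        return (self.damage, self.reproducibility, self.exploitability,
                self.affected_users, self.discoverability)

    def dread_score(self):
        # Each component is rated 0..10 (assumed scale); the score is the mean.
        for p in self.parts():
            if not 0 <= p <= 10:
                raise ValueError(f"{self.title}: DREAD values must be 0..10, got {p}")
        return sum(self.parts()) / 5


def is_valid(threat):
    """True if every DREAD component is within the assumed 0..10 range."""
    return all(0 <= p <= 10 for p in threat.parts())


def severity(score):
    # Thresholds are an assumption; projects usually calibrate their own.
    if score >= 7:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def rank_threats(threats):
    """Return (title, score, severity) tuples, highest risk first."""
    scored = []
    for t in threats:
        s = t.dread_score()
        scored.append((t.title, s, severity(s)))
    return sorted(scored, key=lambda r: r[1], reverse=True)


# Constructed sample threats (assumption), in the style of the STRIDE output.
EXAMPLE_THREATS = [
    Threat("Spoofed tester unlocks security access", 8, 7, 6, 9, 5),
    Threat("Tampering with stored diagnostic log", 4, 6, 5, 3, 4),
    Threat("CAN flood denies service on gateway", 7, 9, 8, 9, 7),
]


if __name__ == "__main__":
    for title, score, sev in rank_threats(EXAMPLE_THREATS):
        print(f"{score:4.1f}  {sev:<6}  {title}")
```

    The point of a DREAD-style table is not the exact number but a repeatable ordering that stakeholders can argue about component by component; keeping the range check explicit stops a typo from silently inflating one threat.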

    3. Development

    Common software vulnerabilities

    Buffer overflow, integer overflow, command injection

    - Common Weakness Enumeration (CWE)

    - Open Web Application Security Project (OWASP)

    - 24 Deadly Sins of Software Security

    Secure coding standards and assessment

    Standards:

    - MISRA

    - CERT

    - DISA, STIGs

    Assessment:

    - CWE

    - OWASP Top 10

    Static Code Analysis Tools

    Coverity, ECLAIR, Grammatech, Gimpel Lint, HP Fortify, Klocwork, Parasoft, QAC, Veracode
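
    As an added example (not the original post's code and not any of the tools listed above), the following is a minimal banned-function checker of the kind the SDL "discard unsafe functions" and "run static code analysis" steps call for: it scans C source for calls to unbounded string functions and to system(), the patterns behind the buffer overflow and command injection classes named above, and reports the weakness and the usual replacement. The banned-function table is a small constructed subset in the spirit of the CERT C and SDL banned lists, and the C snippet it scans is constructed for the example.

```python
import re

# Constructed subset of a banned-function list (assumption): function,
# the weakness it typically leads to, and the usual safer replacement.
BANNED = {
    "gets":    ("CWE-242 inherently dangerous, no bound on input", "fgets with buffer size"),
    "strcpy":  ("CWE-120 unbounded copy, buffer overflow", "strncpy/strlcpy with explicit size"),
    "strcat":  ("CWE-120 unbounded append, buffer overflow", "strncat with remaining size"),
    "sprintf": ("CWE-120 unbounded format, buffer overflow", "snprintf"),
    "system":  ("CWE-78 shell command injection", "execv with an argument vector, no shell"),
}

# \b keeps strcpy_s, my_strcpy or subsystem( from matching; \s*\( requires a call.
PATTERN = re.compile(r"\b(" + "|".join(BANNED) + r")\s*\(")


def strip_comments(line):
    """Drop // line comments and /* */ comments that open and close on this line."""
    code = line.split("//", 1)[0]
    return re.sub(r"/\*.*?\*/", "", code)


def scan_c_source(source):
    """Return one finding per banned call: line number, function, reason, fix."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in PATTERN.finditer(strip_comments(line)):
            func = m.group(1)
            reason, fix = BANNED[func]
            findings.append({"line": lineno, "function": func,
                             "reason": reason, "fix": fix})
    return findings


def report(findings):
    """Render findings as compiler-style lines, so they can be fed to an editor."""
    return "\n".join(
        f"sample.c:{f['line']}: banned call {f['function']}() [{f['reason']}]; use {f['fix']}"
        for f in findings
    )


# Constructed C snippet (assumption): not real ECU code.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* constructed example for the checker */
void handle_vin(const char *vin) {
    char buf[17];
    strcpy(buf, vin);                 /* unbounded copy into a 17-byte buffer */
    // gets(buf);  old code, commented out: must not be reported
    puts(buf);
}

int run_diag(const char *tool) {
    char cmd[64];
    sprintf(cmd, "diag --tool %s", tool);
    return system(cmd);
}
"""


if __name__ == "__main__":
    print(report(scan_c_source(SAMPLE_C)))
```

    A grep-level check like this catches the easy cases and is cheap enough to run on every commit; it does not see calls split across lines, macros, or function pointers, which is why the section still recommends a real static analyzer on top of a banned list.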


    All rights reserved; infringement will be pursued. Contact the author before reusing this material.

    Original URL: https://www.cnblogs.com/leonliuxue/p/4704900.html