    STRIDE and DREAD

    Background

    STRIDE and DREAD are the most commonly used, and the most practical, security threat models.

    STRIDE is mainly used to classify security risks.
    DREAD is mainly used to rate security risks.

    STRIDE

    The name is an acronym formed from the first letter of each threat type.

    Table (from [1]):

    | Type | Examples | Security control summary |
    |---|---|---|
    | Spoofing | Threat action aimed to illegally access and use another user's credentials, such as username and password. | Authentication |
    | Tampering | Threat action aimed to maliciously change/modify persistent data, such as persistent data in a database, and the alteration of data in transit between two computers over an open network, such as the Internet. | Integrity |
    | Repudiation | Threat action aimed to perform illegal operations in a system that lacks the ability to trace the prohibited operations. | Non-Repudiation |
    | Information disclosure | Threat action to read a file that one was not granted access to, or to read data in transit. | Confidentiality |
    | Denial of service | Threat aimed to deny access to valid users, such as by making a web server temporarily unavailable or unusable. | Availability |
    | Elevation of privilege | Threat aimed to gain privileged access to resources for gaining unauthorized access to information or to compromise a system. | Authorization |

    DREAD

    The name is an acronym, formed in the same way as STRIDE above, and the core idea is easy to grasp. It covers:

    • Damage
    • Reproducibility
    • Exploitability
    • Affected Users
    • Discoverability

    Each DREAD dimension is defined by the question it asks about a threat:

    For Damage: How big would the damage be if the attack succeeded?
    For Reproducibility: How easy is it to reproduce an attack to work?
    For Exploitability: How much time, effort, and expertise is needed to exploit the threat?
    For Affected Users: If a threat were exploited, what percentage of users would be affected?
    For Discoverability: How easy is it for an attacker to discover this threat?
    By referring to the college library website it is possible to document sample threats related to the use cases such as:
    

    Threat: For example, a malicious user views confidential information of students, faculty members and librarians.
    Risk: a malicious user can see other users' confidential information.

    Here is how the score is calculated (example):
    Damage potential: Threat to reputation as well as financial and legal liability: 8
    Reproducibility: Fully reproducible: 10
    Exploitability: Requires being on the same subnet or having compromised a router: 7
    Affected users: Affects all users: 10
    Discoverability: Can be found out easily: 10
    Overall DREAD score: (8+10+7+10+10) / 5 = 9

    In this case, a 9 on a 10-point scale is certainly a high-risk threat.
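    As an added example (not code from the original post or from OWASP), a small Python threat register that ties each threat to its STRIDE category and the control from the table above, validates the 0..10 DREAD ratings, and ranks threats by their average DREAD score. The register entries are constructed sample data; the first entry is the library example above and scores 9.0.

```python
from dataclasses import dataclass

# STRIDE category -> primary security control, taken from the table above.
STRIDE_CONTROLS = {
    "Spoofing": "Authentication",
    "Tampering": "Integrity",
    "Repudiation": "Non-Repudiation",
    "Information disclosure": "Confidentiality",
    "Denial of service": "Availability",
    "Elevation of privilege": "Authorization",
}

# The five DREAD factors, each rated on a 0..10 scale.
DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")


@dataclass
class Threat:
    name: str
    stride: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        # Reject unknown STRIDE categories and out-of-range ratings early,
        # so a register never carries a score that cannot be trusted.
        if self.stride not in STRIDE_CONTROLS:
            raise ValueError(f"unknown STRIDE category: {self.stride!r}")
        for factor in DREAD_FACTORS:
            value = getattr(self, factor)
            if not 0 <= value <= 10:
                raise ValueError(f"{factor} must be in 0..10, got {value}")

    def dread_score(self) -> float:
        # Overall DREAD score: arithmetic mean of the five factor ratings.
        return sum(getattr(self, f) for f in DREAD_FACTORS) / len(DREAD_FACTORS)

    def control(self) -> str:
        # The security control that mitigates this threat's STRIDE category.
        return STRIDE_CONTROLS[self.stride]


def rank(threats):
    # Highest DREAD score first, so the riskiest threats get attention first.
    return sorted(threats, key=lambda t: t.dread_score(), reverse=True)


# Constructed sample register (hypothetical); entry 1 is the library example.
REGISTER = [
    Threat("View confidential student records", "Information disclosure", 8, 10, 7, 10, 10),
    Threat("Forge a librarian's session", "Spoofing", 7, 5, 4, 6, 5),
    Threat("Delete audit log entries", "Repudiation", 6, 3, 3, 2, 4),
]

if __name__ == "__main__":
    for t in rank(REGISTER):
        print(f"{t.dread_score():4.1f}  {t.stride:<23} control={t.control():<16} {t.name}")
```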
    

    Notes


    1. https://www.owasp.org/index.php/Application_Threat_Modeling#STRIDE ↩︎

  • Original article: https://www.cnblogs.com/Qingluan/p/5172092.html