安全威胁建模综述_如何使用威胁建模分析应用程序的安全性

安全威胁建模综述

Digital attacks are more and more frequent, and the first step in securing your app is understanding the threats and how to counter them.

数字攻击越来越频繁，保护应用程序安全的第一步是了解威胁以及如何应对威胁。

Threat modeling is an approach that analyses the security of an application. It is a structured way to identify, quantify and mitigate the security risks in an application.

威胁建模是一种分析应用程序安全性的方法。 这是一种识别，量化和减轻应用程序中安全风险的结构化方法。

You are about to read a short briefing I wrote for myself some time ago, made up from information I’ve collected by dissecting several other articles. The idea behind this article is for it to act as a reminder and to be as short as possible but still hold relevant information.

您将要阅读我前一段时间为自己写的简短简介，该简介是由我通过剖析其他几篇文章收集到的信息组成的。 本文背后的想法是，它旨在提醒人们，并且尽可能简短，但仍保留相关信息。

---

---

So with that being said, let’s write the most common definition of threat modeling:

因此，让我们写一个最常见的威胁建模定义：

Threat modeling is a security process with goals to identify objectives  and vulnerabilities and then define countermeasures to prevent or lessen  the effects of threats to the system.

威胁建模是一个安全过程，其目标是识别目标和漏洞，然后定义对策以防止或减轻系统威胁的影响。

I’ve also read that threat modeling gives answers to these four questions:

我还阅读了威胁建模为以下四个问题提供了答案：

• What are we working on?

  我们正在做什么？

• What can go wrong?

  有什么问题吗？

• What are we going to do about it?

  我们要怎么做？

• Did we do a good job?

  我们做得好吗？

And I couldn’t agree more. That’s why threat modeling is composed of four parts, where each part answers one question:

我完全同意。 这就是为什么威胁建模由四个部分组成，每个部分都回答一个问题：

• Decomposing the application.

  分解应用程序。

• Determining the threats.

  确定威胁。

• Determine counter measures and mitigations (reducing the danger).

  确定应对措施和缓解措施(减少危险)。

• Rank threats.

  等级威胁。

分解应用程序 (Decomposing the application)

The goal of this step is to understand the application by decomposing it into parts and seeing how those parts interact with external entities. The way to do this is to gather information and documentation by mapping the application’s entry points, elements/assets and dependencies.

此步骤的目标是通过将应用程序分解为各个部分并了解这些部分如何与外部实体进行交互来了解应用程序。 这样做的方法是通过映射应用程序的入口点，元素/资产和依赖项来收集信息和文档。

• Decompose the application by drawing a diagram of various components in the  application. You can do this with Data Flow Diagrams.
  通过绘制应用程序中各个组件的图来分解应用程序。 您可以使用数据流程图进行此操作。
• Identifying  entry points — Software entry points may serve as entry points of an  attacker( login pages, search fields, HTTP requests etc.). It is essential that all entry points are identified and documented.
  识别入口点-软件入口点可以用作攻击者的入口点(登录页面，搜索字段，HTTP请求等)。 识别并记录所有入口点至关重要。
• Identifying  the elements/assets — that have a value, and therefore a risk of being  attacked. An asset can be in a form of data like a list of customer  information, it can also be in different forms: overall application  availability, organizations reputation.
  识别具有价值的元素/资产，因此有被攻击的风险。 资产可以采用诸如客户信息列表之类的数据形式，也可以采用不同形式：整体应用程序可用性，组织声誉。
• Dependencies  are parts of the app that lay outside of the application’s code. As  these items are outside of your control they may pose a threat if they are not properly maintained so identifying these dependencies will minimize the application’s overall risk.
  依赖关系是应用程序中位于应用程序代码之外的部分。 由于这些项目不在您的控制范围之内，如果维护不当，它们可能会构成威胁，因此识别这些依赖性将使应用程序的总体风险降至最低。

确定威胁 (Determining threats)

Determining threats can be done by threat categorization STRIDE. STRIDE is an  approach from the attackers perspective, and it is used to determine  threats. While there are other approaches such as ASF (Application  security framework — an approach from the defenders perspective to  determine countermeasures), in this article I will be focusing on  STRIDE.

确定威胁可以通过威胁分类“ STRIDE”来完成。 从攻击者的角度来看，STRIDE是一种方法，用于确定威胁。 尽管还有其他方法，例如ASF(应用程序安全框架-从防御者的角度确定对策的方法)，但在本文中，我将重点介绍STRIDE。

STRIDE categorization outlines six most common types of threats and their countermeasures.

STRIDE分类概述了六种最常见的威胁及其对策。

跨度 (STRIDE)

1. Spoofing identity — Impersonating someone or something else.

   小号 poofing身份-假冒他人或别的东西。

2. Tempering with data — Modifying some data on disk, network, memory.

   T，带数据empering -修改磁盘，网络，存储一些数据。

3. Reputation — Denial of proof of some action.

   [R eputation -证明某些行动的拒绝。

4. Information disclosure — Exposing information to someone not authorized to see it.

   我载文信息披露-揭露信息的人无权看到它。

5. Denial of service — Deny or degrade service to users.

   服务d enial -拒绝或降低服务给用户。

6. Elevation of privileges — Unauthorized gaining of more rights than originally intended.

   未经授权获得的更多的权利比原本打算-特权Ëlevation。

确定对策 (Determining countermeasures)

Every threat from STRIDE has a countermeasure.

STRIDE的每种威胁都有对策。

1. Authentication (for Spoofing) — Establishing a verifiable identity.
   身份验证(用于欺骗)—建立可验证的身份。
2. Data protection (for Tempering with data) — Maintaining data and ensuring consistency of data and methods that work on data.
   数据保护(用于数据回火)-维护数据并确保数据和处理数据的方法的一致性。
3. Confirmation (for Reputation) — Every action against the application must be logged.
   确认(用于信誉)—必须记录针对应用程序的每个操作。
4. Confidentiality ( for Information disclosure) — Restricting access to system and data.
   机密性(用于信息披露)—限制对系统和数据的访问。
5. Availability(for Dos) — Leverage levels of redundancies.
   可用性(针对Dos)—利用冗余级别。
6. Authorization (for Elevation of privileges) — Limiting access to data, actions and services.
   授权(用于特权提升)-限制对数据，操作和服务的访问。

等级威胁 (Rank Threats)

To  tackle the problem of ranking threats Microsoft devised a risk  assessment model called DREAD, a model which provides five rating  categories for each threat. In the beginning they used the rating from 1  to 10, ex. for every threat in each category a rating from 1 do 10  would be given.

为了解决威胁排名问题，Microsoft设计了一种称为DREAD的风险评估模型，该模型为每种威胁提供了五个评级类别。 最初，他们使用的评分是1到10(例如， 对于每个类别中的每个威胁，将给出1到10的评分。

However,  as different people selected very different numbers, there was a shift  away from DREAD ratings within high number ranges towards some simpler  classification with 4 different levels of risk:

但是，由于不同的人选择了截然不同的数字，因此从较高数字范围内的DREAD等级转向了具有4种不同风险等级的简单分类：

• 1: low
  1：低
• 2: medium
  2：中
• 3: high
  3：高
• 4: critical
  4：关键

Sum of all ratings for a given threat is used to prioritize it among other threats.

给定威胁的所有等级总和用于在其他威胁中确定其优先级。

The categories to rank for every threat are:

对每种威胁进行排名的类别为：

• Damage — how bad would an attack be?

  d豪悦国际-如何将坏的攻击呢？

• Reproducibility — how easy is it to reproduce the attack?

  [R eproducibility -有多容易重现攻击？

• Exploitability — how much work is it to launch the attack?

  可扩展性-发起攻击有多少工作？

• Affected users — how many people will be impacted?

  一个 ffected用户-有多少人会受到影响？

• Discoverability — how easy is it to discover the threat?

  d iscoverability -有多容易发现的威胁？

For  every threat in each category a rating from 1 do 4 is given and the sum  of all ratings for a given threat is used to prioritize it among other  threats.

对于每个类别中的每个威胁，给出的等级为1到4，并且将给定威胁的所有等级的总和用于在其他威胁中确定其优先级。

---

---

Up until now we decomposed the application, analysed functionalities,  determined possible risks and identified weak points that could be  exploited. Then we determined the countermeasures and used DREAD to rank  the risks. The only thing left is to act accordingly in solving those  risks.

到目前为止，我们对应用程序进行了分解，分析了功能，确定了可能的风险并确定了可以利用的弱点。 然后，我们确定了对策，并使用DREAD对风险进行了排名。 剩下的唯一事情就是在解决这些风险时采取相应的行动。

---

---

Thank you for reading! Check out more articles like this on my freeCodeCamp profile: https://www.freecodecamp.org/news/author/goran/ and other fun stuff I build on my GitHub page: https://github.com/GoranAviani

感谢您的阅读！ 在我的freeCodeCamp个人资料上查看更多类似的文章： https ://www.freecodecamp.org/news/author/goran/和我在GitHub页面上构建的其他有趣的东西： https : //github.com/GoranAviani

翻译自: https://www.freecodecamp.org/news/threat-modeling-goran-aviani/

安全威胁建模综述