Microsoft P&P Delivers Threat Modeling Guidance for Web Apps
2005-05-19 09:20
Microsoft's Patterns & Practices team has released a new PAG document on threat modeling of web applications. This document includes a description of the threat modeling process and key concepts, the web application security frame, and templates for creating threat models with samples and walkthroughs.
"This guidance presents the patterns & practices approach to creating threat models for Web applications. Threat modeling is an engineering technique you can use to help you identify threats, attacks, vulnerabilities, and countermeasures that could affect your application. You can use threat modeling to shape your application's design, meet your company's security objectives, and reduce risk."
The introduction starts with a description of the threat modeling process and key concepts in creating a threat model.
The five threat modeling steps are:
Step 1: Identify security objectives. Clear objectives help you to focus the threat modeling activity and determine how much effort to spend on subsequent steps.
Step 2: Create an application overview. Itemizing your application's important characteristics and actors helps you to identify relevant threats during step 4.
Step 3: Decompose your application. A detailed understanding of the mechanics of your application makes it easier for you to uncover more relevant and more detailed threats.
Step 4: Identify threats. Use details from steps 2 and 3 to identify threats relevant to your application scenario and context.
Step 5: Identify vulnerabilities. Review the layers of your application to identify weaknesses related to your threats. Use vulnerability categories to help you focus on those areas where mistakes are most often made.
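To show how the output of the five steps fits together, here is a small threat-model record for a hypothetical storefront, added as an illustration and not taken from the P&P guide or its template. The application, its components, the threats and the countermeasures are constructed for the example; the category names are the five security frame categories quoted in this article (the guide itself lists more). The checks at the end are the ones a reviewer wants before signing off on step 5: every threat maps to a known frame category, no frame category was skipped, no identified threat is left without a countermeasure, and no decomposed component was left unexamined.

```python
"""Minimal threat-model record organised by the five P&P steps.

Added illustration only: the storefront, its threats and countermeasures
are constructed sample data, not content from the P&P guidance.
"""

from dataclasses import dataclass, field

# Security frame categories quoted in the article (the guide lists more).
SECURITY_FRAME = (
    "Input and Data Validation",
    "Authentication",
    "Cryptography",
    "Parameter Manipulation",
    "Exception Management",
)


@dataclass
class Threat:
    """One row of the step-4 threat list, tied to a frame category in step 5."""
    description: str
    category: str
    target: str                      # component from the step-2/3 decomposition
    vulnerabilities: list = field(default_factory=list)
    countermeasures: list = field(default_factory=list)


@dataclass
class ThreatModel:
    objectives: list    # step 1: security objectives
    components: list    # steps 2-3: entry points, assets, trust boundaries
    threats: list       # steps 4-5: threats and the weaknesses behind them


# Hypothetical storefront (constructed sample data for this example).
SAMPLE_MODEL = ThreatModel(
    objectives=[
        "A customer's order history is visible only to that customer",
        "Passwords are never recoverable from the database",
    ],
    components=["login form", "order endpoint", "SQL database"],
    threats=[
        Threat("Attacker changes order_id in the query string to read "
               "another customer's order",
               "Parameter Manipulation", "order endpoint",
               vulnerabilities=["order_id trusted without an ownership check"],
               countermeasures=["resolve orders via the authenticated user id"]),
        Threat("Attacker brute-forces the login form",
               "Authentication", "login form",
               vulnerabilities=["no lockout or rate limit"],
               countermeasures=["account lockout", "rate limiting"]),
        Threat("Stack trace leaks table names to the browser",
               "Exception Management", "order endpoint",
               vulnerabilities=["custom error pages disabled"]),
    ],
)


def unknown_categories(model):
    """Threats filed under a category that is not in the frame (inconsistent model)."""
    return [t.description for t in model.threats if t.category not in SECURITY_FRAME]


def uncovered_categories(model):
    """Step-5 coverage gap: frame categories no threat has been recorded against."""
    seen = {t.category for t in model.threats}
    return [c for c in SECURITY_FRAME if c not in seen]


def unmitigated_threats(model):
    """Threats from step 4 that still have no countermeasure planned."""
    return [t.description for t in model.threats if not t.countermeasures]


def untargeted_components(model):
    """Components from the decomposition that no threat mentions (review gap)."""
    targeted = {t.target for t in model.threats}
    return [c for c in model.components if c not in targeted]


if __name__ == "__main__":
    print("Unknown categories:", unknown_categories(SAMPLE_MODEL))
    print("Frame categories not yet reviewed:", uncovered_categories(SAMPLE_MODEL))
    print("Threats without countermeasures:", unmitigated_threats(SAMPLE_MODEL))
    print("Components with no threats recorded:", untargeted_components(SAMPLE_MODEL))
```

Run against the sample, the checks report that Input and Data Validation and Cryptography were never reviewed, that the stack-trace leak has no countermeasure, and that the SQL database has no threat recorded against it; those are exactly the gaps step 5's "review the layers of your application" is meant to close before the model is considered done.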
The web application security frame is a set of categories used to group common security vulnerabilities for use in reviews of potential threats and for planning countermeasures. Some of the categories include Input and Data Validation, Authentication, Cryptography, Parameter Manipulation, and Exception Management.
The template is a document template used to track the threat modeling process: it records the security objectives and describes the deployment scenario.
Read Threat Modeling Web Applications