Product image: Threat Modeling

Threat Modeling: Designing for Security

69,99 €

incl. statutory VAT, free shipping

Home delivery

Description

Product details

Sales rank

44849

Binding

Paperback

Publication date

17.02.2014

Publisher

John Wiley & Sons

Number of pages

624

Dimensions (L/W/H)

23/18,7/3,7 cm

Weight

1140 g

Colour

Light grey / Coffee

Edition

1st edition

Language

English

ISBN

978-1-118-80999-0

Manufacturer address

Libri GmbH
Europaallee 1
36244 Bad Hersfeld
DE

Email: GPSR contact

    Introduction xxi

    Part I Getting Started 1

    Chapter 1 Dive In and Threat Model! 3

    Learning to Threat Model 4

    Threat Modeling on Your Own 26

    Checklists for Diving In and Threat Modeling 27

    Summary 28

    Chapter 2 Strategies for Threat Modeling 29

    "What's Your Threat Model?" 30

    Brainstorming Your Threats 31

    Structured Approaches to Threat Modeling 34

    Models of Software 43

    Summary 56

    Part II Finding Threats 59

    Chapter 3 STRIDE 61

    Understanding STRIDE and Why It's Useful 62

    Spoofing Threats 64

    Tampering Threats 67

    Repudiation Threats 68

    Information Disclosure Threats 70

    Denial-of-Service Threats 72

    Elevation of Privilege Threats 73

    Extended Example: STRIDE Threats against Acme-DB 74

    STRIDE Variants 78

    Exit Criteria 85

    Summary 85

    Chapter 4 Attack Trees 87

    Working with Attack Trees 87

    Representing a Tree 91

    Example Attack Tree 94

    Real Attack Trees 96

    Perspective on Attack Trees 98

    Summary 100

    Chapter 5 Attack Libraries 101

    Properties of Attack Libraries 101

    CAPEC 104

    OWASP Top Ten 108

    Summary 108

    Chapter 6 Privacy Tools 111

    Solove's Taxonomy of Privacy 112

    Privacy Considerations for Internet Protocols 114

    Privacy Impact Assessments (PIA) 114

    The Nymity Slider and the Privacy Ratchet 115

    Contextual Integrity 117

    LINDDUN 120

    Summary 121

    Part III Managing and Addressing Threats 123

    Chapter 7 Processing and Managing Threats 125

    Starting the Threat Modeling Project 126

    Digging Deeper into Mitigations 130

    Tracking with Tables and Lists 133

    Scenario-Specific Elements of Threat Modeling 138

    Summary 143

    Chapter 8 Defensive Tactics and Technologies 145

    Tactics and Technologies for Mitigating Threats 145

    Addressing Threats with Patterns 159

    Mitigating Privacy Threats 160

    Summary 164

    Chapter 9 Trade-Offs When Addressing Threats 167

    Classic Strategies for Risk Management 168

    Selecting Mitigations for Risk Management 170

    Threat-Specific Prioritization Approaches 178

    Mitigation via Risk Acceptance 184

    Arms Races in Mitigation Strategies 185

    Summary 186

    Chapter 10 Validating That Threats Are Addressed 189

    Testing Threat Mitigations 190

    Checking Code You Acquire 192

    QA'ing Threat Modeling 195

    Process Aspects of Addressing Threats 197

    Tables and Lists 198

    Summary 202

    Chapter 11 Threat Modeling Tools 203

    Generally Useful Tools 204

    Open-Source Tools 206

    Commercial Tools 208

    Tools That Don't Exist Yet 213

    Summary 213

    Part IV Threat Modeling in Technologies and Tricky Areas 215

    Chapter 12 Requirements Cookbook 217

    Why a "Cookbook"? 218

    The Interplay of Requirements, Threats, and Mitigations 219

    Business Requirements 220

    Prevent/Detect/Respond as a Frame for Requirements 221

    People/Process/Technology as a Frame for Requirements 227

    Development Requirements vs. Acquisition Requirements 228

    Compliance-Driven Requirements 229

    Privacy Requirements 231

    The STRIDE Requirements 234

    Non-Requirements 240

    Summary 242

    Chapter 13 Web and Cloud Threats 243

    Web Threats 243

    Cloud Tenant Threats 246

    Cloud Provider Threats 249

    Mobile Threats 250

    Summary 251

    Chapter 14 Accounts and Identity 253

    Account Life Cycles 254

    Authentication 259

    Account Recovery 271

    Names, IDs, and SSNs 282

    Summary 290

    Chapter 15 Human Factors and Usability 293

    Models of People 294

    Models of Software Scenarios 304

    Threat Elicitation Techniques 311

    Tools and Techniques for Addressing Human Factors 316

    User Interface Tools and Techniques 322

    Testing for Human Factors 327

    Perspective on Usability and Ceremonies 329

    Summary 331

    Chapter 16 Threats to Cryptosystems 333

    Cryptographic Primitives 334

    Classic Threat Actors 341

    Attacks against Cryptosystems 342

    Building with Crypto 346

    Things to Remember about Crypto 348

    Secret Systems: Kerckhoffs and His Principles 349

    Summary 351

    Part V Taking It to the Next Level 353

    Chapter 17 Bringing Threat Modeling to Your Organization 355

    How To Introduce Threat Modeling 356

    Who Does What? 359

    Threat Modeling within a Development Life Cycle 367

    Overcoming Objections to Threat Modeling 379

    Summary 383

    Chapter 18 Experimental Approaches 385

    Looking in the Seams 386

    Operational Threat Models 387

    The "Broad Street" Taxonomy 392

    Adversarial Machine Learning 398

    Threat Modeling a Business 399

    Threats to Threat Modeling Approaches 400

    How to Experiment 404

    Summary 405

    Chapter 19 Architecting for Success 407

    Understanding Flow 407

    Knowing the Participants 413

    Boundary Objects 414

    The Best Is the Enemy of the Good 415

    Closing Perspectives 416

    Summary 419

    Now Threat Model 420

    Appendix A Helpful Tools 421

    Common Answers to "What's Your Threat Model?" 421

    Appendix B Threat Trees 429

    STRIDE Threat Trees 430

    Other Threat Trees 470

    Appendix C Attacker Lists 477

    Attacker Lists 478

    Appendix D Elevation of Privilege: The Cards 501

    Spoofing 501

    Tampering 503

    Repudiation 504

    Information Disclosure 506

    Denial of Service 507

    Elevation of Privilege (EoP) 508

    Appendix E Case Studies 511

    The Acme Database 512

    Acme's Operational Network 519

    Phones and One-Time Token Authenticators 525

    Sample for You to Model 528

    Glossary 533

    Bibliography 543

    Index 567