The Security Development Lifecycle (SDL) Explained

The Security Development Lifecycle (SDL) is a software development process that helps developers build more secure software and meet security compliance requirements while lowering development cost. Secure applications begin with secure design: a large share of software security problems are introduced by insecure design. Drawing on years of experience, Microsoft distilled the Security Development Lifecycle (SDL) and proposed methods such as attack surface reduction and STRIDE threat modeling to help security staff design software securely. The importance of secure design to software security is plain to see.

## What is the Security Development Lifecycle (SDL)?

### Introduction to SDL

The Security Development Lifecycle (SDL) is a software development process that helps developers build more secure software and meet security compliance requirements while lowering development cost. Since 2004, Microsoft has made SDL a company-wide initiative and mandatory policy. The core idea of SDL is to integrate security considerations into every phase of software development: requirements analysis, design, coding, testing and maintenance. Corresponding security activities are added to each phase, from requirements and design through product release, to reduce the number of vulnerabilities in software and keep security defects to a minimum. The SDL is a security assurance process focused on software development, intended to produce secure software applications.

### SDL security activities

Simply put, SDL is a management model proposed by Microsoft for guiding the software development process from a security perspective. It adds necessary security activities to each phase of the traditional software development lifecycle (SDLC). The security activities differ by development phase, and each activity contributes to software security even when performed on its own; conversely, omitting a particular security activity affects the security of the software.

![Microsoft SDL security activities overview](https://static001.infoq.cn/resource/image/68/a0/688197a77a0c9fd0d12dfc074ce807a0.png)

Microsoft SDL security activities overview

I once had the opportunity to attend training on SDL and threat modeling given by Microsoft security experts Michael Howard and Taha Mir. Michael Howard, author of *The Security Development Lifecycle*, stressed more than once that security training is the most central concept of SDL: software is designed by designers and code is written by developers, and likewise most of the security vulnerabilities in software are introduced by its designers and coders, so security training for the technical staff involved in development is essential.

As the diagram shows, besides security training, the SDL lifecycle also adds security incident response activities after release. Most companies in China today already have incident response activities and functions in place, and security activities such as secure coding standards, code audit and penetration testing are also largely established, and fairly mature at some enterprises. Security activities in the software design phase, however, are relatively scarce; as far as I know only a few large multinationals have secure design activities. Yet according to Microsoft's years of practice and experience, a large share of software security problems are introduced by insecure design, and security defects introduced at the design stage are comparatively costly and time-consuming to fix later. Taha Mir, one of the founders of STRIDE threat modeling, has said that "safer applications begin with secure design". Accordingly, Microsoft's SDL sets out several core secure design principles and offers methods such as attack surface reduction and STRIDE threat modeling to help security staff design software securely. This article discusses secure design, the design-phase security activity that domestic enterprises currently lack most.

## Core secure design principles

The core principles of SDL secure design:

- Attack Surface Reduction
- Basic Privacy
- Least Privilege
- Secure Defaults
- Defense in Depth
- Threat Modeling

### Attack surface reduction

The attack surface is every part of a program that can be reached by users or by other programs; these exposed points are also where malicious attackers are most likely to strike.

Attack surface reduction means minimizing the number of attack surfaces a malicious user could discover and attempt to exploit. A software product's attack surface is a composite: not only code, interfaces and services, but also the protocols through which it serves all users, especially protocols reachable by unauthenticated or remote users. To reduce the attack surface, security staff first analyze it; attack surface analysis is the process of enumerating all access points, interfaces, protocols and executable code. At a high level, attack surface analysis focuses on:

- Reducing the amount of code executed by default
- Restricting the range of people who can reach the code
- Restricting the identities of those who can reach the code
- Reducing the privileges required to execute the code

Common attack surface analysis techniques are shown in the table below:

![Common attack surface analysis techniques](https://static001.infoq.cn/resource/image/95/b0/95c8d4dfd93600470ae5b07513707bb0.jpg)

Common attack surface analysis techniques

An example of attack surface reduction in practice at Microsoft:

![Attack surface reduction example from Microsoft practice](https://static001.infoq.cn/resource/image/df/08/df975e71071f06f5280577df67e4a908.jpg)

Attack surface reduction example from Microsoft practice

### Basic privacy

When users use software, the collection, use and even distribution of their personal information is unavoidable. Enterprises have a responsibility and an obligation to establish safeguards for personal information, resist hostile attacks and ensure the security of users' basic privacy. Privacy is a key factor in building trustworthy applications.

The necessity and significance of considering users' basic privacy during software design include:

- Fulfilling legal requirements and obligations
- Increasing customer trust
- Preventing deployments from being blocked

For special-purpose software or global products, designers need to define the software's behaviour and target audience clearly, and in particular consider local laws and regulations, such as the US Children's Online Privacy Protection Act (COPPA). Enterprises developing products and services need to set clear privacy guidelines, with explicit requirements and guidance for products that collect or record users' private data.

Tips:

- Collect only the private data the program must use, inform users explicitly and obtain their consent;
- At Microsoft, users' private data such as passwords and passphrases must be stored in protected form: the minimum requirement is SHA-256 with a salt, and for higher requirements the PBKDF2 algorithm is used.
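The following is an added example, not code from the original article or from Microsoft, showing the two storage levels the tip names side by side: salted SHA-256 as the minimum bar and PBKDF2-HMAC-SHA256 as the stronger option, plus a constant-time verifier that re-hashes a legacy record under current policy on a successful login. The record format, the iteration count and the demo password are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Stored-record format used by this example (an assumption, not Microsoft's format):
#   "<algorithm>$<iterations>$<salt-base64>$<digest-base64>"
SALT_BYTES = 16
PBKDF2_ITERATIONS = 600_000   # policy value assumed for the example


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password_sha256_salt(password: str, salt: Optional[bytes] = None) -> str:
    """The minimum bar named in the text: one SHA-256 over a random salt and the password."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return f"sha256$1${_b64(salt)}${_b64(digest)}"


def hash_password_pbkdf2(password: str, salt: Optional[bytes] = None,
                         iterations: int = PBKDF2_ITERATIONS) -> str:
    """The stronger option: PBKDF2-HMAC-SHA256 with a per-user salt and a work factor."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest the way the record says it was made; compare in constant time."""
    try:
        algo, iterations_str, salt_b64, digest_b64 = record.split("$")
        iterations = int(iterations_str)
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    except ValueError:
        return False   # malformed record: never accept
    if algo == "sha256":
        actual = hashlib.sha256(salt + password.encode("utf-8")).digest()
    elif algo == "pbkdf2_sha256":
        actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    else:
        return False   # unknown algorithm
    return hmac.compare_digest(actual, expected)


def needs_upgrade(record: str) -> bool:
    """True when the record is below current policy (legacy algorithm or too few iterations)."""
    algo, iterations = record.split("$")[:2]
    return algo != "pbkdf2_sha256" or int(iterations) < PBKDF2_ITERATIONS


def login_and_upgrade(password: str, record: str) -> Tuple[bool, str]:
    """Verify a login; on success, re-hash under current policy if the stored record is weaker.
    Returns (accepted, record_to_store)."""
    if not verify_password(password, record):
        return False, record
    if needs_upgrade(record):
        return True, hash_password_pbkdf2(password)
    return True, record


if __name__ == "__main__":
    legacy = hash_password_sha256_salt("Tr0ub4dor&3")        # constructed demo password
    accepted, stored = login_and_upgrade("Tr0ub4dor&3", legacy)
    print(accepted, stored.split("$")[0], "needs upgrade:", needs_upgrade(stored))
```

The upgrade-on-login path is what lets a fleet move from the minimum bar to PBKDF2 without a forced password reset: the plaintext is only available at login time, so that is the only moment the stronger record can be produced.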
### Least privilege

If an application or website is attacked or compromised, a least-privilege mechanism effectively minimizes the potential damage. Common least-privilege practices include:

- Role management, such as ordinary administrator versus system administrator
- Access control, such as read-only file permissions and file access permissions
- Running processes and services with the minimum user privileges they need

During software design, security designers can assess the minimum privileges and access level required by the application's behaviour and functions, and assign privileges accordingly. If a program must have higher privileges in specific situations, a mechanism for granting and then releasing privileges can be considered. Even if the program is attacked, losses are kept to a minimum.

Tips:

- In Windows, network processes, local services and user processes run with low, mutually independent privileges (NETWORK SERVICE, LOCAL SERVICE and user privileges respectively); only core critical processes use SYSTEM privileges;
- Recent versions of Office open documents from untrusted sources as non-editable by default, with code execution also disabled by default, so even if a buffer overflow vulnerability exists, shellcode or other malicious code will not run.

### Secure defaults

Secure default configuration not only helps customers build up experience with security configuration before they are familiar with the options, it also ensures the application starts out in a relatively secure state. Customers can then decide, based on actual usage, whether to lower the application's security and privacy level.

Tips:

- In Windows operating systems since Windows 7, DEP (Data Execution Prevention) is enabled by default; users can change the DEP setting;
- Windows 10 enables the Windows Defender security software by default; users can choose to turn it off.

### Defense in depth

Like secure defaults, defense in depth is an important guiding principle when designing security solutions. It has two meanings: first, implement security measures at different layers and in different aspects so that nothing is missed, and make the different measures work together as a whole; second, do the right thing in the right place, that is, apply the targeted security measure where it solves the root problem.

Defense in depth does not mean doing the same security measure two or more times; it means building an overall solution for the system from different layers and angles.

Tips:

- For XSS protection, besides filtering special characters in user input, distinguish whether the content is rich text and encode it accordingly; filter on input and also filter on output;
- Even with thorough filtering, encoding and other protections, to further mitigate XSS a web site can set the HttpOnly attribute on cookies, so that even if an XSS attack occurs, scripts are blocked from accessing the cookie.

### Threat modeling

Threat modeling is a process and method for analyzing the threats to an application. A threat here is something a malicious user might try to exploit to compromise the system, which is not the same as a vulnerability in the usual sense: a vulnerability is a specific, exploitable threat, such as a buffer overflow or SQL injection.

As a security activity in the SDL design phase, threat modeling lets security designers identify potential security problems as early as possible and implement corresponding mitigations. Finding potential threats at the design stage helps resolve them comprehensively and effectively, and also lowers development and later maintenance cost. The general threat modeling process is:

- Communicate with system architects and designers to understand the design details
- Use a mature threat modeling method to analyze potential security problems in the current design
- Propose security recommendations and mitigations for the potential threats
- Validate the secure design, review the entire design and reconfirm it

The threat modeling method Microsoft uses is STRIDE. To let security staff model threats quickly and conveniently, Microsoft developed the SDL Threat Modeling Tool [2](http://blog.nsfocus.net/sdl/#_ftn2), based on STRIDE, which helps security staff draw data flow diagrams, analyze threats, and generate and export threat modeling reports.

## The STRIDE threat modeling method

### Introduction to STRIDE

STRIDE is a threat modeling method proposed by Microsoft. It classifies threats as Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege; the initials of these six threat types form the acronym STRIDE. The STRIDE threat model covers almost all of today's security problems, and the method comes with a detailed process and methodology.

### Threat modeling process

The general STRIDE threat modeling process is:

- Draw the data flow diagram
- Identify threats
- Propose mitigations
- Security validation

![STRIDE threat modeling process](https://static001.infoq.cn/resource/image/f8/7b/f87af4719f763yy4b2aee2172dee407b.jpg)

STRIDE threat modeling process

#### Data flow diagram

Data Flow Diagrams contain External Entities, Processes, Data Flows and Data Stores. After communicating with the system architects and designers to understand the design details and drawing the data flow diagram, security staff also need to mark the Trust Boundaries. The data flow diagram for a simple web application looks like this:

![Example data flow diagram and element types](https://static001.infoq.cn/resource/image/4f/23/4f5b018bb0336aac93f2ff589cbbaa23.png)

Example data flow diagram and element types

#### Identifying threats

The STRIDE method defines which threats apply to each data flow diagram element: external entities are subject only to Spoofing (S) and Repudiation (R); data flows only to Tampering (T), Information Disclosure (I) and Denial of Service (D); processes to all six (STRIDE); data stores to Tampering (T), Information Disclosure (I) and Denial of Service (D), plus Repudiation (R) if the store holds logs. Threats can be identified against the following table:

![Threats applicable to each data flow diagram element](https://static001.infoq.cn/resource/image/a0/43/a04943f974248900020880be8bfdd343.jpg)

Threats applicable to each data flow diagram element
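As an added example (not code from the article or from Microsoft's tool), the per-element rule above can be turned into a small threat enumerator: describe the DFD as elements with a type and trust zone, and the function lists the STRIDE threats each element is subject to, with the log-store exception handled. The web-application DFD below is constructed for the example since the article's figure is not reproduced here; its element names and trust zones are assumptions. Flagging flows that cross a trust boundary is a prioritization aid added here, not part of the table.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Threat(Enum):
    S = "Spoofing"
    T = "Tampering"
    R = "Repudiation"
    I = "Information Disclosure"
    D = "Denial of Service"
    E = "Elevation of Privilege"


# Which STRIDE threats apply to each DFD element type, as stated in the article.
# A data store that holds logs additionally gets Repudiation (see applicable_threats).
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TID",
}


@dataclass
class Element:
    name: str
    kind: str                      # external_entity | process | data_flow | data_store
    boundary: str = "server"       # trust zone the element sits in (unused for flows)
    is_log: bool = False           # data stores only: does this store hold logs?
    src: Optional[str] = None      # data flows only: source element name
    dst: Optional[str] = None      # data flows only: destination element name


def applicable_threats(elem: Element) -> List[Threat]:
    letters = APPLICABLE[elem.kind]
    if elem.kind == "data_store" and elem.is_log:
        letters += "R"             # log stores can be the target of repudiation
    return [Threat[c] for c in letters]


def enumerate_threats(elements: List[Element]) -> Dict[str, List[str]]:
    """Return {element name: [threat names]} for every element in the DFD."""
    return {e.name: [t.value for t in applicable_threats(e)] for e in elements}


def crosses_trust_boundary(flow: Element, by_name: Dict[str, Element]) -> bool:
    """A flow crosses a boundary when its endpoints sit in different trust zones."""
    return by_name[flow.src].boundary != by_name[flow.dst].boundary


def boundary_crossing_flows(elements: List[Element]) -> List[str]:
    by_name = {e.name: e for e in elements}
    return [e.name for e in elements
            if e.kind == "data_flow" and crosses_trust_boundary(e, by_name)]


# Constructed DFD for a simple web application (assumed names and trust zones).
WEB_APP_DFD = [
    Element("Browser user", "external_entity", boundary="internet"),
    Element("Web application", "process"),
    Element("Accounts DB", "data_store"),
    Element("Audit log", "data_store", is_log=True),
    Element("HTTP request", "data_flow", src="Browser user", dst="Web application"),
    Element("SQL query", "data_flow", src="Web application", dst="Accounts DB"),
    Element("Log write", "data_flow", src="Web application", dst="Audit log"),
]

if __name__ == "__main__":
    for name, threats in enumerate_threats(WEB_APP_DFD).items():
        print(f"{name}: {', '.join(threats)}")
    print("Flows crossing a trust boundary:", boundary_crossing_flows(WEB_APP_DFD))
```

Running it on the constructed DFD yields 24 candidate threats; each one then needs either a mitigation or a documented reason it does not apply, which is the work the next two steps of the process cover.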
#### Mitigations

Mitigations differ according to the data flow diagram element and the threat. Take the spoofing threat against the external entity "user" in this article's example diagram: simply put, the mitigation is to authenticate the user's identity. For a web application, mitigating spoofing requires not only a strong authentication mechanism but also preventing malicious attackers from bypassing authentication by brute force, password guessing and similar methods. If I were to propose mitigations for this user spoofing threat, they would be:

- Authenticate user access with account and password, certificates or similar credentials;
- During account and password authentication, after three wrong passwords add a CAPTCHA; authentication proceeds only once a correct CAPTCHA has been entered;
- If authentication still fails after 5 attempts, block login for that account for 30 minutes;
- Passwords must contain digits, letters and special characters and be at least 8 characters long; if business security requires it, add password expiry and remind users to change their password every 6 months.

When proposing mitigations, one must sometimes consider not only security but also the software's usability; different threats and different application scenarios call for different mitigations, so that application security improves while users still get a good interaction experience.

Microsoft provides standard mitigations for common threats and, in implementation, has integrated the common mitigation schemes into independent solutions or code modules that similar applications can use directly.

![](https://static001.infoq.cn/resource/image/b8/6a/b8c60c2f76c4df7fa22e7b744bdb356a.jpg)
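The four mitigations proposed above for the user spoofing threat can be expressed as one login-guard policy. The code below is an added example, not from the article or any Microsoft module: it wraps an injected credential check with the CAPTCHA-after-3, lock-for-30-minutes-after-5 and password-age rules, and checks the password complexity rule. The clock is injected so the 30-minute and 6-month windows can be exercised without waiting; "6 months" is approximated as 180 days, and the demo credential is constructed.

```python
import string
from dataclasses import dataclass
from typing import Callable, Dict

CAPTCHA_AFTER = 3                   # wrong passwords before a CAPTCHA is required
LOCKOUT_AFTER = 5                   # wrong passwords before the account is locked
LOCKOUT_SECONDS = 30 * 60           # 30-minute lockout
MIN_PASSWORD_LENGTH = 8
PASSWORD_MAX_AGE = 180 * 24 * 3600  # "6 months" approximated as 180 days (assumption)


def password_meets_policy(password: str) -> bool:
    """Digits, letters and at least one special character, 8 or more characters."""
    return (len(password) >= MIN_PASSWORD_LENGTH
            and any(c.isdigit() for c in password)
            and any(c.isalpha() for c in password)
            and any(c in string.punctuation for c in password))


@dataclass
class AccountState:
    failures: int = 0           # consecutive wrong passwords since the last success
    locked_until: float = 0.0   # epoch seconds; 0 means not locked
    password_set_at: float = 0.0


class LoginGuard:
    """Applies the throttling mitigations around an existing credential check."""

    def __init__(self, verify: Callable[[str, str], bool], now: Callable[[], float],
                 password_set_at: Dict[str, float]):
        self._verify = verify
        self._now = now
        self._states = {u: AccountState(password_set_at=t) for u, t in password_set_at.items()}

    def _state(self, user: str) -> AccountState:
        if user not in self._states:
            # Unknown accounts get a state too, so probing them is throttled the same way.
            self._states[user] = AccountState(password_set_at=self._now())
        return self._states[user]

    def attempt(self, user: str, password: str, captcha_ok: bool = False) -> str:
        now = self._now()
        st = self._state(user)
        if now < st.locked_until:
            return "locked"
        if st.failures >= CAPTCHA_AFTER and not captcha_ok:
            # Credentials are not checked at all until a correct CAPTCHA is supplied.
            return "captcha_required"
        if not self._verify(user, password):
            st.failures += 1
            if st.failures >= LOCKOUT_AFTER:
                st.locked_until = now + LOCKOUT_SECONDS
                return "locked"
            return "bad_credentials"
        st.failures = 0             # success clears the counter
        if now - st.password_set_at > PASSWORD_MAX_AGE:
            return "password_expired"
        return "ok"


if __name__ == "__main__":
    clock = [1_700_000_000.0]                       # injectable clock for the demo
    users = {"alice": "C0rrect!pw"}                 # constructed demo credential
    guard = LoginGuard(verify=lambda u, p: users.get(u) == p,
                       now=lambda: clock[0], password_set_at={"alice": clock[0]})
    for guess in ("x", "y", "z"):
        print(guard.attempt("alice", guess))        # bad_credentials x3
    print(guard.attempt("alice", "C0rrect!pw"))     # captcha_required
    print(guard.attempt("alice", "C0rrect!pw", captcha_ok=True))  # ok
```

The order of the checks matters: the lockout test comes first so a locked account leaks nothing about the password, and the CAPTCHA gate sits before the credential check so that guesses without a solved CAPTCHA do not even reach the verifier. In a real deployment the `verify` callable would check a salted PBKDF2 record rather than a plaintext dictionary.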
#### Security validation

After threat modeling is complete, the whole process needs to be reviewed: confirm not only that the mitigations truly mitigate the potential threats, but also that the data flow diagram matches the design, that the code implementation matches the intended design, and that every threat has a corresponding mitigation. Finally, archive the threat modeling report as a reference for threat modeling during later iterative and incremental development.

## Summary

The core idea of SDL is to integrate security considerations into every phase of software development: requirements analysis, design, coding, testing and maintenance. Corresponding security activities are added to each phase, from requirements and design through product release, to reduce the number of vulnerabilities in software and keep security defects to a minimum. This article has focused on the guiding principles of design-phase security activities and on STRIDE threat modeling, but the security activities in SDL's other phases are equally important to software security. The secure design principles presented here are guiding ideas only; security designers also need a certain amount of offensive and defensive security knowledge and experience to design secure solutions and applications well. In my experience, the security problems encountered in real secure design work differ across software and application scenarios. As the Internet era develops, we are no longer in a pure software age: new forms of applications such as communication equipment, mobile apps, smart hardware, cloud and big data each face their own particular security problems, and security designers have more to consider, but the core principles of secure design remain much the same. Given limited space and the author's limited experience, readers are welcome to contact the author to discuss anything in this article that seems inappropriate.

(**This article is reprinted from the NSFOCUS technical blog**; original at [http://blog.nsfocus.net/sdl/](http://blog.nsfocus.net/sdl/))