Threat Modeling Gameplay with EoP: A reference manual for spotting threats in software architecture

Crawley, Brett, Shostack, Adam

  • 出版商: Packt Publishing
  • 出版日期: 2024-08-09
  • 售價: $1,840
  • 貴賓價: 9.5$1,748
  • 語言: 英文
  • 頁數: 256
  • 裝訂: Quality Paper - also called trade paper
  • ISBN: 1804618977
  • ISBN-13: 9781804618974
  • 相關分類: 軟體架構
  • 海外代購書籍(需單獨結帳)

相關主題

商品描述

Work with over 150 real-world examples of threat manifestation in software development and identify similar design flaws in your systems using the EoP game, along with actionable solutions

Key Features:

- Apply threat modeling principles effectively with step-by-step instructions and support material

- Explore practical strategies and solutions to address identified threats, and bolster the security of your software systems

- Develop the ability to recognize various types of threats and vulnerabilities within software systems

- Purchase of the print or Kindle book includes a free PDF eBook

Book Description:

Are you looking to navigate security risks, but want to make your learning experience fun? Here's a comprehensive guide that introduces the concept of play to protect, helping you discover the threats that could affect your software design via gameplay.

Each chapter in this book covers a suit in the Elevation of Privilege (EoP) card deck (a threat category), providing example threats, references, and suggested mitigations for each card. You'll explore the methodology for threat modeling-Spoofing, Tampering, Repudiation, Information Disclosure, and Elevation of Privilege (S.T.R.I.D.E.) with Privacy deck and the T.R.I.M. extension pack. T.R.I.M. is a framework for privacy that stands for Transfer, Retention/Removal, Inference, and Minimization. Throughout the book, you'll learn the meanings of these terms and how they should be applied. From spotting vulnerabilities to implementing practical solutions, the chapters provide actionable strategies for fortifying the security of software systems.

By the end of this book, you will be able to recognize threats, understand privacy regulations, access references for further exploration, and get familiarized with techniques to protect against these threats and minimize risks.

What You Will Learn:

- Understand the Elevation of Privilege card game mechanics

- Get to grips with the S.T.R.I.D.E. threat modeling methodology

- Explore the Privacy and T.R.I.M. extensions to the game

- Identify threat manifestations described in the games

- Implement robust security measures to defend against the identified threats

- Comprehend key points of privacy frameworks, such as GDPR to ensure compliance

Who this book is for:

This book serves as both a reference and support material for security professionals and privacy engineers, aiding in facilitation or participation in threat modeling sessions. It is also a valuable resource for software engineers, architects, and product managers, providing concrete examples of threats to enhance threat modeling and develop more secure software designs. Furthermore, it is suitable for students and engineers aspiring to pursue a career in application security. Familiarity with general IT concepts and business processes is expected.

Table of Contents

- Game Play

- Spoofing

- Tampering

- Repudiation

- Information Disclosure

- Denial of Service

- Elevation of Privilege

- Privacy

- Transfer

- Retention/Removal

- Inference

- Minimization

- Glossary

- Further Reading

商品描述(中文翻譯)

與超過150個真實案例的威脅表現進行合作,並使用EoP遊戲識別您系統中的類似設計缺陷,提供可行的解決方案。

主要特點:
- 透過逐步指導和支援材料有效應用威脅建模原則
- 探索實用策略和解決方案以應對已識別的威脅,並加強您的軟體系統安全性
- 培養識別軟體系統中各類威脅和漏洞的能力
- 購買印刷版或Kindle書籍可獲得免費PDF電子書

書籍描述:
您是否希望在應對安全風險的同時,讓學習過程變得有趣?這本綜合指南介紹了「遊戲保護」的概念,幫助您透過遊戲發現可能影響您軟體設計的威脅。

本書的每一章涵蓋了特權提升(EoP)卡組中的一種威脅類別,提供每張卡的示例威脅、參考資料和建議的緩解措施。您將探索威脅建模的方法論,包括偽裝、篡改、否認、資訊洩露和特權提升(S.T.R.I.D.E.),以及隱私卡組和T.R.I.M.擴展包。T.R.I.M.是一個隱私框架,代表轉移、保留/移除、推斷和最小化。在整本書中,您將學習這些術語的含義及其應用方式。從識別漏洞到實施實用解決方案,各章節提供了加強軟體系統安全的可行策略。

在本書結束時,您將能夠識別威脅、理解隱私法規、獲取進一步探索的參考資料,並熟悉保護這些威脅和最小化風險的技術。

您將學到的內容:
- 理解特權提升卡牌遊戲的機制
- 熟悉S.T.R.I.D.E.威脅建模方法論
- 探索遊戲的隱私和T.R.I.M.擴展
- 識別遊戲中描述的威脅表現
- 實施強健的安全措施以防禦已識別的威脅
- 理解隱私框架的關鍵要點,如GDPR,以確保合規性

本書適合對象:
本書作為安全專業人士和隱私工程師的參考和支援材料,幫助促進或參與威脅建模會議。它也是軟體工程師、架構師和產品經理的寶貴資源,提供具體的威脅示例以增強威脅建模並開發更安全的軟體設計。此外,它適合有志於從事應用安全的學生和工程師。預期讀者對一般IT概念和商業流程有一定的了解。

目錄:
- 遊戲玩法
- 偽裝
- 篡改
- 否認
- 資訊洩露
- 拒絕服務
- 特權提升
- 隱私
- 轉移
- 保留/移除
- 推斷
- 最小化
- 詞彙表
- 進一步閱讀