Writing Secure Code
Michael Howard, David LeBlanc
Language: English
Pages: 477
ISBN: 0735615888
Format: PDF / Kindle (mobi) / ePub
skills in-house, hire a security consulting company that offers quality, real-world training courses to upskill your employees. Important: There are two aspects to security training. The first is to teach people about security issues so that they can look over their current product and find and fix security bugs. However, the ultimate and by far the most important goal of security education is to teach people not to introduce security flaws into the product in the first place!
Chapter 4 Threat Modeling, page 87
Details about Amoroso’s book can be found in the bibliography of this book. The idea behind threat trees is that an application is composed of threat targets and that each target could have vulnerabilities that, when successfully attacked, could compromise the system. The threat tree describes the decision-making process an attacker would go through to compromise the component. When the decomposition process gives you an inventory of application components, you start identifying threats to each of those components. Once you identify a potential threat, you then determine how that threat could manifest itself by using threat trees. Threats, Vulnerabilities, Assets, Threat Targets, Attacks, and Motives A threat to a system is a potential event that will have an unwelcome consequence if it becomes an attack. A vulnerability is a weakness in a system, such as a coding bug or a design flaw. An attack
you to build a severity matrix that will help you prioritize how to deal with the issues you uncover. Path Analysis: Breaking a Camel’s Back with Many Straws You’ll frequently find that a number of seemingly small vulnerabilities can combine to become a very large problem. If you’re dealing with a complex system, you need to examine all of the paths from which you can arrive at a certain point in your data flow diagram. In engineering, a system is determined to be nonlinear if you can have
it or turning off its power) or using attack techniques to make it inaccessible (via DNS hijacking or flooding the computer).
[Figure 4-10: Threat tree for Threat #2, "Upload rogue Web page(s) and". Nodes shown: 2.1 Authentication is insecure (2.1.2 Administrative security error; the default is secure); 2.2 Authorization is insecure (2.2.1 Administrative security error; the default is secure); 2.3 Bribe authorized Web developer or admin (if this is true, we have bigger issues!); 2.4 Compromise]