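Archive

Posts tagged 'Security Development Lifecycle'

pysonar, a static code analysis tool for Python

October 30, 2013 No comments

As Python grows in popularity, it is being used more and more widely, and a good static code analysis tool can help Python developers improve the quality of their Python code.

Wang Yin developed a tool called pysonar; interested Python developers can try it out. Fortify also has a module for Python.

For details on pysonar, see https://github.com/yinwang0/pysonar2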

 

Password protected: Requirements and ideas for static code analysis products

September 1, 2012 Enter your password to view comments.


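Microsoft's attack surface analysis tool, thumbs up

August 7, 2012 No comments

Want to understand your application's attack surface? Microsoft today released Attack Surface Analyzer 1.0, which includes performance improvements over the beta, bug fixes, and reference documentation. Download it now! http://www.microsoft.com/en-us/download/details.aspx?id=24487

Triage, the exploitable for Linux

April 26, 2012 No comments

Microsoft's !exploitable is very handy, and a Linux counterpart is now out, at http://www.cert.org/vuls/discovery/triage.html

Hopefully an exploitable for Apple will come out soon.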

Threat Risk Modeling

August 17, 2011 No comments

When you start a web application design, it is essential to apply threat risk modeling; otherwise you will squander resources, time, and money on useless controls that fail to focus on the real risks.

The method used to assess risk is not nearly as important as actually performing a structured threat risk modeling. Microsoft notes that the single most important factor in their security improvement program was the corporate adoption of threat risk modeling.

Read more…

High-Level Threat Modelling Process

August 17, 2011 No comments

The following is a (slightly modified) version of a document I wrote for the VSTO team way back in the day. You might find it useful as you plan threat modelling for your product(s). You should of course read the Threat Modelling book from Microsoft Press if you want to go into great details about how to do a good job of threat modelling, but this might be enough to get you started on a plan.

Read more…

Guerrilla Threat Modelling

August 17, 2011 No comments

 I’m not talking about writing a threat model for a large, furry ape (although that would be fun); I’m talking about writing quick-and-dirty threat models when you don’t have time to do the real thing. If you want to do threat modelling properly, I highly recommend you read Frank and Window’s “Threat Modeling” [sic] book from Microsoft Press; but if you just need to get one done, you might not have the time or inclination for that.

Read more…

Create a good threat model in 10 simple steps

August 16, 2011 No comments

 How can I get a great and secure product without killing myself? This is not just a question for how-to diet magazines; it’s a legitimate business problem. I teach the ACE Threat Modeling class (First Wednesday of every month!), and that is the question I hear most often.

Read more…

Threat Modeling Express

August 16, 2011 No comments

This is a streamlined version of TM; nice.

Read more…

Introduction to Security Threat Modeling

August 16, 2011 No comments

Security threat modeling, or threat modeling, is a process of assessing and documenting a system's security risks. Security threat modeling enables you to understand a system's threat profile by examining it through the eyes of your potential foes. With techniques such as entry point identification, privilege boundaries and threat trees, you can identify strategies to mitigate potential threats to your system. Your security threat modeling efforts also enable your team to justify security features within a system, or security practices for using the system, to protect your corporate assets.

Read more…