In the past, when we built web applications, especially projects to be deployed on the Internet, we always had to consider security to some degree and analyze possible vulnerabilities to work out how to prevent attacks effectively. However, few companies or individuals treat this activity as part of project modeling. Usually a group of people simply comes up with an imperfect defense through discussion and analysis. Worse, many applications wait until deployment to fix the relevant vulnerabilities, which exhausts the developers and hurts the "talent".
Before application development begins, how can we notice as many system vulnerabilities as possible in the design and analysis phase? A relatively complete modeling system needs to be established. Yesterday, MSDN published a series of articles, "Threat Modeling Web Applications". This guide presents the patterns & practices method for creating a threat model for web applications. It describes threat modeling, the five main steps of threat modeling, and related concepts and resources.
Of course, even then it is still impossible to avoid attacks on an application completely. However, by studying these technical documents we can better identify security goals, identify the related threats, and determine the relevant vulnerabilities and countermeasures, so that the application design meets our security goals and the risk of security problems arising during development and operations is reduced. We can also draw many ideas about security modeling from them and develop safer web applications more effectively.
The links to the resources are collected below for easy reading.
· "Threat Modeling Web Applications"
· "Web Application Threat Model Overview"
· "How To: Create a Threat Model for a Web Application at Design Time"
· "Walkthrough: Creating a Threat Model for a Web Application"
· "Template: Web Application Threat Model"
· "Template Sample: Web Application Threat Model"
· "Cheat Sheet: Web Application Security Frame"
At the same time, I hope you can talk about how you have handled this kind of modeling in the past. Did a group of people come up with a defense scheme through discussion and analysis, or did you only remedy things after being attacked following deployment? Comments are welcome.