With decades of maturity and refinement, a lot has been learned, collected, and published about
threat modeling. So much, in fact, that the process has nearly become its own domain of
expertise, hence entire books dedicated to the subject. The main challenge with this established
domain is its ability to keep pace with changes in how modern applications and engineering
are being performed:
Processes, methodologies, and recommendations are optimized towards obtaining the
most comprehensive risk analysis and not necessarily cost-effective nor time-minimal
uses in fast-moving engineering teams (CI/CD)
Favoring of full/end-to-end system scope, which does not align with Agile, incremental,
and other limited-scope engineering practices
Total system ownership expectations that drastically increase modelling complexity when
reviewing serverless application designs
Desiring clearly delineated internal vs external boundaries that are significantly difficult to
represent when using cloud service providers (CSPs) and other PaaS/IaaS services; the
problem is compounded due to many CSPs having a publicly accessible management
plane and other nuances causing a porous perimeter
5
The remainder of this article is going to
look at how these challenges manifest
when attempting to threat model a web
application undergoing evolution from a
classic design to a modern CSP-centric
architecture.
“Note that a sufficiently robust
design review process cannot be
executed at CI/CD speed.”
Building Security In Maturity Model
9 (BSIMM9, AA1.2)
剩余24页未读,继续阅读
犬大犬小
- 粉丝: 64
- 资源: 2
我的内容管理
展开
最新资源
- AirKiss技术详解:无线传递信息与智能家居连接
- Hibernate主键生成策略详解
- 操作系统实验:位示图法管理磁盘空闲空间
- JSON详解:数据交换的主流格式
- Win7安装Ubuntu双系统详细指南
- FPGA内部结构与工作原理探索
- 信用评分模型解析:WOE、IV与ROC
- 使用LVS+Keepalived构建高可用负载均衡集群
- 微信小程序驱动餐饮与服装业创新转型:便捷管理与低成本优势
- 机器学习入门指南:从基础到进阶
- 解决Win7 IIS配置错误500.22与0x80070032
- SQL-DFS:优化HDFS小文件存储的解决方案
- Hadoop、Hbase、Spark环境部署与主机配置详解
- Kisso:加密会话Cookie实现的单点登录SSO
- OpenCV读取与拼接多幅图像教程
- QT实战:轻松生成与解析JSON数据
资源上传下载、课程学习等过程中有任何疑问或建议,欢迎提出宝贵意见哦~我们会及时处理!
点击此处反馈
