Getting started with the Threat Modeling Tool

The Microsoft Threat Modeling Tool 2018 was released as GA in September 2018 as a free click-to-download. The change in delivery mechanism allows us to push the latest improvements and bug fixes to customers each time they open the tool, making it easier to maintain and use. This article takes you through the process of getting started with the Microsoft SDL threat modeling approach and shows you how to use the tool to develop great threat models as a backbone of your security process.

This article builds on existing knowledge of the SDL threat modeling approach. For a quick review, refer to Threat Modeling Web Applications.

To quickly summarize, the approach involves creating a diagram, identifying threats, mitigating them and validating each mitigation. Here's a diagram that highlights this process:

[Image: SDL process]

Starting the threat modeling process

When you launch the Threat Modeling Tool, you'll notice a few things, as seen in the picture:

[Image: Blank start page]

Threat model section

Component: Details

Feedback, Suggestions and Issues Button: Takes you to the MSDN Forum for all things SDL. It gives you an opportunity to read through what other users are doing, along with workarounds and recommendations. If you still can't find what you're looking for, email tmtextsupport@microsoft.com for our support team to help you.

Create a Model: Opens a blank canvas for you to draw your diagram. Make sure to select which template you'd like to use for your model.

Template for New Models: You must select which template to use before creating a model. Our main template is the Azure Threat Model Template, which contains Azure-specific stencils, threats and mitigations. For generic models, select the SDL TM Knowledge Base from the drop-down menu. Want to create your own template or submit a new one for all users? Check out our Template Repository GitHub Page to learn more.

Open a Model: Opens previously saved threat models. The Recently Opened Models feature is great if you need to open your most recent files. When you hover over the selection, you'll find two ways to open models:

  • Open From this Computer: the classic way of opening a file using local storage
  • Open from OneDrive: teams can use folders in OneDrive to save and share all their threat models in a single location to help increase productivity and collaboration

Getting Started Guide: Opens the Microsoft Threat Modeling Tool main page.

Template section

Component: Details

Create New Template: Opens a blank template for you to build on. Unless you have extensive knowledge in building templates from scratch, we recommend that you build from existing ones.

Open Template: Opens existing templates for you to make changes to.

The Threat Modeling Tool team is constantly working to improve tool functionality and experience. A few minor changes might take place over the course of the year, but all major changes require rewrites in the guide. Refer to it often to ensure you get the latest announcements.

Building a model

In this section, we follow:

  • Cristina (a developer)
  • Ricardo (a program manager) and
  • Ashish (a tester)

They are going through the process of developing their first threat model.

Ricardo: Hi Cristina, I worked on the threat model diagram and wanted to make sure we got the details right. Can you help me look it over? Cristina: Absolutely. Let's take a look. Ricardo opens the tool and shares his screen with Cristina.

[Image: Basic threat model]

Cristina: Ok, looks straightforward, but can you walk me through it? Ricardo: Sure! Here is the breakdown:

  • Our human user is drawn as an outside entity (a square)
  • They're sending commands to our Web server (the circle)
  • The Web server is consulting a database (two parallel lines)

What Ricardo just showed Cristina is a DFD, short for Data Flow Diagram. The Threat Modeling Tool allows users to specify trust boundaries, indicated by the red dotted lines, to show where different entities are in control. For example, IT administrators require an Active Directory system for authentication purposes, so the Active Directory is outside of their control.

Cristina: Looks right to me. What about the threats? Ricardo: Let me show you.

Analyzing threats

Once he clicks on the analysis view from the icon menu selection (a file with a magnifying glass), he is taken to a list of generated threats that the Threat Modeling Tool found based on the default template, which uses the SDL approach called STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege. The idea is that software comes under a predictable set of threats, which can be found using these six categories.

This approach is like securing your house by ensuring each door and window has a locking mechanism in place before adding an alarm system or chasing after the thief.

[Image: Basic threats]

Ricardo begins by selecting the first item on the list. Here's what happens:

First, the interaction between the two stencils is highlighted

[Image: Interaction]

Second, additional information about the threat appears in the Threat Properties window

[Image: Interaction information]

The generated threat helps him understand potential design flaws. The STRIDE categorization gives him an idea of potential attack vectors, while the additional description tells him exactly what's wrong, along with potential ways to mitigate it. He can use editable fields to write notes in the justification details or change priority ratings depending on his organization's bug bar.

Azure templates have additional details to help users understand not only what's wrong, but also how to fix it, by adding descriptions, examples and hyperlinks to Azure-specific documentation.

The description made him realize the importance of adding an authentication mechanism to prevent users from being spoofed, revealing the first threat to be worked on. A few minutes into the discussion with Cristina, they understood the importance of implementing access control and roles. Ricardo filled in some quick notes to make sure these were implemented.

As Ricardo went into the threats under Information Disclosure, he realized the access control plan required some read-only accounts for audit and report generation. He wondered whether this should be a new threat, but the mitigations were the same, so he noted the threat accordingly. He also thought about information disclosure a bit more and realized that the backup tapes were going to need encryption, a job for the operations team.

Threats that do not apply to the design because of existing mitigations or security guarantees can be changed to Not Applicable from the Status drop-down. There are three other choices: Not Started (the default selection), Needs Investigation (used to follow up on items) and Mitigated (once it's fully worked on).
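As an added illustration of the two mechanics described above (the STRIDE-based threat generation from the Analyzing threats section and the Status drop-down values listed here), the following Python script, which is not code from the Threat Modeling Tool or its templates, builds the article's user -> web server -> database diagram, generates one threat per interaction and element from a simplified STRIDE-per-element chart, and tracks each threat's status towards sign-off. The element/category chart, the "crosses a trust boundary means high priority" rule and the requirement for a justification when closing a threat are assumptions made for this example, not the tool's actual rules.

```python
"""Simplified STRIDE-per-element threat generation over a data flow diagram.

Added example; it does not reproduce the Threat Modeling Tool's rule engine
or its template (.tb7) format.
"""
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Kind(Enum):
    EXTERNAL = "External Interactor"
    PROCESS = "Process"
    STORE = "Data Store"
    FLOW = "Data Flow"


# Classic SDL "STRIDE-per-element" chart: which of the six categories apply to
# each DFD element type. Assumption: a simplification of the richer,
# context-aware rules in the Azure and SDL TM Knowledge Base templates.
STRIDE_PER_ELEMENT = {
    Kind.EXTERNAL: "SR",
    Kind.PROCESS: "STRIDE",
    Kind.STORE: "TRID",
    Kind.FLOW: "TID",
}
CATEGORY = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service",
    "E": "Elevation of Privilege",
}
# The four values of the tool's Status drop-down.
STATUSES = ("Not Started", "Needs Investigation", "Mitigated", "Not Applicable")


@dataclass(frozen=True)
class Element:
    name: str
    kind: Kind
    boundary: str          # trust boundary the element is drawn inside


@dataclass(frozen=True)
class Flow:
    name: str
    source: Element
    target: Element


@dataclass
class Threat:
    category: str
    element: str
    interaction: str
    crosses_boundary: bool
    priority: str
    status: str = "Not Started"
    justification: str = ""


def build_sample_model():
    """Constructed DFD matching the article's diagram: user -> web server -> database."""
    user = Element("Human User", Kind.EXTERNAL, "Internet")
    web = Element("Web Server", Kind.PROCESS, "Corporate Network")
    db = Element("Database", Kind.STORE, "Corporate Network")
    return [Flow("HTTP commands", user, web), Flow("SQL queries", web, db)]


def generate_threats(flows):
    """Enumerate one threat per (interaction, element, applicable STRIDE category)."""
    threats = []
    for f in flows:
        crosses = f.source.boundary != f.target.boundary
        interaction = f"{f.source.name} -> {f.target.name} ({f.name})"
        priority = "High" if crosses else "Medium"   # assumption: simple triage rule
        flow_elem = Element(f.name, Kind.FLOW, f.source.boundary)
        for elem in (f.source, f.target, flow_elem):
            for letter in STRIDE_PER_ELEMENT[elem.kind]:
                threats.append(Threat(CATEGORY[letter], elem.name, interaction, crosses, priority))
    return threats


def set_status(threat, status, justification=""):
    """Mirror the Status drop-down; require a note when closing out a threat."""
    if status not in STATUSES:
        raise ValueError(f"unknown status {status!r}; expected one of {STATUSES}")
    if status in ("Mitigated", "Not Applicable") and not justification.strip():
        # Assumption: a team review rule for the sign-off report, not enforced by the tool.
        raise ValueError(f"{status} needs a justification")
    threat.status = status
    threat.justification = justification
    return threat


def summarize(threats):
    """Counts per status: the totals a full report would show."""
    return dict(Counter(t.status for t in threats))


def ready_for_signoff(threats):
    """Second-meeting check: every threat is either Mitigated or Not Applicable."""
    return all(t.status in ("Mitigated", "Not Applicable") for t in threats)


if __name__ == "__main__":
    threats = generate_threats(build_sample_model())
    spoof = next(t for t in threats if t.category == "Spoofing" and t.element == "Human User")
    set_status(spoof, "Mitigated", "Authentication added; roles and access control planned")
    for t in threats:
        flag = "*" if t.crosses_boundary else " "
        print(f"{flag} [{t.priority:6}] {t.category:24} {t.element:14} {t.status:18} {t.interaction}")
    print(summarize(threats), "ready for sign-off:", ready_for_signoff(threats))
```

Running the script lists 24 threats for the two interactions; the 11 on the user-to-web-server flow are marked with `*` because that flow crosses the trust boundary, which is exactly the spoofing question Ricardo hit first. Threats for the same element recur on every interaction it takes part in, as they do in the tool's list, so the read-only-account case from the Information Disclosure discussion would simply be noted on the existing threat rather than added as a new one.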

Reports & sharing

Once Ricardo goes through the list with Cristina and adds important notes, mitigations/justifications, priority and status changes, he selects Reports -> Create Full Report -> Save Report, which prints out a full report for him to go through with colleagues to ensure the proper security work is implemented.

[Image: Interaction information]

If Ricardo wants to share the file instead, he can easily do so by saving it in his organization's OneDrive account. Once he does that, he can copy the document link and share it with his colleagues.

Threat modeling meetings

When Ricardo sent his threat model to his colleagues using OneDrive, Ashish, the tester, was underwhelmed. It seemed like Ricardo and Cristina had missed quite a few important corner cases, which could be easily compromised. His skepticism is a complement to threat models.

In this scenario, after Ashish took over the threat model, he called for two threat modeling meetings: one meeting to synchronize on the process and walk through the diagrams, and then a second meeting for threat review and sign-off.

In the first meeting, Ashish spent 10 minutes walking everyone through the SDL threat modeling process. He then pulled up the threat model diagram and started explaining it in detail. Within five minutes, an important missing component had been identified.

A few minutes later, Ashish and Ricardo got into an extended discussion of how the Web server was built. It was not the ideal way for a meeting to proceed, but everyone eventually agreed that discovering the discrepancy early was going to save them time in the future.

In the second meeting, the team walked through the threats, discussed some ways to address them, and signed off on the threat model. They checked the document into source control and continued with development.

Thinking about assets

Some readers who have threat modeled before may notice that we haven't talked about assets at all. We've discovered that many software engineers understand their software better than they understand the concept of assets and which assets an attacker may be interested in.

If you're going to threat model a house, you might start by thinking about your family, irreplaceable photos or valuable artwork. Perhaps you might start by thinking about who might break in and the current security system. Or you might start by considering the physical features, like the pool or the front porch. These are analogous to thinking about assets, attackers, or software design. Any of these three approaches works.

The approach to threat modeling we've presented here is substantially simpler than what Microsoft has done in the past. We found that the software design approach works well for many teams. We hope that includes yours.

Next Steps

Send your questions, comments and concerns to tmtextsupport@microsoft.com. Download the Threat Modeling Tool to get started.