01. Related Terms
Author: mour
Collaborator: Lost Maniac
SDL
SDL is a set of process methods that helps developers build more secure software and resolve security issues during software development, while also lowering development cost.
The Security Development Lifecycle (SDL) is a software development process that helps developers build more secure software and address security compliance requirements while reducing development cost.
ROI
Return on investment (ROI) is the ratio between the net profit produced by an investment of resources and the cost of that investment. A high ROI means the investment's gains compare favourably with its cost. As a performance measure, ROI is used to evaluate the efficiency of an investment or to compare the efficiency of several different investments. From a purely economic standpoint, it is one way of relating profit to capital invested. Return on investment is a performance metric that businesses use to determine the efficiency of an investment or of a number of different investments.
ATT&CK
ATT&CK is short for Adversarial Tactics, Techniques & Common Knowledge, a body of knowledge on adversary tactics, techniques and common attack and defense know-how maintained by MITRE.
MITRE's Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary's lifecycle and the platforms they are known to target. ATT&CK is useful for understanding security risk against known adversary behavior, for planning security improvements, and verifying defenses work as expected.
STRIDE
STRIDE is the classic threat modeling method proposed by Microsoft; each letter stands for one threat category:
* S: Spoofing
* T: Tampering
* R: Repudiation
* I: Information Disclosure
* D: Denial of Service
* E: Elevation of Privilege
STIX
STIX is short for "A structured language for cyber threat intelligence"; the current version of the standard is 2.0, and it is used mainly to exchange and share cyber threat intelligence.
Structured Threat Information Expression (STIX™) is a language and serialization format used to exchange cyber threat intelligence (CTI).
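As an added illustration of what "a serialization format for exchanging CTI" looks like in practice (example code written for this page, not part of the original or of any STIX project), the snippet below builds a small STIX 2.0 bundle containing an indicator, a malware object and the relationship that links them, then runs a few consistency checks a receiving tool would want before ingesting it. The required-property table is a subset of the STIX 2.0 spec chosen for this example, and the domain and malware name are constructed sample values.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Required properties per object type, on top of the common type/id/created/modified.
# Assumption: a subset of the STIX 2.0 spec, enough for the sample bundle below.
REQUIRED = {
    "indicator": ("labels", "pattern", "valid_from"),
    "malware": ("labels", "name"),
    "relationship": ("relationship_type", "source_ref", "target_ref"),
}
ID_RE = re.compile(r"^[a-z][a-z0-9-]+--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")

def stix_id(obj_type):
    """STIX identifiers are '<type>--<UUIDv4>'."""
    return f"{obj_type}--{uuid.uuid4()}"

def now():
    """STIX timestamps are UTC, RFC 3339 style, with a trailing 'Z'."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")

def make_bundle(objects):
    return {"type": "bundle", "id": stix_id("bundle"), "spec_version": "2.0", "objects": objects}

def validate_bundle(bundle):
    """Return a list of problems found; an empty list means the bundle passed these checks."""
    problems = []
    if bundle.get("type") != "bundle" or bundle.get("spec_version") != "2.0":
        problems.append("bundle must have type 'bundle' and spec_version '2.0'")
    objects = bundle.get("objects", [])
    ids = {o.get("id") for o in objects}
    for obj in objects:
        t, oid = obj.get("type", "?"), obj.get("id", "")
        if not ID_RE.match(oid) or not oid.startswith(t + "--"):
            problems.append(f"{t}: malformed id {oid!r}")
        for prop in ("created", "modified") + REQUIRED.get(t, ()):
            if prop not in obj:
                problems.append(f"{oid}: missing required property '{prop}'")
        if t == "relationship":  # refs must resolve inside the bundle, or the consumer cannot link them
            for ref in ("source_ref", "target_ref"):
                if obj.get(ref) not in ids:
                    problems.append(f"{oid}: dangling {ref} {obj.get(ref)!r}")
    return problems

def roundtrip(bundle):
    """Serialize to JSON and parse back, as an exchange partner would receive it."""
    return json.loads(json.dumps(bundle))

# Constructed sample: an indicator (reserved example.com domain) that indicates a malware family.
MALWARE = {"type": "malware", "id": stix_id("malware"), "created": now(), "modified": now(),
           "name": "ExampleLoader", "labels": ["downloader"]}
INDICATOR = {"type": "indicator", "id": stix_id("indicator"), "created": now(), "modified": now(),
             "labels": ["malicious-activity"], "valid_from": now(),
             "pattern": "[domain-name:value = 'c2.example.com']"}
LINK = {"type": "relationship", "id": stix_id("relationship"), "created": now(), "modified": now(),
        "relationship_type": "indicates", "source_ref": INDICATOR["id"], "target_ref": MALWARE["id"]}
GOOD_BUNDLE = make_bundle([MALWARE, INDICATOR, LINK])
```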