Sharks in the Moat

by Phil Martin


  hybrid microkernel architecture, 252

  hybrid model, 274

  hybrid rbac, 258

  hypervisor, 271

  i/o device, 156

  IaaS, 274, 276

  IATF, 317

  IDaaS, 275

  identity, 36

  identity as a service, 275

  identity management, 287

  IDM, 287

  IDS, 28, 125, 352

  ignorant user, 230

  ILM, 243, 320

  image, 272

  immediate containment, 133

  imperative security, 217

  impersonation, 155, 258

  inappropriate usage, 129

  incident management, 127

  incident response plan, 130, 326

  incident response team, 129

  incineration, 145

  independent verification and validation, 329

  inference attack, 149, 246

  informal reviews, 328

  information as a service, 276

  information assurance technical framework, 317

  information lifecycle management, 243, 320

  infrastructure as a service, 274

  initial program load, 115

  injection flaw, 182

  input validation, 70

  insecure direct object reference, 195

  insider, 230

  insider threat, 375

  instruction, 157

  instruction set, 251

  integrated authentication, 78

  integration platform as a service, 276

  integration testing, 299

  integrity, 25, 70, 371

  intellectual property, 347, 373

  intelligent fuzzing, 347

  internet of things, 121

  internet security association and key management protocol, 271

  interoperability testing, 297, 301

  interpreted language, 160

  interrupt, 251

  in-transit, 62

  intrusion detection system, 28, 125, 352

  intrusion prevention system, 29, 354

  in-use, 62

  invisible watermarking, 61

  IoT, 121

  IP, 347, 373

  ip security, 271

  IPaaS, 276

  IPL, 115

  IPS, 29, 354

  IPSec, 271

  IRP, 130, 326

  IRT, 129

  ISAKMP, 271

  iso 15408 common criteria, 121

  IV&V, 329

  jailbreaking, 285

  java runtime environment, 165

  java virtual machine, 162, 165

  javascript object notation, 267

  jit compiler, 165

  JRE, 165

  JSON, 267

  just-in-time compiler, 165

  JVM, 162, 165

  kernel mode, 251

  key, 64

  key length, 64

  key performance indicator, 384

  key risk indicator, 126

  known error, 135

  KPI, 384

  KRI, 126

  label, 241

  laboratory attack, 145

  layered defense, 89

  layered operating system, 252

  LDAP, 184, 288

  least common mechanism, 34, 96

  least privilege, 36, 87

  leveraging existing components, 42, 99

  lifo principle, 159

  lights out management, 264

  lightweight directory access protocol, 184, 288

  limited hierarchies, 257

  limited rbac, 258

  linker, 160

  linking, 160

  literalization, 187

  load balancing, 41

  load testing, 300

  locality of reference, 219

  logging, 28

  logic bomb, 227

  logic testing, 298

  LOM, 264

  longevity testing, 300

  low memory, 157

  low-interaction honeypot, 354

  MAC, 256

  machine cycle, 158

  machine language, 159

  malicious code, 128

  managed services, 371

  mandatory access control, 256

  man-in-the-middle, 284

  man-in-the-mobile, 285

  masking, 61

  master-slave, 76

  maximum tolerable downtime, 72, 362

  maximum tolerable outage, 72, 362

  MDM, 120

  melting, 145

  memory leak, 220

  merge, 293

  message passing channel, 101

  metadirectory, 288

  microarchitecture, 251

  microsoft installer, 113

  middleware, 291

  military-off-the-shelf, 352

  MILS, 121

  minimum security baseline, 114

  minimum-security baseline, 124

  MITM, 284

  MITMo, 285

  MLS, 256

  mobile code, 226

  mobile device management, 120

  mobile device privacy act, 245

  mode transitions, 252

  model, 260

  modifiable-off-the-shelf, 352

  monolithic architecture, 252

  MOTS, 352

  MSB, 114, 124

  MSI, 113

  MTD, 72, 362

  MTO, 72, 362

  multifactor authentication, 80

  multilevel security policies, 255

  multilevel security system, 256, 260

  multiple component incident, 129

  multiple independent levels of security, 121

  multi-tenant, 369

  mutation-based fuzzing, 347

  named users, 351

  narrowing conversion, 163

  national computer security center, 125

  national institute of standards and technology, 334

  national vulnerability database, 170

  native mobile app, 281

  natural language, 160

  NCSC, 125

  NDA, 349

  NDAC, 256

  near-shoring, 370

  network interface card, 197

  network scanner, 316

  network-based ids, 353

  neural network ids, 354

  NIC, 197

  NIDS, 353

  NIST, 334

  NIST SP 800-115, 345

  NIST SP 800-92, 305

  nonce, 194

  non-disclosure agreement, 349

  nondiscretionary access control, 256

  noninterference, 261

  non-rbac, 258

  non-repudiation, 33, 68, 85

  normal form, 151

  normalization, 151

  nt challenge/response authentication, 78

  ntlm authentication, 78

  number generator, 168

  NVD, 170

  obfuscation, 225

  object, 255

  object code, 160

  OCTAVE, 249

  ODRL, 368

  OEM, 352

  off-shoring, 370

  omission, 246

  one-time pad, 167

  one-time password, 79

  opcode, 157

  open design, 24, 94

  open digital rights language, 368

  open redirect, 196

  open source, 351

  open source security testing methodology manual, 250, 345

  open source vulnerability database, 171

  open web application security project, 102

  operand, 157

  operational readiness review, 392

  operationally critical threat asset and vulnerability evaluation, 249

  organized cybercriminals, 231

  original equipment manufacturer, 352

  ORR, 392

  os fingerprinting, 342

  OSSTMM, 250, 345

  OTP, 79

  outsourcing, 370

  override security action, 217

  overt secret writing, 61

  overt writing, 61

  overwriting, 246

  OWASP, 102

  owasp top 10 list, 171

  PaaS, 274

  packager, 113

  packer, 113

  pairwise trust model, 267

  parametric polymorphism, 221

  parity bit checking, 70

  passive fingerprinting, 342

  passive sniffer, 197

  passive synthetic transaction, 308

  patent, 348

  path traversal attack, 201

  PBKDF2, 147

  peer review, 227, 328

  pen testing, 345

  penetration testing, 345

  per cpu, 351

  per seat, 351

  per workstation, 351

  performance testing, 300

  persistent protection, 377

  personal financial information, 244

  personal health information, 244

  personal information protection and electronics document act, 245

  personally identifiable information, 244

  perturbation, 246

  pervasive communication, 119

  pervasive computation, 119

  pervasive computing, 119

  PFI, 244

  pharming, 145

  PHI, 244

  phishing, 145

  PII, 244

  PIPEDA, 245

  PKI, 270

  plan of action and milestones, 346

  platform as a service, 274

  PMO, 358

  POA&M, 346

  pointer, 219

  polyinstantiation, 149

  polymorphic malware, 316

  POST, 115, 206

  power analysis attack, 205

  power-on self-test, 115, 206

  predicate, 299

  pre-qualification assessment, 382

  preventative control, 49, 104

  primary domain, 290

  primary key, 152

  primary-secondary, 76

  primitive data types, 162

  principle of locality, 219

  principle of unnecessary complexity, 91

  PRISM, 368

  privacy scanning, 344

  privacy testing, 297, 302

  privacy-aware rbac, 258

  private cloud, 273

  problem management, 135

  program management office, 358

  program text, 158

  promiscuous mode, 197

  protocol, 101

  proxy server, 37

  proxy trust model, 267

  pseudo-insider threat, 375

  pseudorandom numbers, 168

  psychological acceptability, 40

  psychological acceptance, 97

  public cloud, 273

  public data, 61

  public key infrastructure, 270

  publishing requirements for industry standard metadata, 368

  pulverization, 145

  purging, 144

  QFE, 138

  QSA, 333

  qualified security assessor, 333

  quality assurance, 296

  quick fix engineering, 138

  RA, 67, 269

  race condition, 210

  radiation monitoring attack, 205

  rainbow table, 167

  RAM, 156

  random-access memory, 156

  randomization, 246

  ransom model, 391

  ransomware, 48

  rapid problem resolution, 136

  RASQ, 100

  RBAC, 257

  read-write data, 158

  reconnaissance, 345

  recoverability testing, 296

  recovery control, 50

  recovery point objective, 72, 362

  recovery time objective, 72, 362

  recursive fuzzing, 346

  red hat package manager, 113

  reference monitor, 255

  referred url, 216

  regenerative bug, 294

  RegEx, 186

  register, 156

  registration authority, 67, 269

  regression testing, 299

  regular expression, 186

  REL, 368

  relative attack surface quotient, 100

  release management, 359

  reliability testing, 296, 298

  reliable, 298

  remote file include, 201

  replacement, 246

  replacement fuzzing, 347

  replay attack, 197

  replication, 76

  representational state transfer, 267

  request for information, 385

  request for proposal, 385

  request for quote, 385

  request security action, 217

  requirements traceability matrix, 91, 322

  requirements-based, 383

  requirements-dependent, 383

  reserved check-out, 293

  resiliency attestation, 345

  resiliency testing, 296

  resilient software, 70

  resource locking, 71

  responsive web design, 281

  REST, 267

  reverse engineering, 226

  reversible code, 226

  reversing, 226

  RFI, 201, 385

  RFP, 385

  RFQ, 385

  RIA, 280

  rich internet application, 280

  rich internet mobile app, 281

  rights expression language, 368

  rings, 251

  role-based access control, 257

  root cause, 209

  root vector, 100

  RPM, 113

  RPO, 72, 362

  RPR, 136

  RTM, 91, 322

  RTO, 72, 362

  rule-based access control, 257

  runtime, 217

  S/MIME, 271

  SA, 271

  SaaS, 274, 369

  SAFE, 391

  salt, 167

  same origin policy, 280

  SAML, 79, 290

  sanitization, 143

  sanitizing, 187

  sarbanes-oxley act, 244

  SCADA, 122

  scalability, 76

  scalability testing, 301

  scanner, 291

  SCAP, 170, 392

  SCM, 369

  SCMP, 360

  script kiddie, 45, 230

  SCRM, 376

  scrypt, 147

  SDO, 72, 362

  se linux, 256

  secaas, 275

  second normal form, 152

  secondary domains, 290

  secret keys, 270

  secret writing, 61

  secure by default, 392

  secure by deployment, 392

  secure class library, 218

  secure configuration, 392

  secure multipurpose internet mail extensions, 271

  secure quality requirements engineering, 322

  secure shell, 271

  secure startup, 115

  security as a service, 275

  security assertion markup language, 290

  security assertions markup language, 79

  security association, 271

  security content automation protocol, 170, 392

  security incident, 128

  security kernel, 255

  security label, 256

  security models, 259

  security perimeter, 255

  security policy, 254

  security support provider interface, 286

  security test audit report, 250

  security testing, 340

  security through obscurity, 24

  semantic, 296

  sensitivity, 60, 242

  sensitivity labels, 256

  sensor network, 120

  separation of duties, 37, 88

  service delivery objective, 72, 362

  service level agreement, 74

  service pack, 138

  service-oriented architecture, 265

  session, 176, 257

  session fixation, 179

  session hijacking, 177, 197

  shared memory channel, 101

  shareware, 351

  short message service, 146

  shoulder surfing attack, 206

  shredding, 145

  shrink-wrapped, 306

  shrouded code, 226

  side channel, 283

  side channel attack, 122, 205

  sideloading, 285

  signature-based ids, 353

  simple object access protocol, 267

  simulation testing, 302

  single loss expectancy, 72, 361

  single point of failure, 76

  single responsibility, 33

  single responsibility principle, 168

  single-sign-on, 290

  six sigma, 248

  SLA, 74

  SLE, 72, 361

  slow death, 220

  smart card-based authentication, 79

  smart fuzzing, 347

  smishing, 146

  SMS, 146

  smsishing, 146

  SOA, 265

  SOAP, 267

  software as a service, 274, 369

  software assurance, 293

  software configuration management plan, 360

  software licensing agreement, 351

  software provenance, 370

  software supply chain, 369

  software-based guards, 256

  SOP, 280

  SoS, 392

  source code, 160

  source code analyzer, 291

  source code analyzers, 315

  SOX, 244

  spatial locality, 219

  spear phishing, 145

  Spoof, 76

  spoofback, 146

  spoofing, 305

  square, 322

  SSD, 257

  SSH, 271

  SSO, 290

  SSPI, 286

  stack, 158

  stack overflow, 212

  stackguard, 166

  STAR, 250

  state bill 1386, 245

  statement on standards for attestation engagements no. 16, 279

  static analysis, 357

  static binary code scanner, 315

  static byte code scanner, 315

  static code analysis, 291

  static linking, 160

  static separation of duty, 257

  statistical-based ids, 353

  steganography, 61

  stored procedure, 153

  stress testing, 300

  stripping, 187

  strongly typed, 220

  structured data, 59

  stub, 170

  subject, 255

  subject/object matrix, 321

  substitution, 187, 246

  sun-setting, 142

  supervisory control and data acquisition, 122

  supplier, 369

  supply chain attack, 375

  supply chain management, 369

  supply chain risk management, 376

  suppression, 246

  surf jacking, 197

  switchover, 76

  sybil attack, 120

  symbolic information, 226

  symmetric scheme, 66

  syntactic, 296

  syntax, 160

  synthetic transactions, 308

  syslog, 367

  system memory, 156

  system-of-systems, 392

  TAC, 143

  taint check, 202

  takedown, 146

  targets, 100

  TCB, 254

  TCO, 383

  TDE, 150

  tempest attack, 205

  temporal locality, 219

  tenant, 369

  termination access control, 143

  test case, 297
