Sharks in the Moat
Page 62
hybrid microkernel architecture, 252
hybrid model, 274
hybrid rbac, 258
hypervisor, 271
i/o device, 156
IaaS, 274, 276
IATF, 317
IDaaS, 275
identity, 36
identity as a service, 275
identity management, 287
IDM, 287
IDS, 28, 125, 352
ignorant user, 230
ILM, 243, 320
image, 272
immediate containment, 133
imperative security, 217
impersonation, 155, 258
inappropriate usage, 129
incident management, 127
incident response plan, 130, 326
incident response team, 129
incineration, 145
independent verification and validation, 329
inference attack, 149, 246
informal reviews, 328
information as a service, 276
information assurance technical framework, 317
information lifecycle management, 243, 320
infrastructure as a service, 274
initial program load, 115
injection flaw, 182
input validation, 70
insecure direct object reference, 195
insider, 230
insider threat, 375
instruction, 157
instruction set, 251
integrated authentication, 78
integration platform as a service, 276
integration testing, 299
integrity, 25, 70, 371
intellectual property, 347, 373
intelligent fuzzing, 347
internet of things, 121
internet security association and key management protocol, 271
interoperability testing, 297, 301
interpreted language, 160
interrupt, 251
in-transit, 62
intrusion detection system, 28, 125, 352
intrusion prevention system, 29, 354
in-use, 62
invisible watermarking, 61
IoT, 121
IP, 347, 373
ip security, 271
IPaaS, 276
IPL, 115
IPS, 29, 354
IPSec, 271
IRP, 130, 326
IRT, 129
ISAKMP, 271
iso 15408 common criteria, 121
IV&V, 329
jailbreaking, 285
java runtime environment, 165
java virtual machine, 162, 165
javascript object notation, 267
jit compiler, 165
JRE, 165
JSON, 267
just-in-time compiler, 165
JVM, 162, 165
kernel mode, 251
key, 64
key length, 64
key performance indicator, 384
key risk indicator, 126
known error, 135
KPI, 384
KRI, 126
label, 241
laboratory attack, 145
layered defense, 89
layered operating system, 252
LDAP, 184, 288
least common mechanism, 34, 96
least privilege, 36, 87
leveraging existing components, 42, 99
lifo principle, 159
lights out management, 264
lightweight directory access protocol, 184, 288
limited hierarchies, 257
limited rbac, 258
linker, 160
linking, 160
literalization, 187
load balancing, 41
load testing, 300
locality of reference, 219
logging, 28
logic bomb, 227
logic testing, 298
LOM, 264
longevity testing, 300
low memory, 157
low-interaction honeypot, 354
MAC, 256
machine cycle, 158
machine language, 159
malicious code, 128
managed services, 371
mandatory access control, 256
man-in-the-middle, 284
man-in-the-mobile, 285
masking, 61
master-slave, 76
maximum tolerable downtime, 72, 362
maximum tolerable outage, 72, 362
MDM, 120
melting, 145
memory leak, 220
merge, 293
message passing channel, 101
metadirectory, 288
microarchitecture, 251
microsoft installer, 113
middleware, 291
military-off-the-shelf, 352
MILS, 121
minimum security baseline, 114
minimum-security baseline, 124
MITM, 284
MITMo, 285
MLS, 256
mobile code, 226
mobile device management, 120
mobile device privacy act, 245
mode transitions, 252
model, 260
modifiable-off-the-shelf, 352
monolithic architecture, 252
MOTS, 352
MSB, 114, 124
MSI, 113
MTD, 72, 362
MTO, 72, 362
multifactor authentication, 80
multilevel security policies, 255
multilevel security system, 256, 260
multiple component incident, 129
multiple independent levels of security, 121
multi-tenant, 369
mutation-based fuzzing, 347
named users, 351
narrowing conversion, 163
national computer security center, 125
national institute of standards and technology, 334
national vulnerability database, 170
native mobile app, 281
natural language, 160
NCSC, 125
NDA, 349
NDAC, 256
near-shoring, 370
network interface card, 197
network scanner, 316
network-based ids, 353
neural network ids, 354
NIC, 197
NIDS, 353
NIST, 334
NIST SP 800-115, 345
NIST SP 800-92, 305
nonce, 194
non-disclosure agreement, 349
nondiscretionary access control, 256
noninterference, 261
non-rbac, 258
non-repudiation, 33, 68, 85
normal form, 151
normalization, 151
nt challenge/response authentication, 78
ntlm authentication, 78
number generator, 168
NVD, 170
obfuscation, 225
object, 255
object code, 160
OCTAVE, 249
ODRL, 368
OEM, 352
off-shoring, 370
omission, 246
one-time pad, 167
one-time password, 79
opcode, 157
open design, 24, 94
open digital rights language, 368
open redirect, 196
open source, 351
open source security testing methodology manual, 250, 345
open source vulnerability database, 171
open web application security project, 102
operand, 157
operational readiness review, 392
operationally critical threat asset and vulnerability evaluation, 249
organized cybercriminals, 231
original equipment manufacturer, 352
ORR, 392
os fingerprinting, 342
OSSTMM, 250, 345
OTP, 79
outsourcing, 370
override security action, 217
overt secret writing, 61
overt writing, 61
overwriting, 246
OWASP, 102
owasp top 10 list, 171
PaaS, 274
packager, 113
packer, 113
pairwise trust model, 267
parametric polymorphism, 221
parity bit checking, 70
passive fingerprinting, 342
passive sniffer, 197
passive synthetic transaction, 308
patent, 348
path traversal attack, 201
PBKDF2, 147
peer review, 227, 328
pen testing, 345
penetration testing, 345
per cpu, 351
per seat, 351
per workstation, 351
performance testing, 300
persistent protection, 377
personal financial information, 244
personal health information, 244
personal information protection and electronics document act, 245
personally identifiable information, 244
perturbation, 246
pervasive communication, 119
pervasive computation, 119
pervasive computing, 119
PFI, 244
pharming, 145
PHI, 244
phishing, 145
PII, 244
PIPEDA, 245
PKI, 270
plan of action and milestones, 346
platform as a service, 274
PMO, 358
POA&M, 346
pointer, 219
polyinstantiation, 149
polymorphic malware, 316
POST, 115, 206
power analysis attack, 205
power-on self-test, 115, 206
predicate, 299
pre-qualification assessment, 382
preventative control, 49, 104
primary domain, 290
primary key, 152
primary-secondary, 76
primitive data types, 162
principle of locality, 219
principle of unnecessary complexity, 91
PRISM, 368
privacy scanning, 344
privacy testing, 297, 302
privacy-aware rbac, 258
private cloud, 273
problem management, 135
program management office, 358
program text, 158
promiscuous mode, 197
protocol, 101
proxy server, 37
proxy trust model, 267
pseudo-insider threat, 375
pseudorandom numbers, 168
psychological acceptability, 40
psychological acceptance, 97
public cloud, 273
public data, 61
public key infrastructure, 270
publishing requirements for industry standard metadata, 368
pulverization, 145
purging, 144
QFE, 138
QSA, 333
qualified security assessor, 333
quality assurance, 296
quick fix engineering, 138
RA, 67, 269
race condition, 210
radiation monitoring attack, 205
rainbow table, 167
RAM, 156
random-access memory, 156
randomization, 246
ransom model, 391
ransomware, 48
rapid problem resolution, 136
RASQ, 100
RBAC, 257
read-write data, 158
reconnaissance, 345
recoverability testing, 296
recovery control, 50
recovery point objective, 72, 362
recovery time objective, 72, 362
recursive fuzzing, 346
red hat package manager, 113
reference monitor, 255
referred url, 216
regenerative bug, 294
RegEx, 186
register, 156
registration authority, 67, 269
regression testing, 299
regular expression, 186
REL, 368
relative attack surface quotient, 100
release management, 359
reliability testing, 296, 298
reliable, 298
remote file include, 201
replacement, 246
replacement fuzzing, 347
replay attack, 197
replication, 76
representational state transfer, 267
request for information, 385
request for proposal, 385
request for quote, 385
request security action, 217
requirements traceability matrix, 91, 322
requirements-based, 383
requirements-dependent, 383
reserved check-out, 293
resiliency attestation, 345
resiliency testing, 296
resilient software, 70
resource locking, 71
responsive web design, 281
REST, 267
reverse engineering, 226
reversible code, 226
reversing, 226
RFI, 201, 385
RFP, 385
RFQ, 385
RIA, 280
rich internet application, 280
rich internet mobile app, 281
rights expression language, 368
rings, 251
role-based access control, 257
root cause, 209
root vector, 100
RPM, 113
RPO, 72, 362
RPR, 136
RTM, 91, 322
RTO, 72, 362
rule-based access control, 257
runtime, 217
S/MIME, 271
SA, 271
SaaS, 274, 369
SAFE, 391
salt, 167
same origin policy, 280
SAML, 79, 290
sanitization, 143
sanitizing, 187
sarbanes-oxley act, 244
SCADA, 122
scalability, 76
scalability testing, 301
scanner, 291
SCAP, 170, 392
SCM, 369
SCMP, 360
script kiddie, 45, 230
SCRM, 376
scrypt, 147
SDO, 72, 362
se linux, 256
secaas, 275
second normal form, 152
secondary domains, 290
secret keys, 270
secret writing, 61
secure by default, 392
secure by deployment, 392
secure class library, 218
secure configuration, 392
secure multipurpose internet mail extensions, 271
secure quality requirements engineering, 322
secure shell, 271
secure startup, 115
security as a service, 275
security assertion markup language, 290
security assertions markup language, 79
security association, 271
security content automation protocol, 170, 392
security incident, 128
security kernel, 255
security label, 256
security models, 259
security perimeter, 255
security policy, 254
security support provider interface, 286
security test audit report, 250
security testing, 340
security through obscurity, 24
semantic, 296
sensitivity, 60, 242
sensitivity labels, 256
sensor network, 120
separation of duties, 37, 88
service delivery objective, 72, 362
service level agreement, 74
service pack, 138
service-oriented architecture, 265
session, 176, 257
session fixation, 179
session hijacking, 177, 197
shared memory channel, 101
shareware, 351
short message service, 146
shoulder surfing attack, 206
shredding, 145
shrink-wrapped, 306
shrouded code, 226
side channel, 283
side channel attack, 122, 205
sideloading, 285
signature-based ids, 353
simple object access protocol, 267
simulation testing, 302
single loss expectancy, 72, 361
single point of failure, 76
single responsibility, 33
single responsibility principle, 168
single-sign-on, 290
six sigma, 248
SLA, 74
SLE, 72, 361
slow death, 220
smart card-based authentication, 79
smart fuzzing, 347
smishing, 146
SMS, 146
smsishing, 146
SOA, 265
SOAP, 267
software as a service, 274, 369
software assurance, 293
software configuration management plan, 360
software licensing agreement, 351
software provenance, 370
software supply chain, 369
software-based guards, 256
SOP, 280
SoS, 392
source code, 160
source code analyzer, 291
source code analyzers, 315
SOX, 244
spatial locality, 219
spear phishing, 145
Spoof, 76
spoofback, 146
spoofing, 305
square, 322
SSD, 257
SSH, 271
SSO, 290
SSPI, 286
stack, 158
stack overflow, 212
stackguard, 166
STAR, 250
state bill 1386, 245
statement on standards for attestation engagements no. 16, 279
static analysis, 357
static binary code scanner, 315
static byte code scanner, 315
static code analysis, 291
static linking, 160
static separation of duty, 257
statistical-based ids, 353
steganography, 61
stored procedure, 153
stress testing, 300
stripping, 187
strongly typed, 220
structured data, 59
stub, 170
subject, 255
subject/object matrix, 321
substitution, 187, 246
sun-setting, 142
supervisory control and data acquisition, 122
supplier, 369
supply chain attack, 375
supply chain management, 369
supply chain risk management, 376
suppression, 246
surf jacking, 197
switchover, 76
sybil attack, 120
symbolic information, 226
symmetric scheme, 66
syntactic, 296
syntax, 160
synthetic transactions, 308
syslog, 367
system memory, 156
system-of-systems, 392
TAC, 143
taint check, 202
takedown, 146
targets, 100
TCB, 254
TCO, 383
TDE, 150
tempest attack, 205
temporal locality, 219
tenant, 369
termination access control, 143
test case, 297