
CISSP Study Materials
debugeeker
Formerly at Huawei, SenseTime, and Tencent. Personal WeChat public account: debugeeker
CISSP Exam Guide Notes: 8.15 Quick Tips
Security should be addressed in each phase of system development. It should not be addressed only at the end of development because of the added cost, time, and effort and the lack of functionality. The attack surface is the collection of possible e… (Original, 2021-04-16 22:59:28)
CISSP Exam Guide Notes: 8.14 Assessing the Security of Acquired Software
In many cases, our approach to mitigating the risks of acquired software will begin with an assessment of the vendor. A key element in assessing the security of acquired software is, rather obviously, its performance on an internal assessment. (Original, 2021-04-16 22:58:11)
CISSP Exam Guide Notes: 8.13 Malicious Software
Adhering to the usual rules of not opening an e-mail attachment or clicking on a link that comes from an unknown source is one of the best ways to combat malicious code. Viruses: A virus is a small application, or string of code, that infects software. Th… (Original, 2021-04-16 22:56:22)
CISSP Exam Guide Notes: 8.12 Database Management
Database Management Software: A database is a collection of data stored in a meaningful way that enables multiple users and applications to access, view, and modify that data as needed. A database management system (DBMS) is a suite of programs used to ma… (Original, 2021-04-16 22:53:58)
CISSP Exam Guide Notes: 8.11 Web Security
Specific Threats for Web Environments / Administrative Interfaces: Using a web-based administrative interface is, in most opinions, a bad idea. A bad habit that's found even in high-security environments is hard-coding authentication credentials into the l… (Original, 2021-04-16 22:52:39)
CISSP Exam Guide Notes: 8.10 Mobile Code
Code that can be transmitted across a network, to be executed by a system or device on the other end, is called mobile code. Java Applets: Java is an object-oriented, platform-independent programming language. It is employed as a full-fledged programming … (Original, 2021-04-16 22:51:12)
CISSP Exam Guide Notes: 8.9 Distributed Computing
A distributed object computing model needs to register the client and server components, which means to find out where they live on the network, what their names or IDs are, and what type of functionality the different components carry out. Distributed Com… (Original, 2021-03-30 00:19:32)
CISSP Exam Guide Notes: 8.8 Programming Languages and Concepts
Machine language is in a format that the computer's processor can understand and work with directly. An assembly language is considered a low-level programming language and is the symbolic representation of machine-level instructions. Third-generation pr… (Original, 2021-03-30 00:18:45)
CISSP Exam Guide Notes: 8.7 Secure Coding
Secure coding is the process of developing software that is free from defects, particularly those that could be exploited by an adversary to cause us harm or loss. Source Code Vulnerabilities: The Open Web Application Security Project (OWASP) is an organi… (Original, 2021-03-30 00:19:52)
CISSP Exam Guide Notes: 8.6 Security of Development Environments
There are three major elements we should stress when it comes to security of development environments: the development platforms, the code repositories, and the software configurations. Security of Development Platforms: The first step in ensuring the sec… (Original, 2021-03-30 00:16:43)
CISSP Exam Guide Notes: 8.5 Change Control
Change management is a systematic approach to deliberately regulating the changing nature of projects, including software development projects. Change Control: Change control is the process of controlling the specific changes that take place during the li… (Original, 2021-03-30 00:15:18)
CISSP Exam Guide Notes: 8.4 Capability Maturity Model
Capability Maturity Model Integration (CMMI) is a comprehensive, integrated set of guidelines for developing products and software. CMMI describes procedures, principles, and practices that underlie software development process maturity. The five maturit… (Original, 2021-03-30 00:15:51)
CISSP Exam Guide Notes: 8.3 Software Development Models
Waterfall Methodology: The Waterfall methodology uses a linear-sequential life-cycle approach. Each phase must be completed in its entirety before the next phase can begin. At the end of each phase, a review takes place to make sure the project is on the co… (Original, 2021-03-30 00:13:29)
CISSP Exam Guide Notes: 8.2 Software Development Life Cycle
Several software development life cycle (SDLC) models have been developed over the years; the crux of each model deals with the following phases: requirements gathering, design, development, testing, operations and maintenance. Pr… (Original, 2021-03-30 00:12:40)
CISSP Exam Guide Notes: 8.1 Building Good Code
Quality can be defined as fitness for purpose. Code reviews and interface testing are key elements in ensuring software quality. Software controls come in various flavors and have many different goals. They can control input, encryption, logic process… (Original, 2021-03-30 00:11:53)
CISSP Exam Guide Notes: 7.14 Quick Tips
Facilities that house systems that process sensitive information should have physical access controls to limit access to authorized personnel only. Clipping levels should be implemented to establish a baseline of user activity and acceptable errors… (Original, 2021-03-17 00:28:12)
CISSP Exam Guide Notes: 7.13 Personnel Safety Concerns
The single most valuable asset for an organization, and the one that involves the highest moral and ethical standards, is its people. Emergency Management: A common tool for ensuring the safety of personnel during emergencies is the occupant emergency pla… (Original, 2021-03-14 16:21:41)
CISSP Exam Guide Notes: 7.12 Implementing Disaster Recovery
Recovering from a disaster begins well before the event occurs. It starts by anticipating threats and developing goals that support the business's continuity of operations. A goal must contain certain key information, such as the following: Responsibili… (Original, 2021-03-14 16:20:53)
CISSP Exam Guide Notes: 7.11 Insurance
The BCP team should work with management to understand what the current coverage is, the various insurance options, and the limits of each option. The goal here is to make sure the insurance coverage fills in the gap of what the current preventive counterm… (Original, 2021-03-12 23:40:47)
CISSP Exam Guide Notes: 7.10 Liability and Its Ramifications
In the context of security, due care means that a company did all it could have reasonably done, under the circumstances, to prevent security breaches, and also took reasonable steps to ensure that if a security breach did take place, proper controls or co… (Original, 2021-03-12 00:24:12)
CISSP Exam Guide Notes: 7.9 Disaster Recovery
The recovery time objective (RTO) is the maximum time period within which a business process must be restored to a designated service level after a disaster to avoid unacceptable consequences associated with a break in business continuity. The work recove… (Original, 2021-03-12 00:23:27)
CISSP Exam Guide Notes: 7.8 Investigations
When a potential computer crime takes place, it is critical that the investigation steps are carried out properly to ensure that the evidence will be admissible in court if things go that far, and that it can stand up under cross-examination and scr… (Original, 2021-03-12 00:22:38)
CISSP Exam Guide Notes: 7.7 Incident Management Process
There are many incident management models, but all share some basic characteristics. They all require that we identify the event, analyze it to determine the appropriate counteractions, correct the problem(s), and, finally, keep the event from happening ag… (Original, 2021-03-12 00:21:58)
CISSP Exam Guide Notes: 7.6 Prevention and Detection
The steps of this generalized process are described here: understand the risk; use the right controls; use the controls correctly; manage your configuration; assess your operation. Continuous Monitoring: NIST Special Publication 80… (Original, 2021-03-07 23:13:35)
CISSP Exam Guide Notes: 7.5 Network and Resource Availability
Another key component of security operations is planning for and dealing with the inevitable failures of the component parts of our information systems. The network needs to be properly maintained to make sure the network and its resources will always be… (Original, 2021-03-07 01:08:50)
CISSP Exam Guide Notes: 7.4 Secure Resource Provisioning
Provisioning is the set of all activities required to provide one or more new information services to a user or group of users. At the heart of provisioning is the imperative to provide these services in a secure manner. Asset Inventory: The most essenti… (Original, 2021-03-06 00:09:54)
CISSP Exam Guide Notes: 7.3 Physical Security
As with any other defensive technique, physical security should be implemented using a layered approach. It is also important to have a diversity of controls. This defense model should work in two main modes: one mode during normal facility operations and… (Original, 2021-03-06 00:07:52)
CISSP Exam Guide Notes: 7.2 Administrative Management
Administrative management is a very important piece of operational security. One aspect of administrative management is dealing with personnel issues. This includes separation of duties and job rotation. The objective of separation of duties is to ensure t… (Original, 2021-03-06 00:06:50)
CISSP Exam Guide Notes: 7.1 The Role of the Operations Department
The continual effort to make sure the correct policies, procedures, standards, and guidelines are in place and being followed is an important piece of the due care and due diligence efforts that companies need to perform. Security operations is all abou… (Original, 2021-03-06 00:06:04)
CISSP Exam Guide Notes: 6.6 Quick Tips
An audit is a systematic assessment of the security controls of an information system. Setting a clear set of goals is probably the most important step of planning a security audit. Internal audits benefit from the auditors' familiarity with th… (Original, 2021-03-06 00:05:23)
CISSP Exam Guide Notes: 6.5 Management Review
A management review is a formal meeting of senior organizational leaders to determine whether the management systems are effectively accomplishing their goals. While management reviews have been around for a very long time, the modern use of the term is p… (Original, 2021-03-06 00:04:34)
CISSP Exam Guide Notes: 6.4 Reporting
Analyzing Results: Only after analyzing the results can you provide insights and recommendations that will be valuable to senior decision-makers. First you gather all your data, organize it, and study it carefully. The second step in your analysis is to… (Original, 2021-03-06 00:03:19)
CISSP Exam Guide Notes: 6.3 Auditing Administrative Controls
Account Management: A preferred technique of attackers is to become "normal" privileged users of the systems they compromise as soon as possible. They can accomplish this in at least three ways: compromise an existing privileged account, create a new privi… (Original, 2021-03-06 00:02:25)
CISSP Exam Guide Notes: 6.2 Auditing Technical Controls
A technical control is a security control implemented through the use of an IT asset. Vulnerability Testing: Vulnerability testing requires staff and/or consultants with a deep security background and the highest level of trustworthiness. The goals of th… (Original, 2021-03-06 00:01:15)
CISSP Exam Guide Notes: 6.1 Assessment, Test, and Audit Strategies
A test is a procedure that records some set of properties or behaviors in a system being tested and compares them against predetermined standards. An assessment is a series of planned tests that are somehow related to each other. An audit is a systematic… (Original, 2021-03-06 00:00:17)
CISSP Exam Guide Notes: 5.12 Quick Tips
Access is a flow of information between a subject and an object. A subject is an active entity that requests access to an object, which is a passive entity. A subject can be a user, program, or process. Some security mechanisms that provid… (Original, 2021-03-05 23:53:05)
CISSP Exam Guide Notes: 5.11 Attacks on Access Control
Dictionary Attack: A crack program hashes the dictionary words and compares the resulting message digest with the system password file, which also stores its passwords in a one-way hashed format. If the hashed values match, it means a password has just been un… (Original, 2021-02-23 16:04:29)
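The dictionary attack described above, as an added example that is not part of the original notes or the exam guide: a constructed password file in a hypothetical `user:salt$sha256hex` format is built from known plaintexts (simulating what a system would store), then cracked by hashing each wordlist entry with the entry's salt and comparing digests. The wordlist, the usernames, the salts and the file format are all assumptions made for the example.

```python
import hashlib
import hmac

# Constructed stand-in for a real dictionary file (a few common passwords).
WORDLIST = ["123456", "password", "letmein", "password1", "qwerty", "dragon"]


def hash_password(salt, password):
    """One-way hash as the hypothetical system stores it: sha256(salt || password), hex."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_password_file(credentials):
    """Build constructed 'user:salt$hash' lines from {user: (salt, plaintext)}.

    This only exists to produce sample input; an attacker would instead read the
    real (hashed) password file.
    """
    return [f"{user}:{salt}${hash_password(salt, pw)}"
            for user, (salt, pw) in credentials.items()]


def parse_line(line):
    """Split one 'user:salt$hash' line into its three fields."""
    user, rest = line.strip().split(":", 1)
    salt, digest = rest.split("$", 1)
    return user, salt, digest


def dictionary_attack(password_file_lines, wordlist):
    """Hash every candidate word with each entry's salt and compare against the
    stored digest; return {user: recovered_password} for every match."""
    cracked = {}
    for line in password_file_lines:
        user, salt, digest = parse_line(line)
        for word in wordlist:
            # Constant-time compare is not needed offline, but it is the idiomatic
            # way to compare digests and costs nothing here.
            if hmac.compare_digest(hash_password(salt, word), digest):
                cracked[user] = word
                break  # first hit is the password; move to the next user
    return cracked


# Constructed sample file: two weak passwords from the wordlist, one strong one.
SAMPLE_FILE = make_password_file({
    "alice": ("x9Qr", "password1"),
    "bob":   ("k2Lm", "letmein"),
    "carol": ("p7Ww", "T!rn4-dr1ft-Quasar"),  # not in the wordlist: survives the attack
})

if __name__ == "__main__":
    for user, pw in dictionary_attack(SAMPLE_FILE, WORDLIST).items():
        print(f"{user}: {pw}")
```

The per-user salt is what forces the attacker to rehash the whole wordlist for every account; with an unsalted file, one pass over the wordlist produces digests that can be compared against every user at once. A slow, memory-hard password hash (bcrypt, scrypt, Argon2) rather than a bare SHA-256 is the corresponding defender-side control, since it makes each of those candidate hashes expensive.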
CISSP Exam Guide Notes: 5.10 Access Control Monitoring
Intrusion Detection Systems: Intrusion detection systems (IDSs) are different from traditional firewall products because they are designed to detect a security breach. Intrusion detection is the process of detecting an unauthorized use of, or attack upon,… (Original, 2021-02-23 16:03:40)
CISSP Exam Guide Notes: 5.9 Access Control Practices
The following is a list of tasks that must be done on a regular basis to ensure security stays at a satisfactory level: deny access to systems to undefined users or anonymous accounts; limit and monitor the usage of administrator and other powerful… (Original, 2021-02-23 16:02:39)
CISSP Exam Guide Notes: 5.8 Controlling Physical and Logical Access
Access Control Layers: Administrative controls: policy and procedures, personnel controls, supervisory structure, security-awareness training, testing. Physical controls: network segregation, perimeter security, computer cont… (Original, 2021-02-23 16:01:47)