Authentication and Integrity
closed, the data in program can be object
Messages would then look like 244.2.13, 12.3.7, 41.42.1, ... The person reviewing the message would look at page 244, sentence 2, word 13, then page 12, sentence 3, word 7, then page 41, sentence 42, word 1, ...
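The page.sentence.word scheme above is a book cipher. As an added example, not part of the original notes, the Python below encodes and decodes against a constructed two-page "book"; the book text, the 1-indexed addressing and the sentence/word splitting rules are assumptions made for illustration. It also shows the scheme's practical limits: a word the book does not contain cannot be sent, and a word that occurs only once always maps to the same coordinate.

```python
import re

# Constructed sample "book": two short "pages" standing in for the shared book.
BOOK_PAGES = [
    "The quick brown fox jumps over the lazy dog. Meet at the old mill at dawn. Bring the key.",
    "Trust no one. The river runs north past the bridge. Leave the package under the stone.",
]


def parse_book(pages):
    """Split each page into sentences and each sentence into words.

    Assumption: sentences end at . ! or ? followed by whitespace, and a word
    is a run of letters/apostrophes (punctuation is dropped).
    """
    parsed = []
    for page in pages:
        sentences = [s for s in re.split(r"(?<=[.!?])\s+", page.strip()) if s]
        parsed.append([re.findall(r"[A-Za-z']+", s) for s in sentences])
    return parsed


def encode(message, pages):
    """Encode each word of `message` as page.sentence.word (all 1-indexed)."""
    book = parse_book(pages)
    index = {}  # lowercase word -> every coordinate where it occurs
    for p, sentences in enumerate(book, start=1):
        for s, words in enumerate(sentences, start=1):
            for w, word in enumerate(words, start=1):
                index.setdefault(word.lower(), []).append(f"{p}.{s}.{w}")
    out = []
    for i, word in enumerate(re.findall(r"[A-Za-z']+", message)):
        locations = index.get(word.lower())
        if not locations:
            # The central weakness of a book cipher: vocabulary is limited to the book.
            raise ValueError(f"word not in book: {word!r}")
        # Rotate through the available locations so a repeated word does not
        # always produce the same coordinate (which would leak word frequencies).
        out.append(locations[i % len(locations)])
    return " ".join(out)


def decode(ciphertext, pages):
    """Look each page.sentence.word coordinate up in the book."""
    book = parse_book(pages)
    words = []
    for token in ciphertext.split():
        p, s, w = (int(x) for x in token.split("."))
        words.append(book[p - 1][s - 1][w - 1].lower())
    return " ".join(words)
```

Note that "the" appears seven times in the sample book, so repeated uses of it are spread over different coordinates, while "bridge" appears once and is always 2.2.7; a real book gives the encoder more room, but rare words remain recognisable by their fixed coordinates.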
agreed-upon phrase
ciphertext; it should be as random (confusing) as possible.
(dispersed) in the ciphertext.
ICE, KASUMI, LOKI97, Lucifer, MARS, MAGENTA, MISTY1, RC5, TEA, Triple DES, Twofish, XTEA, ...
CBC-MAC, for instance, runs the message through a block cipher (such as DES or AES) in Cipher Block Chaining mode with a fixed IV and keeps only the final ciphertext block as the tag. It provides integrity and authenticity to the parties who share the key. Plain CBC-MAC is only secure for messages of one fixed length; for variable-length messages a variant such as CMAC should be used.
HMAC does not XOR the key with the plaintext. The sender pads the shared key to the block size of the hash, XORs it with a fixed inner pad constant and hashes that together with the message; the padded key is then XORed with a fixed outer pad constant and hashed together with the inner hash. The underlying hash gives the construction its name (HMAC-MD5, HMAC-SHA-1, HMAC-SHA-256). The receiver recomputes the HMAC over the received message with the same key and compares it with the received HMAC. If the two are identical, the message has not been modified and was produced by a holder of the shared key. The comparison should be constant-time so that an attacker cannot learn the tag byte by byte from timing differences.
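The construction just described, as an added example that is not part of the original notes: the Python below builds HMAC by hand from the hash primitive exactly as RFC 2104 specifies (key padding, inner and outer pads), cross-checks it against the standard library, and verifies tags in constant time. The key and message are constructed sample values.

```python
import hashlib
import hmac


def hmac_manual(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC as defined in RFC 2104: H((K' xor opad) || H((K' xor ipad) || m)).

    K' is the key zero-padded to the hash's block size (a key longer than the
    block size is hashed first). The key is XORed with the fixed ipad/opad
    constants, never with the message itself.
    """
    block_size = hashlib.new(hash_name).block_size  # 64 bytes for MD5, SHA-1, SHA-256
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + message).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def matches_stdlib(key, message, hash_name="sha256"):
    """Cross-check the hand-rolled construction against the standard library."""
    return hmac_manual(key, message, hash_name) == hmac.new(key, message, hash_name).digest()


def verify(key, message, tag, hash_name="sha256"):
    """Receiver side: recompute the tag and compare in constant time, so that an
    attacker cannot discover a valid tag byte by byte from timing differences."""
    return hmac.compare_digest(hmac_manual(key, message, hash_name), tag)


# Constructed sample key and message for the demonstration.
KEY = b"shared-secret-key"
MSG = b"transfer 100 to account 42"


def demo():
    """Genuine message verifies; a modified message or a wrong key does not."""
    tag = hmac_manual(KEY, MSG)
    return (
        verify(KEY, MSG, tag),
        verify(KEY, b"transfer 900 to account 42", tag),
        verify(b"other-key", MSG, tag),
    )
```

Changing a single digit of the message or using a different key produces an unrelated tag, which is what gives the receiver both integrity and (shared-key) authenticity.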
dynamic change, tending to be driven in an ad hoc, uncontrolled and reactive manner by users or events. This provides a chaotic or unstable environment for the processes.
consistent results. Process discipline is unlikely to be rigorous, but where it exists it may help to ensure that existing processes are maintained during times of stress.
processes established and subject to some degree of improvement over time. These standard processes are in place. The processes may not have been systematically or repeatedly utilized enough for the users to become competent or the process to be validated in a range of situations.
the process objectives can be evidenced across a range of operational conditions. The suitability of the process in multiple environments has been tested and the process refined and adapted. Process users have experienced the process in multiple and varied conditions, and are able to demonstrate competence.
Addressing statistical common causes of process variation and changing the process to improve process performance.
tested by the users and application managers.
ready requirements for operation. Tested by system administrators: are the backups in place, do we have a DR plan, how do we handle patching, is it checked for vulnerabilities, ...?
what/where/how of the acceptance is defined in the contract.
or systems? Does the software perform as expected in our production environment vs. the development environment?
custom-built software we need to ensure it is as secure as we need it to be. Vendors' claims about their security posture should, until proven, be treated as marketing claims. We need to exercise due care and due diligence, and use outside counsel if needed. Many organizations deal with C-level executives going to conferences and buying software that the organization may not want or need. Software development and procurement, like any other project, should be carefully scoped and planned, based on a clear analysis of what the business needs and wants.
Biometrics (fingerprint, iris scan, facial geometry, etc.).
Access to an object is determined by labels and clearance; this is often used in the military or in organizations where confidentiality is very important.
Can also be referred to as policy-based access control (PBAC) or claims-based access control (CBAC)
as location, time, sequence of responses, access history. Examples: providing the username and password combination followed by a challenge-and-response mechanism such as a CAPTCHA, filtering wireless access based on MAC addresses, or a firewall filtering the data based on packet
known as a content-dependent access control. In this type of control, the value and attributes of the content that is being accessed determine the control requirements. Hiding or showing menus in an application, views in databases, and access to confidential information are all content-dependent.
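To make the four models above concrete in one place, the Python below is an added example (not part of the original notes) of a small authorization function that applies them in sequence to a request: a mandatory label/clearance check, an attribute-based departmental rule, a context-dependent rule on time, source network and completed MFA step, and a content-dependent filter that masks one column of the record for readers who are allowed to see the record but not that field. The subjects, the record, the department names and the business-hours window are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time

# Ordered sensitivity labels for the mandatory (label/clearance) check.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass
class Subject:
    name: str
    clearance: str
    department: str


@dataclass
class Resource:
    label: str
    owner_department: str
    fields: dict            # column name -> value


@dataclass
class Context:
    now: time               # local time of the request
    source_country: str
    mfa_passed: bool


def mac_check(subject, resource):
    # Mandatory: the subject's clearance must be at least the object's label.
    # Neither the subject nor the owner can change labels or clearances here.
    return LEVELS[subject.clearance] >= LEVELS[resource.label]


def abac_check(subject, resource):
    # Attribute-based: the owning department reads its own records; audit and
    # management carry an oversight claim over every department's records.
    return (subject.department == resource.owner_department
            or subject.department in ("audit", "management"))


def context_check(ctx):
    # Context-dependent: only during business hours, from a domestic network,
    # and only after the second authentication step succeeded.
    in_hours = time(8, 0) <= ctx.now <= time(18, 0)
    return in_hours and ctx.source_country == "US" and ctx.mfa_passed


def content_filter(subject, resource):
    # Content-dependent: the salary column is shown only to HR and audit; anyone
    # else who may read the record sees the column masked.
    visible = dict(resource.fields)
    if "salary" in visible and subject.department not in ("hr", "audit"):
        visible["salary"] = "***"
    return visible


def authorize(subject, resource, ctx):
    """Return (allowed, reason, visible_fields) for one access request."""
    if not mac_check(subject, resource):
        return False, "clearance does not dominate label", {}
    if not abac_check(subject, resource):
        return False, "attribute policy denied", {}
    if not context_check(ctx):
        return False, "context policy denied", {}
    return True, "allowed", content_filter(subject, resource)


# Constructed sample subjects, record and request contexts.
RECORD = Resource("secret", "hr", {"name": "J. Doe", "salary": 120000, "role": "analyst"})
ALICE = Subject("alice", "top secret", "audit")     # cleared, oversight role: sees everything
BOB = Subject("bob", "confidential", "hr")          # right department, insufficient clearance
CAROL = Subject("carol", "secret", "engineering")   # cleared, but no attribute grants access
FRANK = Subject("frank", "secret", "management")    # allowed to read, salary masked
DAY = Context(time(10, 30), "US", True)
NIGHT = Context(time(2, 15), "US", True)
```

The order matters: the mandatory check runs first and cannot be overridden by any attribute, and the content-dependent filter only runs once access to the record itself has been granted.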
between two entities. They authenticate to the connecting entity (often a server), and the connecting entity authenticates itself in turn (often a server or desktop), by declaring the type of information needed for authentication as well as its syntax. It is the most important layer of protection needed for secure communication between network
requirements for a class of security devices. Products can comply with more than one PP. Customers looking for particular types of products can focus on those products certified against the PP that meet their requirements.
properties of the target of evaluation. An ST may claim conformance to one or more PPs.
score on the testing?
have a very broad scope. Security assessments often span multiple areas, and can use some or all of these components: policies, procedures, and other administrative controls; assessing the real-world effectiveness of administrative controls; change management; architectural review; penetration tests; vulnerability assessments.
organization’s system and the suitability of the design and operating effectiveness of controls.
audit adds credibility. It can also be a knowledge transfer for the organization, and it is required annually in many organizations.
before an external audit.
that access control mechanisms are working as intended. Reviewing audit logs is primarily a detective control.
A requirements traceability matrix may be used to check if the current project requirements are being met, and to help in the creation of a request for proposal, software requirements specification, various deliverable documents, and project plan tasks.
product, service or system as part of a quality management system.
cause unauthorized access or cause the application to enter an unpredictable state or crash. If the program crashes or hangs, the application has failed the fuzz test and a bug (possibly an exploitable one) has been found. The fuzz tester can enter values into the script or use pre-compiled random or specific values.
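As an added example that is not part of the original notes, the Python below fuzzes a constructed, deliberately buggy record parser with random and boundary-value mutations of a valid seed input. Any exception other than a clean ValueError rejection counts as a failure; the failing input is saved and re-run to confirm it reproduces. The same loop is then run against a hardened version of the parser that validates its length fields, and finds nothing. The record format, the parser and the seed are constructed for illustration.

```python
import random


def parse_record(data: bytes) -> dict:
    """Parse: 1-byte name length, name, 2-byte big-endian payload length, payload.

    Constructed, deliberately buggy target: it trusts the declared payload
    length and indexes into the payload with it without checking that many
    bytes actually arrived.
    """
    if len(data) < 3:
        raise ValueError("too short")
    name_len = data[0]
    name = data[1:1 + name_len]
    off = 1 + name_len
    payload_len = int.from_bytes(data[off:off + 2], "big")
    payload = data[off + 2:off + 2 + payload_len]
    checksum = payload[payload_len - 1] if payload_len else 0   # bug: IndexError on short input
    return {"name": name.decode("ascii"), "payload": payload, "checksum": checksum}


def parse_record_fixed(data: bytes) -> dict:
    """Hardened version: every length field is checked against the buffer before use,
    so malformed input is always rejected with a ValueError instead of crashing."""
    if len(data) < 3:
        raise ValueError("too short")
    off = 1 + data[0]
    if off + 2 > len(data):
        raise ValueError("name overruns buffer")
    payload_len = int.from_bytes(data[off:off + 2], "big")
    end = off + 2 + payload_len
    if end != len(data):
        raise ValueError("payload length does not match buffer")
    name = data[1:off].decode("ascii")          # UnicodeDecodeError is a ValueError
    payload = data[off + 2:end]
    return {"name": name, "payload": payload, "checksum": payload[-1] if payload else 0}


# Constructed valid seed: name "user", 3-byte payload "abc".
SEED = bytes([4]) + b"user" + (3).to_bytes(2, "big") + b"abc"
BOUNDARY = [0x00, 0x01, 0x7F, 0x80, 0xFE, 0xFF]   # "specific values" worth trying


def mutate(data, rng):
    """One random mutation: bit flip, boundary byte, random insert, or truncation."""
    buf = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif choice == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.choice(BOUNDARY)
    elif choice == 2:
        i = rng.randrange(len(buf) + 1)
        buf[i:i] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 5)))
    else:
        del buf[rng.randrange(len(buf) + 1):]
    return bytes(buf)


def fuzz(target, seed, iterations=2000, rng_seed=1):
    """Run mutated inputs through `target`; return {exception name: first failing input}."""
    rng = random.Random(rng_seed)               # fixed seed so a run is reproducible
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            continue                            # graceful rejection is the desired behaviour
        except Exception as exc:                # anything else is a failed fuzz test
            crashes.setdefault(type(exc).__name__, case)
    return crashes


def reproduce(target, case):
    """Re-run one saved failing input; return the exception name, or None if it passes."""
    try:
        target(case)
    except Exception as exc:
        return type(exc).__name__
    return None
```

Saving the first failing input per exception type is what turns a fuzzing run into a bug report: the saved bytes, not the random seed, are what the developer needs to reproduce and fix the crash.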
in which test cases are designed to execute all possible discrete combinations of each pair of input parameters.
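The pairwise (all-pairs) idea above, as an added example that is not part of the original notes: the Python below generates a pairwise test set with a greedy heuristic (each new test case picks, parameter by parameter, the value that covers the most still-uncovered pairs), and includes a checker that confirms every pair of values of every two parameters appears in at least one test. The parameter table is constructed for illustration; for it, exhaustive testing needs 3 x 3 x 2 x 2 = 36 cases while the pairwise set stays close to the 9-case lower bound set by the two largest parameters.

```python
from itertools import combinations

# Constructed example parameters; the full cartesian product has 36 combinations.
PARAMS = {
    "browser": ["chrome", "firefox", "safari"],
    "os": ["windows", "macos", "linux"],
    "auth": ["password", "mfa"],
    "locale": ["en", "de"],
}


def all_pairs(params):
    """Every (param, value, param, value) pair that pairwise testing must cover."""
    names = list(params)
    return {(p, a, q, b)
            for p, q in combinations(names, 2)
            for a in params[p] for b in params[q]}


def pairs_in(test, names):
    """The pairs exercised by one test case (a dict param -> value)."""
    return {(p, test[p], q, test[q]) for p, q in combinations(names, 2)}


def covers_all_pairs(tests, params):
    names = list(params)
    covered = set()
    for t in tests:
        covered |= pairs_in(t, names)
    return all_pairs(params) <= covered


def generate_pairwise(params):
    """Greedy all-pairs generation: build tests until no pair is left uncovered."""
    names = list(params)
    order = {n: i for i, n in enumerate(names)}

    def key(p, v, q, w):                      # normalise pair orientation
        return (p, v, q, w) if order[p] < order[q] else (q, w, p, v)

    uncovered = all_pairs(params)
    tests = []
    while uncovered:
        test = {}
        for p in names:
            best, best_score = None, -1
            for v in params[p]:
                # Score = uncovered pairs this value would form with already-chosen
                # values, plus uncovered pairs it could still form with the rest.
                score = 0
                for q in names:
                    if q == p:
                        continue
                    if q in test:
                        score += (key(p, v, q, test[q]) in uncovered)
                    else:
                        score += sum((key(p, v, q, w) in uncovered) for w in params[q])
                if score > best_score:
                    best, best_score = v, score
            test[p] = best
        newly = pairs_in(test, names) & uncovered
        if not newly:
            # Safety net (the greedy choice above always makes progress): force one
            # uncovered pair into a test and fill the rest with first values.
            p, a, q, b = next(iter(uncovered))
            test = {n: params[n][0] for n in names}
            test[p], test[q] = a, b
            newly = pairs_in(test, names) & uncovered
        uncovered -= newly
        tests.append(test)
    return tests
```

The checker is the important half for a security reviewer: a pairwise suite only earns its reduced size if the coverage claim is actually verified, rather than assumed from the generator.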
what normal users would, we need to test misuse to ensure our application or software is safe.
entire application, to ensure there are no significant gaps where a lack of testing could allow bugs or security issues to be present that should otherwise have been discovered. With 50+ million lines of code in a Windows OS, often only spot checks on critical areas are enforced