INDEX
A
abuse cases
adversaries
XP
acceptance
modifications
risk
access control
for integrity
models
in Safe Harbor principles
access control lists (ACLs)
access control matrix model
accounting
auditing
design for
ACLs (access control lists)
acquisition of software components
actions in requirements
activities in requirements
actors in use cases
Address Space Layout Randomization (ASLR)
advanced persistent threat (APT) attacks
adversaries
groups
inside and outside
types
advice for end users from suppliers
agile methods
ALE (annualized loss expectancy)
algorithms
cryptographic
digital certificates
allocation, memory
alpha testing
alteration of data
always-on computing
American National Standards Institute (ANSI)
American Recovery and Reinvestment Act (ARRA)
Analyze step in SEI model
Anderson, Ross
annualized loss expectancy (ALE)
annualized rate of occurrence (ARO)
ANSI (American National Standards Institute)
anti-XSS libraries
antitampering techniques
APIs (application programming interfaces)
app stores
application firewalls
application programming
application programming interfaces (APIs)
APT (advanced persistent threat) attacks
architecture
cloud
distributed computing
integration
mobile applications
pervasive/ubiquitous computing
rich Internet applications
service-oriented architecture
archiving
in maintenance
repositories
Ariane V booster
arithmetic overflows
ARO (annualized rate of occurrence)
ARRA (American Recovery and Reinvestment Act)
ASLR (Address Space Layout Randomization)
assets
defined
general risk management model
assurance models
assurance process
quality testing
SCM
attack surfaces
analyzers
evaluation
minimizing
validation
attack tree models
attacks, defined
audit-based behaviors, integrity controls for
audits
design for
overview
post-release activities
authentication
description
design for
identification
overview
authenticity of software
authorization
configuration management
description
design for
automated password resets
automated tools
IDE
static code analysis
automatic update services
availability
description
design for
overview
awareness in software teams
B
backlogs
backtracking attacks
backups
in maintenance
vulnerabilities
baseline management ledger (BML)
baselines
configuration management
repositories
basic input output system (BIOS)
behavioral anomalies
Bell-LaPadula model
Berne Convention
beta testing
Biba integrity model
biometrics
BIOS (basic input output system)
black box COTS products
black-box testing
description
pre-release
BML (baseline management ledger)
Boehm, Barry
bootstrapping
description
in installation and deployment
breach notifications
Brewer Nash model
broken cryptographic algorithms
BSI (Build Security In)
buffer overflows
bug bars
bugs
impact assessment and corrective action
tracking
build environment
Build Security In (BSI)
build vs. buy decisions
bulk e-mail, phishing
business continuity
business risk
by default elements in Microsoft SDL
by design elements in Microsoft SDL
C
C language
buffer overflow
coding standards
programming failures
C# language, integer overflow in
C++ language
coding standards
programming failures
Candidate Information Bulletin (CIB)
canonicalization errors
Capability Maturity Model Integration (CMMI)
CAs (certificate authorities)
categorization overview
CCBs (configuration control boards)
ccREL scheme
CDI (constrained data items)
CERT/CC (Computer Emergency Response Team Coordination Center)
certainty of risk
certificate authorities (CAs)
Certificate Revocation Lists (CRLs)
Certificate usage field
certificates
chain of custody
change
in configuration management
implementation
maintenance process for
managing
and operation
change requests
character code sets
character encoding
Chinese Wall model
choice element in Safe Harbor principles
Clark-Wilson security model
classification of data
client server architectures
client-side exploits
cloud architectures
CLR (common language runtime)
CMDB (configuration management database)
CMMI (Capability Maturity Model Integration)
CMS (configuration management system)
COBIT (Control Objectives for Information and Related Technology)
code and coding
analysis
antitampering techniques
build environment
code analysis
code/peer review
configuration management
defensive practices
downloading without integrity checks
interface
reuse
reviews
secure standards
signing
testing
walkthroughs
Code Red event
command injection attacks
commercial off the shelf (COTS) software
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
Committee on National Security Systems
Common Body of Knowledge to Produce, Sustain, and Acquire Secure Software
Common Criteria
common language runtime (CLR)
Common Vulnerabilities and Exposures (CVE)
Common Weakness Enumeration (CWE)
communication elements in Microsoft SDL
community clouds
compensating controls
compilers
flag options
switches
complete mediation
completion criteria
compliance
logging for
overview
risk management
in supplier risk assessment
Computer Emergency Response Team Coordination Center (CERT/CC)
Computer Software Rental Amendments Act
concurrency
confidentiality
description
design for
overview
configuration control boards (CCBs)
configuration management
control
deployment and sustainment controls
evaluation
identification
organizing
overview
parameters
plans
process
release management
roles
source code and versioning
status accounting
configuration management database (CMDB)
configuration management system (CMS)
constant connectivity
constrained data items (CDI)
contract management
contractual integrity controls
contractual terms
Control Objectives for Information and Related Technology (COBIT)
Control step in SEI model
control systems
controlled repositories
controls
configuration
contractual integrity
in general risk management model
identification and prioritization
operational
risk
for testing
verification
coordination in incident management
Copyright Law
copyrights
corrective action
corrective controls
COSO (Committee of Sponsoring Organizations of the Treadway Commission)
COTS (commercial off the shelf) software
coverage analyzers
credentials
hard-coded
managing
criteria
code testing
completion
criticality of problems
CRLs (Certificate Revocation Lists)
cross-platform/system integration
cross-site request forgery (CSRF)
cross-site scripting (XSS)
cryptography. See encryption
CSRF (cross-site request forgery)
custodians, data
customer-facing privacy policies
customer support
in installation and deployment
in operations
customers
communication with
in configuration management
CVE (Common Vulnerabilities and Exposures)
CWE (Common Weakness Enumeration)
CWE/SANS top 25 vulnerability categories
D
DAC (discretionary access control)
daemons
damage potential from bugs
data
anonymized
classification
lifecycle
ownership
protection principles
test data management
types
data collection in risk acceptance
Data Encryption Standard (DES)
data flow diagrams (DFDs)
data integrity element in Safe Harbor principles
data loss prevention (DLP) technologies
data remanence attacks
data risk impact
databases
defect
security for
day one baselines
declarative security
decomposition, system
default elements in Microsoft SDL
defect databases
defense functions, missing
defense in depth
defensive coding practices
declarative vs. programmatic security
error handling
memory management
primary mitigations
deployment controls
deployment elements in Microsoft SDL
deployment environment
DES (Data Encryption Standard)
design considerations
authentication, authorization, and accounting
CIA methods
interconnectivity
interfaces
principles
design phase in Microsoft SDL
design processes
architecture technical review
attack surface evaluation
control identification and prioritization
documentation
risk assessment
secure development lifecycle
threat modeling
detective controls
DFDs (data flow diagrams)
digital certificates
digital rights management (DRM)
digital signatures
directory climbing attacks
directory traversal attacks
Disaster Recovery/Business Continuity Planning (DR/BCP) requirements
disasters, natural
disciplined patching processes
disclosure statements for privacy
discretionary access control (DAC)
disposal
data
software
dissemination controls
distributed computing
diversity defense
DLP (data loss prevention) technologies
document object model (DOM-based) XSS attacks
documentation
Domain Name Service (DNS) servers
dot-dot-slash attacks
downloading code without integrity checks
DR/BCP (Disaster Recovery/Business Continuity Planning) requirements
DREAD method
DRM (digital rights management)
dumb fuzz testing
dynamic code analysis
dynamic libraries
dynamic linking
dynamic repositories
E
economy of mechanism
education for software teams
efficiency as completion criteria
Electronic Product Code (EPC) tags
electronic support
elite hacker group
email phishing
embedded systems
encoding, character
encryption
broken and risky algorithms
cryptographic agility
cryptographic failures
database security
sensitive data
software transfer
validation
end users
advice and support
communication with
in design
enforcement elements
in installation and deployment
Safe Harbor principles
enterprise service bus (ESB)
environment
deployment
IDE
quality assurance testing
EPC (Electronic Product Code) tags
EPROM (erasable programmable read-only memory)
errors
canonicalization
tracking
trapping and handling
ESB (enterprise service bus)
European Union Data Protection Directive (EUDPD)
evaluation
attack surface
configuration
general risk management model
risk acceptance
Evaluation Assurance Levels (EALs)
exception management
exposure factor
eXtensible rights Markup Language (XrML)
Extensions field for digital certificates
external security requirements
extreme programming (XP)
F
fail safe design
failure mode effects analysis (FMEA)
failures
cryptographic
single points
testing for
validation
faults
Federal Financial Institutions Examination Council (FFIEC)
Federal Information Processing Standards (FIPS)
cryptography
data classifications
definitions in
publications
qualitative matrices
Federal Information Security Management Act (FISMA)
federated ID systems
FFIEC (Federal Financial Institutions Examination Council)
Financial Modernization Act
Financial Privacy rule in GLBA
FIPS. See Federal Information Processing Standards (FIPS)
firewalls
firmware
FISMA (Federal Information Security Management Act)
flaws
flow control
foreign influence and control of suppliers
frameworks, security
fraud
functional requirements
functional testing
functionality in completion criteria
fuzz testing
G
GAO (General Accounting Office) supply threat categories
gates in security requirements
general risk management model
generation of data
gets function
GLBA (Gramm-Leach-Bliley Act)
glossary of terms
good enough security
GOTS (government off the shelf) software
governance in risk management
Gramm-Leach-Bliley Act (GLBA)
GRC (governance, risk management, and compliance)
grey-box testing
“Guide to Building Secure Web Applications and Web Services”
H
hackers
hard-coded credentials
hash functions
attacks on
cryptographic functions
one-way without salts
Health Information Technology for Economic and Clinical Health Act (HITECH Act)
Healthcare Insurance Portability and Accountability Act (HIPAA)
help file for MasterExam software
hidden data
hierarchies
qualification testing
supply chains
high impact
high-risk data
highly structured threats
HIPAA (Healthcare Insurance Portability and Accountability Act)
HITECH Act (Health Information Technology for Economic and Clinical Health Act)
hot-fixes
human factors, monitoring
hybrid clouds
hyper-connectedness computing
I
IaaS (Infrastructure as a Service)
ICT (information and communications technology)
IDE (Integrated Development Environment)
identification
in authentication
configuration
incidents
security objectives
threats
Identify step in SEI model
identity management (IDM)
IDSs (intrusion detection systems)
impact
assessment
general risk management model
improperly handled data
risk
imperative programming
implementation phase in Microsoft SDL
in-band management
in deployment elements in Microsoft SDL
incident managers
incident response teams (IRTs)
incidents
anticipation
identification and monitoring
overview
reporting and management control
resources for
response team management
responses
software operations
Inclusion of Functionality from Untrusted Control Sphere vulnerability
independent testing
industry security policies
infinite loops
information and communications technology (ICT)
information flow models
Information Technology Infrastructure Library (ITIL)
Information Technology Laboratory (ITL)
Infrastructure as a Service (IaaS)
initial program load (IPL)
injection attacks
command
SQL
input data
defined
fuzzing
validation failures
inside adversaries
insider information
insider threats
installation
bootstrapping
customer support
planning for operational use
startup
validation and verification
Institute for Security and Open Methodologies (ISECOM)
intangible intellectual property
integer overflow
Integrated Development Environment (IDE)
integration
with existing architectures
systems
testing
integrity
code downloading
description
design for
overview
in Safe Harbor principles
software
supplier sourcing controls
integrity-based models
integrity verification processes (IVPs)
intellectual property rights
issues
supplier risk
interconnectivity
interface coding
interfaces
internal data
internal security requirements
International Electrotechnical Commission (IEC)
International Organization for Standardization (ISO)
ISO 9126 standard
ISO 9216 standard
ISO 12207 standard
ISO 15408 standards
ISO 15504 standard
ISO 2700X standards
interpreters
intrusion detection systems (IDSs)
intrusion prevention systems (IPSs)
IPL (initial program load)
IPSs (intrusion prevention systems)
IRTs (incident response teams)
(ISC)2 exams
ISECOM (Institute for Security and Open Methodologies)
ISO. See International Organization for Standardization (ISO)
Issue field for digital certificates
ITIL (Information Technology Infrastructure Library)
ITL (Information Technology Laboratory)
IVPs (integrity verification processes)
J
Java Virtual Machine (JVM)
JTC 1 - Information Technology standards
K
Kaminsky, Dan
keep-it-simple principle
Kerberos authentication
keys, cryptographic
knowledge base
known vulnerabilities
L
labeling
configuration
impact
sensitivity
latent threats
layered security
lead auditors in post-release
LearnKey technical support
least common mechanism
least privilege approach
legal compliance in supplier risk assessment
legal issues
levels of access for authorization
levels of confidence
leverage existing components
libraries
anti-XSS
cryptographic algorithms
dynamic
safe
STLs
licenses for product authentication
lifecycle
data
SDL
likelihood in risk acceptance
linking code
Load/performance test tools
load testing
failure testing
pre-release
local logging
locality principle for memory
location-based data
locks
logging and log files
auditing
bugs
in design
overview
secure coding standards
vulnerabilities
loops, infinite
low impact
low-risk data
low-water-mark policy
M
MAC (mandatory access control)
Madrid System
magnetic remanence
maintainability as completion criteria
maintenance review of modifications
malware
managed code vs. unmanaged
managed services in supplier sourcing
management V&V
mandatory access control (MAC)
MasterExam software
MD-5 hash algorithms
measurement of attack surfaces
mediation, complete
medium impact
medium-risk data
memory analyzers
memory management
message queuing
metadata
metrics for incident responses
Microsoft Intermediate Language (MSIL)
Microsoft Security Development Lifecycle
Microsoft Trustworthy Computing Initiative
minimization of attack surfaces
missing defense functions
mission-critical software
mitigation
analysis
primary
mobile applications
modeling, threat
moderate impact
modification. See change
monitoring
incidents
operational
in software maintenance
software operations
Morris worm
Mother Nature as adversary
MPEG-21 scheme
MSIL (Microsoft Intermediate Language)
multilevel security model
Mundie, Craig
mutual authentication
N
n-tier model
nation-state threats
National Information Assurance Program (NIAP)
National Institute of Standards and Technology (NIST)
cloud-based computing
computer security policies categories
publications
risk management framework
SP 800 Series
near-field communication (NFC) protocol
networks
firewalls
fuzzing
scans
next-generation firewalls
NFC (near-field communication) protocol
NIAP (National Information Assurance Program)
NIST. See National Institute of Standards and Technology (NIST)
no-read-up rule
no-write-down rule
no-write-up rule
NoForn system
non-repudiation
nonpersistent XSS attacks
notice element in Safe Harbor principles
notifications for breaches
O
OAuth system
objectives, security
objects
authorization
defined
protected
OCSP (Online Certificate Status Protocol)
OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
ODRL (Open Digital Rights Language)
one-way hashes without salts
Online Certificate Status Protocol (OCSP)
onward transfer element in Safe Harbor principles
open design
Open Digital Rights Language (ODRL)
open source models
Open Source Security Testing Methodology Manual (OSSTMM)
Open Web Application Security Project (OWASP)
overview
vulnerability categories
OpenID system
operating systems
operation process implementation
operational models of security
operational monitoring and control
operational requirements
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
opportunity costs in supplier sourcing
Orange Book
OSSTMM (Open Source Security Testing Methodology Manual)
out-of-band management interfaces
output data
outside adversaries
outsider threats
outsourcing
overflows
arithmetic
buffer
integer
OWASP (Open Web Application Security Project)
overview
vulnerability categories
ownership of data
P
PA DSS (Payment Application Data Security Standard)
PaaS (Platform as a Service)
parallel operations in software disposal
passwords
authentication
resets
Patch Tuesday
patches
in change management
managing
in regression testing
in vulnerability management
patents
path traversals
Payment Application Data Security Standard (PA DSS)
Payment Card Industry Data Security Standard (PCI DSS)
PEDs (PIN entry devices)
peer reviews
peer-to-peer architectures
penetration testing
performance testing
pre-release
service level agreements
permission bits
persistent attacks
APT
XSS
personal health information (PHI)
personally identifiable information (PII)
pervasive/ubiquitous computing
pharming
PHI (personal health information)
phishing
PII (personally identifiable information)
PIN entry devices (PEDs)
PIN Transaction Security (PTS)
PINs (product identification numbers)
PKI (public key infrastructure)
PKIX (Public Key Infrastructure X.509)
Plan step in SEI model
plans
configuration management
operational use
qualification testing
reuse
secure operation
software disposal
Platform as a Service (PaaS)
policies
auditing
CIA requirements
discretionary access control
identification and authentication
industries
internal and external requirements
mandatory access control
privacy
role-based access control
rule-based access control
portability as completion criteria
post-development sustainment activities
post-release activities
independent testing
overview
validation and verification
power attacks
power on self-test (POST)
pre-release activities
completion criteria
overview
risk acceptance
testing
prequalification of suppliers
Pretexting Provision in GLBA
preventive controls
primary mitigations
prioritization
privacy
privacy disclosure statements
private clouds
privilege levels
privilege management
problems
installation and deployment
managing
reports
resolution process
strategic planning
process focus in architecture technical reviews
product identification numbers (PINs)
products
backlogs
baselines
deployment and sustainment controls
quality
upgrades
programming
APIs
application
general failures
programmatic security
programming language environments
XP
project risk management
protected objects
“Protection of Information in Computer Systems”
Protection Profile (PP) in Common Criteria
prototypes
provisioning, identity management of
proxies
pseudo-random functions
cryptographic algorithms
Debian Linux bug
psychological acceptability
PTS (PIN Transaction Security)
public clouds
Public key field for digital certificates
public key infrastructure (PKI)
Public Key Infrastructure X.509 (PKIX)
publishing controls
Q
qualification testing
software
technical processes
qualitative matrices
qualitative methods
qualitative risk assessment
qualitative risk management
quality assurance testing
attack surface validation
bug tracking
environment
functional
overview
standards
quality vs. security
quantification in general risk management model
quantitative risk assessment
quantitative risk management
queuing technology
quick fix engineering (QFE)
R
race conditions
radio frequency identification (RFID)
rainbow tables
random numbers
cryptographic algorithms
Debian Linux bug
rank bids in supplier sourcing
RAs (registration authorities)
RBAC (role-based access control)
RBAC (rule-based access control)
read-only memory (ROM)
“reasonably believed” factor in breach notifications
record/playback tool
recovery in maintenance
reference monitors
registration authorities (RAs)
regression testing
regulations
REL (Rights Expression Language)
release management
release phase in Microsoft SDL
reliability as completion criteria
remote code execution
reporting incidents
repositories for product baselines
requestors for authorization
requirements
functional
Microsoft SDL
operational
testing and validation
requirements traceability matrices (RTM)
residual risk
resolution in vulnerability management
resources for incidents
response phase in Microsoft SDL
responses to incidents
REST-compliant web services
retention of data
return on investment (ROI)
reusability
reuse plans
revenue management
reverse engineering
reviews
code
security
technical
revision control
RFID (radio frequency identification)
rich Internet applications (RIAs)
Rights Expression Language (REL)
ring model
risk acceptance
risk assessment
for code reuse
defined
supplier. See supplier risk assessment
risk management
business risk
controls
defined
general model
general terms
governance and compliance
options
overview
qualitative
quantitative
quantitative terms
Software Engineering Institute model
statements
technology risk
risk management framework (RMF)
risk-versus-return scores in supplier sourcing
risky cryptographic algorithms
RMF (risk management framework)
role-based access control (RBAC)
roles
configuration management
definitions
ROM (read-only memory)
root cause analysis
RTM (requirements traceability matrices)
rule-based access control (RBAC)
S
SaaS (Software as a Service)
SABSA (Sherwood Applied Business Security Architecture)
Safe Harbor principles
safe libraries
SAFECode organization
Safeguards rule in GLBA
salts, one-way hashes without
sandboxing
Sarbanes-Oxley (SOX) Act
scanning
SCAP (Security Content Automation Protocol)
SCM (software configuration management)
scope of problems
script kiddies
scrum programming
SD3+C program
SDL. See secure development lifecycle (SDL)
secure coding standards
secure design principles
secure development lifecycle (SDL) components
description
Microsoft
monitoring requirements
overview
software development models
secure startup
Security Content Automation Protocol (SCAP)
security element in Safe Harbor principles
security features vs. secure software
security information and event management (SIEM) tool
security-level auditing
security overview
adversaries
basics
declarative vs. programmatic
knowledge base
models
security vs. quality
standards
threat landscape shifts
security-sensitive data
Security Target (ST) in Common Criteria
seeds, cryptographic
SEI (Software Engineering Institute)
sensitive data, encryption for
sensitivity levels
sensor networks
separation of duties
sequencing and timing
Serial number field for digital certificates
service level agreements (SLAs)
contractual terms
performance testing
supplier sourcing
service-oriented architecture (SOA)
service packs
services
for default security elements
web
session management
severity weighting
SHA-1
hash algorithms
Sherwood Applied Business Security Architecture (SABSA)
side channels
SIEM (security information and event management) tool
Signature algorithm field for digital certificates
signing, code
Simple Security Rule
simplicity principle
simulation testing
single loss expectancy (SLE)
single points of failure
single sign-on (SSO)
Slammer event
SLAs (service level agreements)
contractual terms
performance testing
supplier sourcing
SLE (single loss expectancy)
smart fuzz testing
SOA (service-oriented architecture)
social engineering attacks
software acceptance
overview
post-release activities
pre-release activities. See pre-release activities
qualification testing
software architecture
Software as a Service (SaaS)
software coding operations. See code and coding
software configuration management (SCM)
software development and testing
code testing
models
overview
SDL. See secure development lifecycle (SDL)
testing controls
software disposal
Software Engineering Institute (SEI)
software installation and deployment
bootstrapping
configuration management
customer support
overview
planning for operational use
validation and verification
software operations and maintenance
backup, recovery, and archiving
change management
customer support
disposal
ensuring operations
implementation
incidents. See incidents
maintenance overview
maintenance review/acceptance
modification implementation
monitoring and control
overview
planning
problem management
supply chain. See supply chain and software acquisition
software patents and copyrights
software quality assurance (SQA)
software requirements, testing and validation
software teams
awareness and education in
code review
software validation and verification plan (SVVP)
software vulnerabilities. See vulnerabilities and countermeasures
something about you
something you have
something you know
source code in configuration management
SOWs (statements of work)
configuration management
modification implementation
SOX (Sarbanes-Oxley) Act
spaghetti code
spear phishing
specification of software requirements (SRS)
spiral model
SQA (software quality assurance)
SQL (Structured Query Language) injection attacks
SRS (specification of software requirements)
SSE-CMM (Systems Security Engineering Capability Maturity Model)
SSO (single sign-on)
standard template libraries (STLs)
standards
ISO. See International Organization for Standardization (ISO)
NIST. See National Institute of Standards and Technology (NIST)
quality assurance testing
star property
statements, risk management
statements of work (SOWs)
configuration management
modification implementation
states, data
static code analysis
static linking
status accounting in configuration management
STLs (standard template libraries)
strategic planning
strcpy function
stress testing
STRIDE method
strncpy function
structured data
structured incident responses
Structured Query Language (SQL) injection attacks
structured threats
style guides
subcontractors
activities
in configuration management
software requirements testing and validation
Subject field for digital certificates
subject-object-activity matrices
subject-object-activity model
supplier risk assessment
for code reuse
Common Criteria
intellectual property
legal compliance
overview
prequalification
supplier sourcing
contractual integrity controls
managed services
overview
service level agreements
technical integrity controls
supply chain and software acquisition
authenticity and integrity
chain of custody
configuration management
deployment and sustainment controls
monitoring and incident management
overview
publishing and dissemination controls
risk assessment. See supplier risk assessment
software delivery, operations, and maintenance overview
software development and testing
sourcing. See supplier sourcing
supplier transitioning
systems-of-systems integration
vulnerability management, tracking, and resolution
support for customers and end users
in installation and deployment
in operations
sustainment
controls
description
purpose
SCM process
SVVP (software validation and verification plan)
synchronization of passwords
syslog protocol
system decomposition
system scans
system tenets
systems-of-systems integration
Systems Security Engineering Capability Maturity Model (SSE-CMM)
systems testing
T
tags, RFID
take-grant model
tangible property
Target of Evaluation (TOE) in Common Criteria
TC (trusted computing)
TCB (trusted computing base)
TCP (Transmission Control Protocol) handshakes
TCSEC (Trusted Computer System Evaluation Criteria)
teams
awareness and education in
code review
IRT
technical integrity controls
technical reviews
technical support
technical V&V
technologies
authentication
credential management
data loss prevention
database security
digital rights management
embedded systems
flow control
identity management
logging
operating systems
programming language environment
trusted computing
virtualization
technology, defined
technology risk
tenets
security
system
terms, glossary of
test-based behaviors, integrity controls for
test cases for pre-release testing
testing
artifacts
code
controls
cryptographic validation
data management
for failure
fuzz
impact assessment and corrective action
independent
penetration
pre-release
quality assurance. See quality assurance testing
regression
scanning
simulation
software requirements
testing phase in Microsoft SDL
theft of intellectual property
third parties
APIs
identity management
vendor technical integrity controls
thread-checking routines
threats
general risk management model
landscape shifts
modeling
three tier model
time of check/time of use (TOC/TOU) attacks
timing attacks
timing issues
TOC/TOU (time of check/time of use) attacks
TOE (Target of Evaluation) in Common Criteria
tokenization
tokens in authentication
top 25 vulnerability categories
total risk
TPM (Trusted Platform Module)
TPs (transformation processes)
Track step in SEI model
tracking
bugs
vulnerabilities
trade secrets
trademarks
training in Microsoft SDL
transformation processes (TPs)
transitions
software disposal
supplier
Transmission Control Protocol (TCP) handshakes
treasury management
triggers for database security
trust boundaries
Trusted Computer System Evaluation Criteria (TCSEC)
trusted computing (TC)
trusted computing base (TCB)
Trusted Platform Module (TPM)
Trustworthy Computing (TwC) team
two-factor authentication
type safe practice
types
data
problems
U
ubiquitous computing
UDP (User Datagram Protocol) protocol
UEFI (unified extensible firmware interface)
unconstrained data items (UDI)
unencrypted personal information in breach notifications
Unicode support
unified extensible firmware interface (UEFI)
unit testing
United States Computer Emergency Readiness Team (US-CERT)
unmanaged code vs. managed
unstructured data
unstructured threats
upgrades, product
usability
completion criteria
pre-release testing
usage, data
use cases
Use of Potentially Dangerous Functions vulnerability
User Datagram Protocol (UDP) protocol
user definitions
user experience (UX) interface
user stories in XP
user-supplied input in command injection attacks
usernames in authentication
UX (user experience) interface
V
validation
cryptographic
input
installation
post-release
software development
software requirements
threat model
Validity field for digital certificates
vendor technical integrity controls
verification
installation
Microsoft SDL
post-release
software development
Version number field for digital certificates
versions
configuration management
release management
views for database security
virtualization
vulnerabilities and countermeasures
common enumerations
CWE/SANS top 25
vulnerability categories
description
embedded systems
input validation failures
Open Web Application Security Project
side channels
social engineering attacks
tracking and resolution
virtualization
W
walkthroughs, code
warranties
waterfall model
weak links in supply chains
weakest links in systems
web services
Web Services Description Language (WSDL)
Web test tools
white-box testing
wireless communications
World Intellectual Property Organization
WSDL (Web Services Description Language)
X
X.509
credentials
XP (extreme programming)
XrML (eXtensible rights Markup Language)
XSS (cross-site scripting)
Z
Zachman Framework