
Index

Note: Page numbers followed by f and t indicate figures and tables, respectively

1G networks, 339–340

2G networks, 340

3D Secure 2.0 (3DS2), 302–303

3G networks, 340, 340f

4G networks, 341–342, 341f

5G networking, 344–345

5G networks, 342–345

5G service types, 343–344, 343t

5G signaling, 344

6LoWPAN, 354

A

abandoned shopping cart, 322

abuse of functionality, 169

acceptance stage, 239

accepting user input, 141–143, 228–233

access control, 243

access control measures, 217–218

access privilege policies, 254

access security, 341

account lockout policy, 170–171, 171t

actions, 354

active/active forwarding, 345

add-on apps, 203

address change fraud, 212

address spoofing, 134

Advanced Encryption Standard (AES), 95, 242

advanced NTFS settings, 186, 188t

adware, 122

agile software development methodology, 311–315

AIaaS. See Artificial Intelligence as a Service

Americans with Disabilities Act Standards for Accessible Design, 299

America OnLine (AOL), 15

Annualized Loss Expectancy (ALE), 104, 104f

Annualized Rate of Occurrence (ARO), 104

anti-automation attacks, 189–190

Anti-Money Laundering (AML), 304

antisocial defense, 51

antivirus software, 221

Apple IIGS, 17

application and coding security, 105

application assessment, 89

application development, 390–392, 390t

application hardening, 185, 262

application layer security, 341

application misconfiguration, 185

application programming interface (API), 204–206

application security, 214

application server, 30

application software, 73–74

Archie search engine, 16

architecture, 207

ARPANET, 8–11, 9f, 9t

artifacts, 313

Artificial Intelligence as a Service (AIaaS), 37

asset control, 46

asset identification, 97

asset protection, 47

“As We May Think”, 14

ATMs. See automatic teller machines

attack plan, 279–280, 281–282

attack vector, 49

authentication, 236, 238, 249, 342, 351

authentication failure, 72–73, 151–153

authentication method, 159

authentication policies, 253

authorization, 191

authorization risks, 351

automatic attendants, 367

automatic directory listing, 185

automatic teller machines (ATMs), 51

automobile data collection, 355

availability, 45, 45f

average time on site, 139

B

backdoor attacks, 118

back-end, 166–167, 281–283

Backup as a Service (BaaS), 37

backups and archives, 393

baiting, 50

black hat hackers, 116

blacklisting, 229

blended threat malware, 54

blockchain, 25–26, 25f

blocking email threats, 366–367

blog sites, 24

bootloader, 121

broadcast range, 342

broken access control, 70, 144–145, 145f

broken links, 321

browser alerts, 125, 125f

Brute force, 118

brute force attack, 73, 169–170

buffer overflow, 84, 84f, 171–173

bulletin-board services (BBS), 15

Business Email Compromise (BEC), 366

business on the web, 78–81

business-to-business (B2B) modes, 78

business-to-consumer (B2C) modes, 78

Byte Information Exchange (BIX), 15

C

CaaS. See Cloud as a Service

California Privacy Rights Act (CPRA), 296

“call-to-action” (CTA), 329, 329f, 329t

CAMS model, 317, 317f

CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart), 190, 190f

Cardholder Data Environment (CDE), 216

cellular networks, 339–346

censorship, 208–209

CEO fraud, 366

CERN (Conseil Européen pour la Recherche Nucléaire), 17, 18

change management, 328

Children’s Online Privacy Protection Act (COPPA), 299

CIA triad, 45, 45f, 92, 385

client privacy agreement, 126

client/server computing, 18, 30–31

client-side validation, 228–229

closures, 61

Cloud as a Service (CaaS), 38

cloud computing, 34–38, 35f

cloud security, 214–215

cloud security posture management (CSPM), 215

cloud service provider (CSP), 35, 35f, 86, 215

cloud workload protection platform (CWPP), 215

code quality risks, 351

code tampering risks, 351

coding errors, 251t–252t

Common Gateway Interface (CGI), 29, 30f, 231–232, 259–261

common vulnerabilities, 83

Common Vulnerabilities and Exposures (CVE), 87, 286

Common Vulnerability Scoring System (CVSS), 286

communication, 351, 360–363

communication privacy and security, 361

Communications Act, 299

Community Emergency Response Team (CERT) program, 256

compiler warnings, 256

Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA), 190, 190f, 304

compliance issues, 294–296

compliance risk, 56

compound SQLi, 83–84

CompuServe, 15

Computer Fraud and Abuse Act (CFAA), 299

computers and computing, 6–7, 7t

Computer Science Network (CSNET), 11

confidentiality, 44–45, 45f

configuration, 263

configuration errors, 60

consumer-to-business (C2B) modes, 78, 79f

consumer-to-consumer (C2C) modes, 78–79

contact us forms, 143

content adaptation, 373

content delivery network (CDN), 204

content optimization, 28

content spoofing, 173

continuous integration/continuous deployment (CI/CD) pipeline, 153

cookie encryption, 324

cookie management policy, 297–298

cookies, 61–65, 62f, 63f

cookies on multiple browsers, 323–324

cookies testing, 322–324, 323f, 324f

corporate espionage, 117

corrupt cookies, 323

Counter Terrorist Financing (CTF), 304

cracker, 115

credential/session prediction, 173–174

credential stuffing, 72

credit card information, 170

creeper, 120

cross-site request forgery (CSRF), 160, 174

cross-site scripting (XSS) attack, 160, 174

cryptanalytic software, 146

cryptographic failures, 70–71, 145–146

cryptographic knowledge, 263

cryptography, 145

cryptography risks, 351

crystal, 314

current threat identification, 69–74

customer-focused services, 80

customer support forms, 143

cybercriminals, 49

cyberstalking, 126–127

cyberterrorists, 49, 116

D

daily scrum, 313

daily tasks for Web developers, 397–398

damaged access control, 87

damaged authentication, 87

DARPA (Defense Advanced Research Projects Agency), 7

data, 4–5, 5f

data analysis, 354

data assets, 97–99, 98t, 99t

database access, 219

database administrators, 384–389

database administrator vs. designer, 387–388

database career path, 387f

database management tasks, 388–389

database security, 385

database security training and certification, 389

database vulnerabilities, 386–387

data confidentiality policy, 254–255

Data Encryption Standard (DES), 242

data handling, 301

data integrity issues, 73–74

data in transit security, 341, 361

data tampering, 249

data transfer speeds, 342

data validation, 263

datum, 4, 5f

debit cards, 212

decentralized Web, 26

deception, 91

deep web, 396

default/unchanged passwords, 60

defect vulnerabilities, 54

Defense Advanced Research Projects Agency (DARPA), 7

defense against DoS, 377

Defense-in-depth (DiD), 155

delivery, 373

demilitarized zones (DMZ), 219, 219f, 248

denial of service (DoS) attack, 118, 174–175

dependencies, 149

deployment stage, 239

designing stage, 238

Desktop as a Service (DaaS), 38

development environments, 308

development processes, 233–235

development team, 312

DevOps, 317–318

dictionaries, 24

dictionary attack, 73, 118

Diffie-Hellman, 159

Digital Enhanced Cordless Telecommunications (DECT), 340

Digital Equipment Corporation (DEC), 120

directory indexing, 87, 88f, 185

directory portals, 29

directory traversal, 87

disable cookies, 323

disclosure of confidential data, 254

disruption, 91

distributed DoS attack, 119

DNS attacks, 134

DNS names, 133–134

documentation, 215, 223

documentation testing, 327–328

document control, 377

Domain Name System (DNS), 10, 132–134, 269

DoS attacks, 134

driver’s license number fraud, 212

dumpster diving, 50

duplication, 258

Dynamic application scanner tools (DAST), 237

dynamic SQL, 259

Dynamic Systems Development Method (DSDM), 314

E

early E-commerce, 79

early internet, 15–17, 15f, 16f

electronic-commerce (e-commerce), 78

Electronic Communications Privacy Act (ECPA), 299, 360

electronic mail (email), 10

Elk Cloner, 120

email, 122, 347, 352

email attacks, 127–128

email blocking, 128

email filters, 366

email links, 321

email notifications, 368

email protocols, 13

email tracking, 128

email vulnerabilities, 365–366

encapsulation, 107

encrypt data transmission, 221

encrypt HTML code, 257

encryption algorithms, 342

encryption protocols, 261

end of life, 237

endpoint device, 338–339

endpoint device communication, 351–353

end-user education, 189, 235

end-user vulnerabilities, 124

Energy Sciences Network (ESnet), 11

ENQUIRE system, 17

enumeration, 269

error-band SQLi, 83

error handling, 158, 238

error messaging, 262

error tracing, 158

escalated privilege malware, 54

escalate privilege level, 280–281, 282

evasion malware, 54

evil twin, 65

executive sponsor, 316

executive summary, 284–285

exploitation, 81

exploit malware, 54

exposure factor (EF), 103

exposures, 60

Extensible HyperText Markup Language—Mobile Profile (XHTML-MP), 327

Extensible Markup Language (XML), 167

extensions, 21–22, 22f

external security, 166

external web hosting, 129–130

extraneous functionality risk, 351

Extreme programming (XP), 314

F

Feature-driven development (FDD), 315

Federal Trade Commission (FTC) Act, 299

file corruptors, 52

File Retrieval and Editing System (FRES), 15

file system permissions, 185–186, 186t

File Transfer Protocol (FTP), 13, 269

filtering systems, 189

financial motivations, 117

fingerprinting attack, 175, 269

firewall, 215, 218–220, 248

firmware, 122

footprinting, 134

format string attack, 175–176

forms testing, 321–322

forums, 142–143

4G networks, 341–342, 341f

Fprint, 175

fraud, 124–126

front-end, 166

FTP (File Transfer Protocol), 10

functional testing, 320–326, 320f

functional websites, 230–233

G

gaps and holes, 280, 282

General Data Protection Regulation (GDPR), 56, 213, 295–296

general privacy laws, 294–295, 294t, 295t

general system maintenance, 393

Genie, 15

global positioning system (GPS), 339

Google Analytics tool, 139, 139f, 140f

Gopher system, 16

government-sponsored threat actors, 49

Gramm-Leach-Bliley Act (GLBA), 299

graphic design, 166

grey hat hackers, 116

groupware, 16

H

hacker attacks, 117–119

hackers, 115–116, 115f

hacktivists, 49, 85, 116

harassment, 126–127

hardening, 60–61, 148

hardware, 1614, 393

hardware vulnerabilities, 123

harm, 119

hashing algorithms, 242

hash injection, 118

Health Insurance Portability and Accountability Act (HIPAA), 56, 299

health monitoring, 355

hobbyists, 116

honey trap, 50

host assessment, 89

host-based security mechanisms, 235

HTML/CSS validation testing, 324–325, 325f

HTML secure coding standards and techniques, 257–258

HTTP attacks, 176–177, 176f

HTTP-only cookies, 63

HTTP request smuggling, 177

HTTP request splitting, 177

HTTP response, 177

HTTP Strict Transport Security (HSTS), 146

HTTrack Website Copier, 277

human vulnerabilities, 45

hybrid application, 203–204

hybrid brute force attack, 73

hybrid client, 31

hybrid cloud, 36

hypertext, 13–15, 14f

Hypertext Editing System (HES), 15

Hypertext Markup Language (HTML), 18, 230–231

Hypertext Transfer Protocol (HTTP), 13, 18, 269

Hypertext Transfer Protocol Secure (HTTPS), 240

hypervisor, 34

I

IBM PC/AT, 17

identification, 72–73

identification failures, 151–153

identity theft, 51–52, 127

IEEE 802.11ah, 354

IM mitigation techniques, 371

impact scale, 102

impersonation, 182

implementation stage, 238

imposters, 368

IM threats, 371

in-band SQLi, 83

incident response, 254

incorporate PCI DSS, 278–279

ineffective login credential recovery, 73

information, 56

information leakage, 158, 189

information security, 209, 210t, 213–215

information security standards, 210–211

Infrastructure as a Service (IaaS), 37

infrastructure security, 214

inherited permissions, 187

initial discovery on targeted website, 269–274

injection, 146–147

injection attack, 71, 147, 178

input data validity, 322

input handling, 186

input, process, and output model, 6, 6f

input validation, 236, 238, 249–250, 256, 258, 260

insecure design, 147

insecure location, 46–48

insider risk, 56

instant messaging (IM) chat, 348, 371

integer overflows, 177–178

integrity, 45, 45f, 153

integrity algorithm, 159

intelligent power outlets, 355

interception, 85–86, 86f

Interface Message Processor (IMP), 8

interference band SQLi, 83

internal link, 321

internal security, 165165

internal web hosting, 131–132

internet browsing, 352, 352f

internet connection, 134–135

Internet Corporation of Assigned Names and Numbers (ICANN), 131

Internet Engineering Task Force (IETF), 91

Internet Key Exchange (IKE), 159

Internet law, 207–208

Internet Message Access Protocol (IMAP), 178

Internet of Things (IoT), 343, 353–355

internet privacy issues, 363

Internet Protocol (IP), 10, 269

Internet Protocol Security (IPSec), 107, 159

internetwork, 9

intrusion detection systems (IDSs), 248

IP communications, 104–105

IPO (Input, Process, and Output) model, 6, 6f

IS-IS (Intermediate System to Intermediate System) Protocol, 10

IT managers, 383

J

JavaScript, 232, 258

JavaScript Object Notation (JSON), 167

Joint Application Development (JAD), 315–318, 316f

K

Kanban, 315, 315f

Kernel mode, 122

keylogger, 53

keyword filtering, 128

keyword research, 27–28

keyword search, 27–28

“Known Exploited Vulnerabilities Catalog” website, 44, 44f

Know Your Business (KYB) verification, 303

Know Your Customer (KYC) verification, 303

L

lawful basis, 300

laws, 208

layered security, 257

layered security strategies, 235–237

Layer 2 Tunneling Protocol (L2TP), 107

LDAP injection, 178

Lean software development (LSD), 315

least privilege, 257

leave/bounce rate, 139

legal disclaimer, 128

legal requirements compliance, 297–298

Li-Fi, 354

Lightweight Directory Access Protocol (LDAP), 178

limited open-source software, 23

line mode browser, 19–20, 19f, 20f

link bonding, 345

link building, 28

links testing, 321

local data, 361

logging and log management, 222–223

logical security, 97

logon credentials, 170

long-term recommendations, 287

luring attacks, 249

M

MAC address filtering, 66

Macintosh II, 17

macro viruses, 52–53

mail command injection, 178

mail server, 30

malicious code, 170

malware, 52, 85, 119–122, 121t, 366

malware replication, 122–123

malware threats, 123

man-in-the-middle (MitM) attack, 118, 250

map APIs, 206

map overlay, 140, 140f

market segmentation, 142

maturing network, 11

mean time to failure (MTTF), 318

mean time to recovery (MTTR), 318

Media Access Control (MAC), 271

memory mode, 122

Merriam-Webster.com, 4

message archiving, 128

message priority, 128

messaging/chat, 352

messaging, social networking sites, 369

meta description, 28, 28f

Microsoft Internet Information Services (IIS), 277

Microsoft Security Development Lifecycle (Microsoft SDL), 234

Microsoft Windows, 20, 21

misconfiguration, 71–72

missing data, 322

missing/omitted links, 321

mitigate vulnerabilities, 252–256

mitigating risk, web applications, 215

mitigating voicemail risks, 368

mitigating weaknesses, 194

mitigating web application vulnerabilities, best practices, 262–263

mitigating web attacks, 193–194

mitigating website security flaws, 326–327

mitigation strategies, 104

MMS messaging, 349–350

MMS threats, 373–374

MMS vs. SMS, 373

mobile devices, 327

mobile Email, 348

monitor HTML code, 258

Mosaic, 19, 19f, 20f

multi-factor authentication (MFA), 151, 152f, 166

Multimedia Messaging Service (MMS), 349, 372

multimedia messaging service encapsulation protocol, 373

multiple points of presence (MPOP), 370

N

NASA Science Internet (NSI), 11

NASA Science Network (NSN), 11

National Aeronautics and Space Administration (NASA), 7

National Institute for Science and Technology (NIST), 91, 98

National Institute of Systems Technology (NIST), 36

National Vulnerability Database (NVD), 165

native application, 203

natural vulnerability, 48

NCSA Mosaic browser, 20

Nessus vulnerability, 273–274, 273f

Netscape, 20, 21

network, 354

network administration tasks, 393

network administration training and certification, 394

network administrators, 383

network architecture, 175

Network as a Service (NaaS), 38

network assessment, 89

network blueprints, 219

network homogeneity, 54

network management, 392–395

network security features, 345–346

network shares, 122

Next Generation Mobile Networks (NGMN), 342

nexus, 17

The Nines, 94

NIST SP 800-160 Vol. 1, 234

Nmap/Network mapper, 271–272, 272f

no backup plan, 47

no contact, 126

noninteractive sites, 23

nonsecure code, 250–252, 251–252t

norms, 208

NSFNET, 10–11

null byte injection, 178–179

O

observer, 316

official app stores, 202

1G networks, 339–340

online business risk, 95–107

online privacy and security, 362–363

online risks and threats, 129

online surveys, 143

“oN-Line System”, 14

open doors, 54

Open Mobile Alliance (OMA), 327

Open Systems Interconnection (OSI) Reference Model, 10

Open Web Application Security Project (OWASP), 69, 69f, 143, 165

operating system fingerprint, 272

operational compliance, 299–301

organizational agendas, 117

OS commanding, 180

outbound link, 321

out-of-band SQLi, 83–84

out-of-the-box (OOB), 147

output handling, 188

Over-the-Top (OTT), 365

OWASP Application Security Verification Standard (ASVS), 235

OWASP top 10 mobile risks, 350–351

OWASP top 10 threats, 143–157, 156–157t

ownership, 48

P

packet switching, 8

page layout, 166

password attacks, 118

password based key derivation function (PBKDF), 146

password policies, 171, 172t

password recovery, 191

passwords, 220

path traversal attack, 180

Payment Card Industry Data Security Standard (PCI DSS), 56, 210–212, 216–218, 217t, 301–302

payment processing compliance, 301–303

Payment Services Directive (PSD2), 302

PCI DSS, 278–279

peer-to-peer (P2P) sharing networks, 122

penetration testing, 223, 279

perimeter security, 166, 235

persistent cookies, 62, 63, 323

personal agenda, 117

personal attacks, 124

personal computers (PCs), 17

personally identifiable information (PII), 45

pervasive computing, 26

phase II SA negotiation, 159

phase I SA negotiation, 159

phishing, 366

phishing attack, 50

physical intrusion, 65

physical security, 97, 261, 353, 376

physical security plan, 46–47

physical security vulnerabilities, 124

ping flood, 118–119

Ping Sweep, 269–271, 270f

planned attacks, 279–281

Platform as a Service (PaaS), 37

Point-to-Point Tunneling Protocol (PPTP), 107

polymorphic viruses, 53

port scan, 273–274

port vulnerabilities, 123–124

post-launch, 331–332, 331f

potentially unwanted programs (PUPs), 119

predictable resource location, 181

pre-launch tasks, 328–329

presence and availability, 369–371

pretexting, 50

Printf, 175

privacy, 360–363

privacy policy, 297

privacy vs. security, 361–362

Private Branch Exchange (PBX), 376

private cloud, 36

private data, 361

private data privacy, 59

probability range, 102, 102t

process validation, 191

product backlog, 313

product life cycles, 148

product owner, 312

programming tasks, 391–392

programming training and certification, 392

progressive web applications (PWA), 204

project manager/facilitator, 316

protecting assets, 57–59

protect stored PII data, 220–221

protocol, 11

proxy server, 31

public cloud, 36

public data, 361

Public Suffix List, 63, 64f

Q

qualitative analysis, 101

qualitative assessment, 101–103, 102t, 103t

quality assurance techniques, 257

quantitative analysis, 101

quantitative assessment, 103–104, 104f

R

radio access technology (RAT), 342

radio frequency identification (RFID), 354

ransomware, 52, 54–55, 94–95, 122, 366

Rapid application development (RAD), 315

Read-Only Web, 22

real-time communication, 364–365

Real-time Transport Control Protocol (RTCP), 378

Real-time Transport Protocol (RTP), 378

recommendations section, 286–287

recorder, 316

records of consent, 298

recovery time objective (RTO), 318

Red Flags rule, 211–212

redirection, 85

references, 24

releasing website to world, 328–332

remote code execution (RCE), 88

remote file inclusion (RFI), 88, 181

remote management, 377

remote management capabilities, 376

REpresentational State Transfer (REST), 167

request, 18

Request for Comments (RFC), 229–230

resource theft, 117

response, 18

restrict physical access, 222

return policy, 126

reverse brute force attack, 73

reverse engineering risk, 351

revision-level tracking, 261

risk, 43, 43f, 55–57, 96t

risk assessment, 56–57, 101, 223

risk assessment matrix (RAM), 101–103, 102t, 103t

risk identification, 68–69

risk management, 99–101, 100f

risk matrix, 57, 57f

risks, 114

Rivest Cipher, 242–243

rootkits, 53, 121

routing detour attacks, 181–182, 182f

run diagnostics, 331, 331f

S

same-site cookies, 63

sanctions screening, 304

Sandbox security, 259

sanitization, 187

Sarbanes-Oxley Act (SOX), 56

scareware, 50–51

script kiddies, 49, 116

scrum, 311–314, 312f

scrum master, 312

search engine optimization (SEO), 27–28, 324, 325f

search engines, 27–29, 29f

secure access, 107

secure application development, 234–235

secure coding best practices, 256–257

secure coding standard, 257

secure cookies, 63

secure protocols, 240, 240t

Secure Sockets Layer (SSL), 146, 241–243, 241f, 260

secure software development life cycle (SSDLC), 234

securing unified communications, 377

security, 42, 360–363

security actions, 218–223

security areas, 165–167

security assessment, 268–269, 274–279, 286, 288–289

security assessment report, 283–287

security association (SA), 159

security audits, 148

security configuration, 86, 341

security information review, 394–395

security logging and failures, 154–155, 154f

security logging and monitoring, 74

security measures, 300

security misconfigurations, 147–149

security requirements within SDLC, 237–239

security settings misconfiguration, 88

security testing, 325–326

security threats, 91–92, 385–386

security, Web developers, 396

Semantic Web, 24

sensors, 354

SEO strategy, 330–331

SEO title tags, 28, 28f

server misconfiguration, 192–193

server-side include (SSI) injection, 29, 179

server-side rendering (SSR), 204, 205f

Server-Side Request Forgery (SSRF), 155

server-side validation, 229

service delivery models, 37–38

service deployment models, 36–37

service-level agreement (SLA), 94, 130

service packs, 106–107

session cookie, 62, 323, 324

session expiration, 191–192

session fixation attack, 182–183, 183f

session hijacking, 250

session ID, 73, 173

Session Initiation Protocol (SIP), 377

session management, 249–250, 378

session replay, 250

session setup, 378

Short Message Service (SMS), 339, 348, 372

short-term recommendations, 287

shoulder surfing, 51

signup forms, 143

simple brute force attack, 73

Simple Mail Transfer Protocol (SMTP), 178, 269

Simple Network Management Protocol (SNMP), 275

Simple Object Access Protocol (SOAP), 167, 183

Single Loss Expectancy (SLE), 103

single page application (SPA), 204

SIP best practices, 379

SIP features and essentials, 377–378

SIP user agents (UA), 378–379, 378f, 379f

site usage, 139

smartphones, 338–339

SMS/Text Messaging, 348–349, 349f, 352

SMS threats, 372

SOAP array abuse, 183

social computing, 26

social engineering, 49–51, 365

social media APIs, 206

social networking, 24

software and data integrity failures, 153–154

Software as a Service (SaaS), 37, 198

Software Assurance Maturity Model (SAMM), 235

software configuration management (SCM), 261

Software-defined networking (SDN), 345

software development life cycle (SDLC), 233–234, 233f

software development methodologies, 308–309

software testing, 268–269

software updates and fixes, 393

software vulnerabilities, 123

Space Physics Analysis Network (SPAN), 11

spam, 366

spear phishing, 366

sponsored/cyberwarfare motivations, 117

sponsored hackers, 116

spoofing, 365

sprint, 313

sprint backlog, 313

sprint demo, 313

Sprintf, 175

sprint planning, 313

Sputnik, 7, 8f

spyware, 53, 122

SQL database access secure coding, 259–261

SQL Database Back-End, 232–233

SQL injection (SQLi), 83–84, 179, 282–283

SSID, 68–69

SSL/TLS encryption, 242–243

stakeholder, 312, 316

standard sets of values, 322, 322f

state data privacy and protection laws, 56

state-sponsored threat actors, 49

static application scanning tools (SAST), 236

static site generation (SSG), 204

static website content, 23

static Web sites, 22

store-and-forward communication, 363–364

STRIDE threat model, 92–93, 92t, 93t

Strong Customer Authentication (SCA), 302

structured query language (SQL), 281–283

summary of findings, 285

Supercookies, 63–64

surveillance, 47, 363

suspicious domain name, 125, 125f

symbiotic computing, 26

System Development Life Cycle (SDLC), 309–311, 310f

system failures, 393

system hardening, 262

systems analysis stage, 237–238

T

tablets, 339

tax compliance, 303

technical advisor, 316

technological security of devices, 352

telephone and private branch exchange communications, 376–379

telephone number fraud, 212

Telnet (Teletype network), 10

termination, 18

terms and conditions, 298

testing stage, 239

test inside and out, 288

theft, 363

thick client, 31

thin client, 31

think outside the box, 288–289

third-party APIs, 206

third-party app, 202–203

third-party cookies, 64

third-party risk, 56

third-party Web apps, 203–204

thread, 354

threat action, 90

threat actor, 49, 90

threat agent, 90

threat assessment, 238

threat consequence, 90

threat identification, 68–69

threat maps, 68–69, 68f

threat mitigation, 238

threats, 43, 43f, 48–55, 90, 97, 114, 160, 365–376

Third Generation Partnership Project (3GPP), 342

top-level domain (TLD), 132, 133f, 133t

tracking, 363

Transmission Control Protocol (TCP), 10, 271

Transmission Control Protocol/Internet Protocol (TCP/IP), 11–13

Transport Layer Protection, 192

Transport Layer Security (TLS), 192, 241, 260

triple DES (3DES), 242

Trojan horse, 53

trojans, 121

trust icons and logos, 126

tunneling, 107, 345

turing tests, 304

The Twilio API, 206

U

ubiquitous computing, 26

ultra-low emission (ULE), 354

unauthorized disclosure, 91

unauthorized file sharing, 66

unencrypted data-at-rest, 387

unencrypted data-in-transit, 387

Unified Communications as a Service (UaaS), 38

Uniform Resource Identifier (URI), 206

unintended download, 54

union-band SQLi, 83

Universal Document Identifier (UDI), 18

UNIX/Linux, 270

unofficial app stores, 203

unpatched database systems, 386

unsanitized inputs, 386

unsecure communications, 158–159

unsecure indexing, 189

unsecure protocols, 240, 240t

unsolicited email, 366

unused database elements, 386

update and patch systems, 222

URL access, 159–160

URL redirector abuses, 180

U.S. Computer Emergency Readiness Team (US-CERT), 165

user agent client (UAC), 378

user agent server (UAS), 378

user and group privileges, 386

user availability, 378

user capabilities, 378

User Datagram Protocol (UDP), 13

user experience (UX), 320

user-generated encyclopedias, 24

user inputs, 277–278

user location, 378

user mode, 122

user stories, 313

U.S. Federal Bureau of Investigation’s (FBI), 82

U.S. Federal Trade Commission (FTC), 368

usurpation, 91

V

validate URLs, 258

velocity, 313

verify vulnerabilities, 326

Veronica search engine, 16

Video-conferencing as a Service (VaaS), 38

Video Privacy Protection Act, 299

virtualization, 31–34, 32f, 33f

virtual machine manager (VMM), 33

virtual machines, 34

virtual memory, 32

virtual private network (VPN), 107

virtual server, 31

viruses, 52–53, 120–121

visitor location, 138

visitor navigation, 139

visitor sources, 138

visitors overview, 139

visitor type, 138

visits, 139

VMware Virtual Platform, 32

voice, 352

voice communication, 346–347

voicemail risks, 367–368

voicemail threats, 367

Voice over IP (VoIP), 374–376

VoIP communications, 375

VoIP implementation, 376

VoIP planning, 375

VoIP threats, 374–375

vulnerability, 43–46, 43f, 81–83, 89–90, 96–97, 123–129, 160, 164–165, 274–279, 279–281, 281–283, 326, 350–351, 365–366, 386–387

vulnerability assessment, 89–90, 285–286

vulnerability management, 217, 236

vulnerability preparation, 283–287

vulnerability scans, 223

vulnerable and outdated components, 149–151, 150f

W

WAN optimization, 345

war driving, 65–66

waterfall model, 233–234, 233f, 309–311

watering hole attack, 51

weak passwords, 46

weak security design, 71

Web 1.0, 22–23, 23t

Web 2.0, 23t, 24

Web 3.0, 23t, 24–26

Web 4.0, 23t, 26–30

Web app architecture, 204

Web application, 164–167, 198–206, 199f, 203, 243–244, 244t

Web application benefits, 201

Web application disadvantages, 201–202

Web application function, 199–201, 200f, 201f

web application security areas, 165–167

Web Application Security Consortium (WASC), 165

Web application vulnerabilities, 164–165, 248–252

Web-based Real-Time Communications (WebRTC), 364

Web browser APIs, 123, 206

Web crawling, 332

Web design and administration, 395–399

Web developer, 395

Web developers training and certification, 398–399

Web-enabled application, 86–89

web evolution, 80–81

web hosting, 129

webmaster, 395

web risks, 160

web server, 31

Web server application, 274, 276

web server front-end, 274

Web Server OS, 274–275

web server version, 175

web service, 167–168, 168f

Web Services Description Language (WSDL), 167

Website, 138–141

Website attacks, 168–184

Website designer, 395

Website diagnostics, 329–330, 330f

Website feedback forms, 143

Website forms, 274, 277–278

Website front-end, 276–277

Website hosting, 129–132

Website launch, 329

Website legal requirements, 296–297, 297f

Website security, 81–95

Website testing, 318–320

Website threats, 93–94

Website vulnerability, 268–269, 288–289

Website weaknesses, 184–193

Web threats, 158–160

white hat hackers, 116

whitelist approach, 187

whitelisting, 229

Whois (Private or Public), 131–132

Wi-Fi Protected Access (WPA), 67

Windows, 270

Wired Equivalency Protection (WEP), 66

Wireless Access Protocol (WAP), 327

wireless endpoint communication, 346–350

wireless network vulnerabilities, 65–68

wireless risks, 66

Worldwide Interoperability for Microwave Access (WiMAX), 340

World Wide Web (WWW), 17–22, 22–30

worm, 53, 121

WPA, version 2 (WPA2), 67

WPA, version 3 (WPA3), 67

X

Xanadu, 14

XML attribute blowup, 183–184

XML entity expansion, 184

XML external entities, 184

XML injection, 184

XML Path (XPath) language, 179

XPath injection attacks, 179

XQuery injection, 180

Z

zero-day malware, 54

ZigBee, 354

Z-Wave, 354