Index
Note: Page numbers followed by f indicate figures and t indicate tables.
A
Abstractions layer
256–257
Access control software fault cluster
180–181, 181f
Action element
250, 251, 255–256, 271–272, 277, 278f
Action package
256
Acquisition
79, 105, 106, 107, 166–167
Aggregated relationship
269–270, 274, 279–281, 294
Aggregation
219–220
Agreement processes
105
Airport luggage screening example
191–193
Analysis
complexity of
5–6, 7, 84
soundness of
64f, 72, 84, 267, 283–284
system analysis
43–44, 45, 85–86, 104, 195, 196
Application code
10, 59, 97, 98–99, 153, 154, 154f, 155, 171–172, 174–175
see alsoBinary code; Source code
Architectural design process
107
Architecture
26, 90
security analysis
54, 63–77, 65f
see alsoSystem architecture
Argument
38, 39–40
defense-in-depth argument
65
structure of
41–42
vocabulary
228
see alsoAssurance argument
Artifacts
7–8, 13, 32, 59, 260, 274
Assets
114–116
characteristics of
121–122
security requirements
122–123
sensitivity of
116, 122
tangible and intangible assets
121
value of
121
vocabulary
120–121
Assumptions
28, 38, 39, 42t, 145, 145t
Assurance
16–17, 36
continuous
52–53
goal-based
25
goals of
62f, 63f, 64f, 65f
in system life cycle
49–52
nature of
31–42
of threat identification
145
process-based
25, 104
see alsoSystem assurance
Assurance argument
60
asset argument
228, 228t
countermeasure argument
144
development
54, 60–62
entry point argument
142–143, 228, 228t
initial
49–50
injury argument
142
layered defense argument
228
security requirement argument
144–145
supporting facts
228t
threat argument
143
threat event argument
228, 228t
vulnerability argument
144
Assurance case
36–42, 106
case study
330–336
contents of
38–41
assurance arguments
39–40
assurance claims
39
assurance evidence
40–41
delivery
55, 78–80
evidence for
36f
analysis
54–55, 78, 79f
collection
54
Project Assurance Case
49–50
System Assurance Case
50–51, 52, 100–101, 104, 259
see alsoAssurance argument
Assurance content
201–203
Assurance project
54, 55–56, 57, 58–60
Attacks
112, 132–133
cyberattack components
115f
direct and indirect attack
115f
multi-stage
115f, 116
pattern
140
scenario
126–127, 140
Authentication software cluster
179–180, 179f
Availability
122–123
related injuries
129
B
Behavior viewpoint
297–299, 299f, 300f
Binary code
8–9, 70, 72, 141, 155, 172, 213, 260
Black cat example
23–31
Black-box testing
8, 11–12
BORO methodology
119–120, 206
Boundaries
55–56, 82–84, 85f
limits of resolution
84–85
Buffer overflow
151–152
Bugtraq
164
Build views
263–264, 265f
Business model
235
C
Call-backs
10, 98–99, 256, 267, 285f, 286
Case study
301–302
assurance case
330–336
building the integrated system model
319–327
baseline system model
319–322
system architecture facts
322–327
business vocabulary and security policy
308–319
Concept of operations (CONOP)
302–308
executive summary
302–303
external dependencies
306
external security notes
308
implementation assumptions
306
interfaces with other systems
307
internal security notes
308
locations
303
operational authority
303
purpose
303
security assumptions
307–308
system architecture
304–306
system assumptions
306
mapping cybersecurity facts to system facts
327–330
Characteristics
213–214
discernable
24
essential
24, 242, 243
Checklist, as machine-readable content
17, 140, 166–167, 168t, 230, 330
Claims
38, 39
assurance argument development
60, 61
case study
330–336
safeguard effectiveness claim
39, 61, 66, 77, 75–76, 141–142, 145t
Code package
255
Code Red worm
152
Code views
272–282, 275f, 276f, 277f, 278f, 279f, 280f
elements of behavior
277–281
elements of structure
274–277
Coding assessment
171
Common Criteria (CC)
Evaluation Assurance Levels
45
cost of
46, 46f
Evaluation Assurance Process
45
Common Fact Model
229f
automatic derivation of facts
219–220
characteristics
213–214
fact-oriented integration
218
individual concepts
211–212, 211f
information exchange protocols
206–208
design criteria
204–205
trade-offs
205–206
information exchanges and assurance
217–218
noun concepts
209–210, 210f
objectives
203–204
objects
208–209, 208f, 209f
existential facts
210–211, 211f
relations between concepts
212
representation of facts
220–226
common schema
226–227
using Prolog
225–226
using XML
220–225
situational concepts
214–216, 214f, 215f
System Assurance facts
227–231
verb concepts
212–213, 212f
viewpoints and views
216–217, 216f
see alsoOMG Software Assurance Ecosystem
Common language
18–20
Common vocabulary
18–20, 67–68, 202
building process
207f, 206
design criteria
204–205
clarity
204
coherence
204
extendibility
205
minimal conceptual commitment
205
minimal encoding bias
205
trade-offs
205–206
for risk analysis
119–121
assets
120–121
attacks
132–133
injury and impact
128–130
safeguards
135–136
threats and hazards
123–127, 130–131, 132–133
vulnerabilities
133–135
Common Vulnerabilities and Exposures (CVE)
167t, 168, 169f, 170
Common Vulnerability Scoring System (CVSS)
99
Common Warehouse Metamodel (CWM)
256
Common Weakness Enumeration (CWE)
174–175
see alsoSoftware fault patterns (SFPs)
Complexity
7
Component-level assessment
171–172
Computation
10–11, 98–99, 175–178
condition
176, 177–178, 178f
context
99f
pattern rule
175–186
Computer Emergency Response Team (CERT)
Coordination Center (CERT/CC)
151
US-CERT vulnerability database
157–161, 158f
Concept of operations (CONOP)
59, 60, 98
case study
302–308
Concepts
definitions of new concepts
240–241
individual concepts
211–212, 211f
primary representation
238–239
relations between
212
situational concepts
214–216, 214f, 215f
see alsoNoun concepts; Verb concepts
Conceptual commitment
18, 85–87, 205, 233–234
Conceptualization
19–20, 205, 233–234
Conceptual package
257
Conceptual schema
223, 229, 237, 308–319
Conceptual view
295–299, 298f, 299f, 300f
Confidence
45
building
78, 79–80
economics of
45–46
as product
45
Confidentiality
122–123
related injuries
129
Context
38
Control flow
98–99, 277, 278f, 279, 279f
Core package
254–255
Correction of vulnerability
164
Correctness
41
Countermeasures
30, 31
argument
144
Creation of vulnerability
164
Cyber-warfare
1–2
Cybersecurity
elements
114–119
assets
114–116
impact
116
risks
119
safeguards
117–118
threats
116–117
vulnerabilities
118–119
justifiable cybersecurity
111–112
knowledge
17, 112–113
sharing of
17, 18f, 112–113
see alsoSecurity Assessment
D
Data flow
74–76, 97, 98, 177–178
Data Flow Diagram (DFD)
75f, 76f, 77f
Data flow viewpoint
96
Data package
256
Data views
264–270, 267f, 268f, 269f, 270f
Databases
156–163, 157t
Open Source Vulnerability Database (OSVDB)
161–163, 162f
US-CERT
157–161, 158f
Death of vulnerability
165
Default password
155
Defense
14–17
challenges
4–12
layered defense
16
Defense Enterprise Architecture interoperability project
119–120
Defense-in-depth argument
65
Definition, in SBVR
246
Department of Defense Architecture Framework (DODAF)
90–92, 90f, 91t, 93t
Designation, in SBVR
246, 247
Development
seeSystem development
Direct attack
115f
Disclosure of vulnerability
164
publicity
165
Discovery of vulnerability
164
Disposal process
108
Documentation, out-of-date
7
Dynamic testing
seeBlack-box testing
E
Effectiveness
41
Encoding bias
205
Engineering
35, 36
see alsoSecurity engineering
Engineering artifacts
32
see alsoArtifacts
Enterprise management
105
Enterprise processes
105
Entry points
67, 142–143, 201
Event
94
threat event
128, 130–131, 142
Event package
256
Event Trace viewpoint
96
Event views
288–292, 291f, 292f
Evidence
16, 103–104
analysis
54–55, 78, 79f
collection
54
evaluation evidence
104
for assurance case
36f, 38, 40–41
process-based
50, 61, 78, 103
product-based
50, 61, 78, 104
support for cybersecurity arguments
228t
system life cycle evidence
103
see alsoCommon Fact Model
Executive summary, case study
302–303
Existential facts
210–211, 211f
Existing system
4–5, 6, 7, 127, 254, 260
Exploitation of vulnerability
165
Exposure
155
Expression, in SBVR
247
Extension, in SBVR
247
F
Fact
argument
228
asset
227, 228
countermeasure
135–136, 228, 228t
entry point
84, 228, 228t
evidence
228, 228t
existential
210–211
operational
318–319
in SBVR
244
threat agent
130–131, 228t
threat event
130–131, 153, 228t, 328
vulnerability
66, 133–135, 156, 158–159
Fact models
234
vs. linguistic models
234–235, 234f
see alsoCommon Fact Model
Fact-oriented approach
53, 66–67, 191, 202–203, 208, 225–226
Fact-oriented integration
218
Failure Modes, Effects and Analysis
152
False negatives
10, 12
False positives
10, 12
elimination
71
Fault Tree Analysis Method
152
Faulty computations
178
Federal Desktop Core Configuration (FDCC)
166–167
G
Goal-based assurance
25
Goal-Structuring Notation (GSN)
41, 42t
H
Hackers
3–4
knowledge sharing
3–4
Hazard
123–127
causal factors
125, 126f
components of
123–124, 124f, 125
see alsoThreats
Hazard statement
124, 124f
Hazardous element (HE)
124
Hierarchies
87, 88, 89
Home security example
83–84, 148–150
Horizontal traceability link
73–74, 87, 256–257, 258–259
I
Impact
116, 130f
vocabulary
128–130
Implementation and Integration
50
Implementation process
107
Incident components
34, 34f
Indirect attack
115f
Individual concepts
211–212, 211f
Information element
94
Information exchange
94
needline
93
NIST SCAP ecosystem
166–170
OMG Assurance Ecosystem participants
194f, 202–203
see alsoOMG Software Assurance Ecosystem
protocols
206–208
design criteria
204–205
Information flow
44f
Information leak
182–183
Information system
82
Infrastructure layer
254–255
Initiating mechanism (IM)
124
Injury
128–130, 130f, 142
argument
142
vocabulary
128–130, 228
Inquiry into Cyber Crime
1
Intangible assets
121
Integrated system model
89, 89f, 108, 141, 258f
case study
319–327
KDM as foundation for
256–259
see alsoSystem model
Integration process
107
fact-oriented integration
218
Integrity
122–123
related injuries
129
International Security Engineering Association (ISSEA)
31–32
Inventory package
254–255, 260
Inventory views
260–263, 262f, 263f
vocabulary in SBVR
261–263
J
Justifiable cybersecurity
111–112
Justification
25, 42t
see alsoArgument
K
Key state questions
140
Knowledge
concrete knowledge
194
cybersecurity knowledge
17, 112–113
exchange
18, 194, 194f
export
197, 207, 320–321
extraction
59, 60, 259, 320–321
extractor
60
general knowledge
194
import
60, 196, 203, 259, 301, 321–322
integration
60, 66, 168–170, 196–197, 198, 218, 327
refinery
197, 330
sharing
18f, 20, 71, 168, 191, 197, 205, 332
system knowledge
95–98
Knowledge Discovery Metamodel (KDM)
175, 175f, 228, 253–254
abstractions layer
256–257
action element
250, 251, 255–256, 271–272, 277, 278f
action package
256
architecture analysis
292–299
Behavior viewpoint
297–299, 299f, 300f
Conceptual view
295–299, 298f, 299f, 300f
Linguistic viewpoint
297f, 298f
Structure views
292–295, 294f
code package
255
conceptual package
257
core package
254–255
data package
256
discovering baseline system facts
260–292
Build views
263–264, 265f
Code views
272–282, 275f, 276f, 277f, 278f, 279f, 280f
Data views
264–270, 267f, 268f, 269f, 270f
Event views
288–292, 291f, 292f
Inventory views
260–263, 262f, 263f
micro KDM action elements
281–282, 281f
Platform views
282–288, 284f, 285f, 286f, 287f, 288f, 289f
User Interface (UI) views
270–272, 271f, 272f, 273f
event package
256
infrastructure layer
254–255
inventory package
254–255, 260
platform package
256
process of discovering system facts
257–259
program elements layer
255–256
resource layer
256
source package
260
structure package
257
vocabulary organization
254–257, 255f
Abstractions layer
256–257
Infrastructure layer
254–255
Program Elements layer
255–256
Resource layer
256
Knowledge sharing
by hackers
3–4
common vocabulary
18–20
cybersecurity knowledge
17, 18f, 112–113
see alsoInformation exchange
L
Legacy software systems
6
Linguistic models
18–20, 233–235
vs. fact models
234–235, 234f
Linguistic viewpoint
297f, 298f
Location
23–31
of vulnerability
155
Luggage screening example
191–193
M
Machine-readable artifacts
72–73
see alsoArtifacts
Malware
2, 4
Memory access software faults
184–185
Memory management software faults
184
Meta-Object Facility (MOF)
254–255
Micro KDM action elements
281–282, 281f
Mishaps
123, 125–126
mishap probability factor
125
mishap severity factor
125
MITRE Corporation
167t, 168t, 170
Common Weakness Enumeration (CWE) project
174–175
Model Driven Architecture (MDA)
8
Morris worm
151–152, 156
N
National Checklist Program (NCP)
166–167
National Defense Industrial Association (NDIA)
16
National Institute for Standards and Technology (NIST)
82
Common Vulnerability Scoring System (CVSS)
99
Security Content Automation Protocol (SCAP) ecosystem
165–170, 167t, 168t, 169f, 172–173
information exchanges
166–170, 169f
overview of system
166
potential expansion
172–173, 173f
National Security Agency (NSA)
82
Network
82
see alsoSystem
Network configuration
98–100, 99f
Network Rating Methodology
82
Network security testing tools
11–12
Noun concepts
209–210, 210f
Behavior viewpoint
299f
Build viewpoint
265f
Code viewpoint
275, 275f, 276f, 277, 278f
Conceptual viewpoint
299f
Data viewpoint
266, 267f
definition of
240
discernable
19–20, 24, 39, 40, 86–87, 139, 178–179, 206, 208
elementary meanings
241, 241f
Event viewpoint
290, 291f
Inventory viewpoint
261–262, 262f
Linguistic viewpoint
297f
Platform viewpoint
284f, 287, 287f
primary representation
239
representations
245, 245f
Structure viewpoint
294f
User Interface (UI) viewpoint
271f
Noun form, in SBVR
246–247
Nuts and bolts example
208–218, 219–220
O
Objects
208–209, 208f, 209f
existential facts
210–211, 211f
Off-the-shelf system components
70
Off-the-shelf vulnerabilities
70
OMG Software Assurance Ecosystem
17, 193–199
end-to-end solution provision
198, 199f
interface provision
198, 199f
knowledge exchange between participants
194f, 202–203
knowledge-driven integration
198, 198f
protocols
198, 202–203
bridging protocol
197–198
concrete knowledge discovery protocol
195–196
content import protocol
196
general knowledge protocol
195
integration protocol
196–197
knowledge creation protocol
197
knowledge delivery protocols
195
knowledge refinery protocol
197
knowledge sharing protocol
197
SBVR use
235–236
system analysis protocols
195
see alsoCommon Fact Model
Open Source Vulnerability Database (OSVDB)
161–163, 162f
Operation and maintenance process
108
Operational activity
94
Operational fact
318–319
Operational node
93
Operational Security Service
50
Operational views and viewpoints
93, 94f, 95f
Operational vocabulary
235, 318–319
Outsourcing issues
5
P
Packet injection techniques
11
Path resolution software faults
185
Penetration testing
12, 71, 112
Platform package
256
Platform views
282–288, 284f, 285f, 286f, 287f, 288f, 289f
Policy
68
case study
308–319
compliance assessment
172
Preliminary System Assessment (PSA)
50–51, 144–145
Privilege software fault cluster
181–182, 182f
Process-based assurance
25, 104
Program elements layer
255–256
Project Assurance Case development
49–50
Project definition
54, 55–58, 56f, 106
Project management processes
105, 106
Project preparation
54, 58–60
Prolog, representation of facts
225–226
Properties
213–214
Proposition, in SBVR
244
Protocols
for exchanging patterns
235, 235–236
for exchanging system facts
253–254
for exchanging vocabularies
235
information exchange protocols
206–208
design criteria
204–205
trade-offs
205–206
noncompliance with
6
standard protocols
202
Q
Question
244–245
R
Rapid Application Development (RAD)
8
Reference scheme, in SBVR
210–211, 247–248, 249f
Repository, fact-based
53, 66–67, 71, 86–87, 139, 176, 191, 195, 196–197, 196, 257, 319, 324, 326, 332–335
Requirements analysis process
107
Resolution
84
Resource
100, 282, 283, 321
Resource Description Framework
254–255
Resource layer
256
Risk
119
vocabulary
136–139
Risk assessment
15–16, 33–34, 111–114
common vocabulary
119–121
difficulties
5
risk analysis
44, 54–55, 119, 139, 330
Risk management
33, 34
Role, in SBVR
243
Rules viewpoint
97
Runtime platform
100, 100f
S
Safeguards
117–118, 137f, 178
effectiveness claim
39, 61, 66, 77, 75–76, 141–142, 145t
footholds
178
identification of
66, 68, 69f
software fault pattern clusters
179–182
access control
180–181, 181f
authentication
179–180, 179f
privilege
181–182, 182f
vocabulary
135–136
Script kiddies
3–4
Scripting
165
Security assessment
50, 171–174
component-level assessment
171–172
policy compliance assessment
172
Preliminary System Assessment (PSA)
50–51, 144–145
secure coding assessment
171
security architecture assessment
172
System Security Assessment (SSA)
50–51, 144–145
Threats and Risk Assessment (TRA)
50, 144–145
see alsoCybersecurity
Security Content Automation Protocol (SCAP)
seeNational Institute for Standards and Technology (NIST)
Security controls
50, 102–104, 172
Security engineering
14–15, 31–32
Security Information Provider
156
Security Management Plan
50
Security objectives
38
Security posture
14, 15–16, 100–101
analysis
66, 73–77
Security requirements
122–123, 144–145
Semantics of Business Vocabularies and Business Rules (SBVR)
235–236
case study
308–319
overview
236–237, 236f
reference schemes
247–248, 249f
semantic formulations
248–252
defining new terms and fact types
250–252
use of
237–241
definitions of new concepts
240–241
simple vocabulary
237–238
statements
239–241
vocabulary entries
238–239
vocabularies
for describing elementary meanings
241–245, 241f, 243f
for describing extensions
247, 248f
for describing representation
245–247
Sensitivity, of assets
116, 122
Sentential form, in SBVR
246
Service
95, 121
Signifier, in SBVR
247
Situational concepts
214–216, 214f, 215f
Sniffing techniques
11, 12
Software
assurance
seeSystem Assurance
fault patterns
71
legacy systems
6
Software Assurance Evidence Metamodel
226
Software Engineering Institute (SEI)
151
Software fault patterns (SFPs)
175–186
conceptual model
176, 177f
direct impact category
182–186
information leak
182–183
memory access
184–185
memory management
184
path resolution
185
tainted input
185–186
logical model
176–177, 177f
safeguard category
179–182
access control cluster
180–181, 181f
authentication cluster
179–180, 179f
privilege cluster
181–182, 182f
weakness definition
177–178, 178f
Source package
seeInventory package, in KDM
Speech community
214
SQL Slammer worm
152
Stakeholder requirements definition process
106
Standard protocols
202
Standard vocabulary
18–19
Standards, noncompliance with
6
State
94, 97
key state questions
140
State of Affairs
247
State transition
97
State variables
97
Statement of Work (SOW)
54, 57
Statements
239–240
as formal definitions of new concepts
240–241
Static analysis
8–9, 70, 71, 260, 281–282
Structure package
257
Structure views
96, 292–295, 294f
Supply chain
104–105
issues
5
System
81–82
boundaries
55–56, 82–84, 85f
components
66–67
off-the-shelf
70, 156
conceptual commitment for system descriptions
85–87
description levels
228–229
elements
83f, 87, 88–89, 93–95
entry points
67
function
67, 95
item
95
knowledge, multiple viewpoints and
95–98
limits of resolution
84–85
node
95, 99
policy
68
vocabulary
67–68
validation
68
System architecture
87–90
architectural design process
107
architecture security analysis
54, 63–77, 65f
definition
90
framework example
90–92
System artifacts
59
see alsoArtifacts
System assessment
limitations
7–8
objectives of
56
Preliminary System Assessment (PSA)
50–51, 144–145
rigor of
57
scope of
56
see alsoAnalysis
System Assurance
12, 16, 17, 32
assurance case
36–42
process
43–46, 52–80, 53f
confidence production
45
strategies
141–145
entry point argument
142–143
injury argument
142
security requirement argument
144–145
threat argument
143
vulnerability argument
144
system engineering relationship
32–36, 34f
see alsoAssurance
System development
processes
8
trends
5–6
System life cycle
88, 100–108, 109f
assurance in
49–52
enabling systems
102–104, 103f
evidence
103
processes
51f, 105–108
stages
101–102, 101t
vulnerabilities and
152–154, 154f
supply chain
104–105
System model
59
adding facts
60
baseline
59
validation
60
see alsoIntegrated System Model
System Security Assessment (SSA)
50–51, 144–145
System Security Engineering Capability Maturity Model (SSE-CMM)
33
System views and viewpoints
94, 95f
T
Tainted input software faults
185–186
Tangible assets
121
Target and Threat (T/T)
124
Taxonomy
20
Team preparation
58
Technical processes
105, 106–108
ThreadPoolExecutor
321
Threat and Risk Assessment (TRA)
50, 144–145
Threats
112, 116–117, 127f, 132f, 137f, 201–202
identification
66, 68, 69f
assurance of
145
systematic process
139–141
level of threat
113–114
malware threat
2
scenarios
132–133
threat activity
130–131, 132f
threat agent
130–131, 132f
threat agent category
130–131, 132f
threat argument
143
threat class
130–131, 132f, 143
threat event
128, 130–131, 142
vocabulary
123–127, 130–131
Traceability
gap
8, 229
issues
7
link horizontal
73–74, 87, 256–257, 258–259, 328
Transfer into operation
50
Transition process
107
U
Uncertainty factor
14
Undesired event
128
US-CERT vulnerability database
157–161, 158f
User Interface (UI) package
256
User Interface (UI) views
270–272, 271f, 272f, 273f
V
Validation
15–16
process
108
system facts
68
system model
60
vulnerability detection coverage
71
Value, of assets
121
Verb concepts
212–213, 212f, 215–216
Behavior viewpoint
299f
Build viewpoint
265f
Code viewpoint
276, 276f, 277, 278f, 280f
Conceptual viewpoint
299f
Data viewpoint
266–267, 268f
definition of
240–241
elementary meanings
243, 243f
Event viewpoint
290, 291f
Inventory viewpoint
262–263, 263f
Linguistic viewpoint
298f
Platform viewpoint
284f, 287f
primary representation
239
Structure viewpoint
294f
User Interface (UI) viewpoint
272f
Verification
15–16
process
107
Views and viewpoints
90, 97f, 216–217, 216f
architecture framework example
90–92
in KDM
Behavior viewpoint
297–299, 299f, 300f
Build views
263–264, 265f
Code views
272–282, 275f, 276f, 277f, 278f, 279f, 280f
Conceptual view
295–299, 298f, 299f, 300f
Data views
264–270, 267f, 268f, 269f, 270f
Event views
288–292, 291f, 292f
Inventory views
260–263, 262f, 263f
Linguistic viewpoint
297f, 298f
Platform views
282–288, 284f, 285f, 286f, 287f, 288f, 289f
Structure views
292–295, 294f
UI views
270–272, 271f, 272f, 273f
operational views and viewpoints
93, 94f, 95f
system knowledge and
95–98
system views and viewpoints
94, 95f
Vulnerabilities
3, 14, 34, 118–119, 202
analyzer tool
174
concept of vulnerability
148–150
databases
156–163, 157t
National Vulnerability Database (NVD)
160, 167t, 170
Open Source Vulnerability Database (OSVDB)
161–163, 162f
US-CERT
157–161, 158f
discernable
147, 147
disclosure
164
enumeration of
154–156
findings
71, 72–73, 261
history of
150–152, 150t
knowledge
14, 156, 156, 165–166, 165, 191
management
165–166, 168, 170, 172–173
off-the-shelf vulnerabilities
70
organizational
153–154
researcher
163, 174, 173
scanner tool
168–170, 173, 174, 196
system life cycle and
152–154, 154f
technology related
153–154
unmitigated threats as
147, 147
vocabulary
133–135
vulnerability argument
144
Vulnerability assessment
13
issues
8–11
lack of complete system coverage
8
production of false positives and false negatives
10, 12
Vulnerability detection
31, 66, 69–73, 70f
architecture security analysis
63–77
automated
72–73
black-box testing
11–12
coverage validation
71
tools
71
white-box testing
8–9
Vulnerability life cycle
163–165
correction
164
creation
164
death
165
disclosure
164
discovery
164
exploitation
165
publicity
165
scripting
165
Vulnerability market
73
Vulnerability patterns
174–175, 175f
software fault patterns, (SFPs)
175–186
W
White-box testing
8–9
lack of complete system coverage
8
production of false positives and false negatives
10
X
XML technology
208, 214
representation of facts
220–225
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
13.59.48.161