Hands-On Security in DevOps
Ensure continuous security, deployment, and delivery with DevSecOps

Product type: Paperback
Published in: Jul 2018
ISBN-13: 9781788995504
Length: 356 pages
Edition: 1st Edition
Author: Hsu
Table of Contents

Title Page
Copyright and Credits
Packt Upsell
Contributors
Preface
1. DevSecOps Drivers and Challenges
2. Security Goals and Metrics
3. Security Assurance Program and Organization
4. Security Requirements and Compliance
5. Case Study - Security Assurance Program
6. Security Architecture and Design Principles
7. Threat Modeling Practices and Secure Design
8. Secure Coding Best Practices
9. Case Study - Security and Privacy by Design
10. Security-Testing Plan and Practices
11. Whitebox Testing Tips
12. Security Testing Toolkits
13. Security Automation with the CI Pipeline
14. Incident Response
15. Security Monitoring
16. Security Assessment for New Releases
17. Threat Inspection and Intelligence
18. Business Fraud and Service Abuses
19. GDPR Compliance Case Study
20. DevSecOps - Challenges, Tips, and FAQs
Assessments
Other Books You May Enjoy
Index

Index

A

  • Address Space Layout Randomization (ASLR) / Release gate examples
  • Android security testing / Android security testing
  • Apache Metron / Apache Metron
  • Application Security Verification Standard (ASVS) / Security requirements, Secure design, Web security testing
  • attribute-based access control (ABAC) / Data governance – Apache Ranger and Atlas
  • automation testing
    • criteria / Automation testing criteria

B

  • BDD security framework / BDD security framework
  • behavior-driven security testing
    • framework / Behavior-driven security testing framework
  • big data
    • used, for security requisites / Security requirements for big data, Big data security requirements
    • technical security frameworks / Big data technical security frameworks
  • big data framework
    • used, for security analysis / Security analysis using big data frameworks
  • BIOS Boot Specification (BBS) / Virtualization
  • business abuses / Business fraud and abuses
  • business fraud / Business fraud and abuses
  • business risk detection
    • framework / Business risk detection framework

C

  • card game / Card games
  • case studies, General Data Protection Regulation (GDPR)
    • personal data discovery / Case 1 – personal data discovery
    • database anonymization / Case 2 – database anonymization
    • cookie consent / Case 3 – cookie consent
    • data-masking library, used, for implementation / Case 4 – data-masking library for implementation
    • website privacy status, evaluating / Case 5 – evaluating website privacy status
  • Chef / Center for Internet Security (CIS) and OpenSCAP – securing your infrastructure
  • Chief Security Officer (CSO) / Security office under a CTO
  • CIS Docker Benchmark / Dockers
  • cloud / New technology (third-party, cloud, containers, and virtualization)
  • Cloud Controls Matrix (CCM) / Cloud Security Alliance (CSA)
  • Cloud Security Alliance (CSA) / Cloud Security Alliance (CSA)
  • cloud services
    • hacks/abuse / Cloud services hacks/abuse
    • hacking / Case study – products on sale, What do hackers do?
    • releasing / Rapid release
  • cloud service security architecture reference / Cloud service security architecture reference
  • code review
    • automating, with IDE plugins / IDE plugins to automate the code review
  • command-line interface (CLI) / Automation testing criteria
  • Common Attack Pattern Enumeration and Classification (CAPEC)
    • URL / Threat assessment
    • about / Threat modeling with STRIDE
  • Common Vulnerabilities and Exposures (CVE) / Virtualization
  • Common Vulnerability Scoring System (CVSS)
    • about / Release gate examples, Common Vulnerability Scoring System (CVSS)
    • Attack Vector (AV) / Common Vulnerability Scoring System (CVSS)
    • Attack Complexity (AC) / Common Vulnerability Scoring System (CVSS)
    • Privileges Required (PR) / Common Vulnerability Scoring System (CVSS)
    • User Interaction (UI) / Common Vulnerability Scoring System (CVSS)
    • Scope (S) / Common Vulnerability Scoring System (CVSS)
    • Confidentiality (C) / Common Vulnerability Scoring System (CVSS)
    • Integrity (I) / Common Vulnerability Scoring System (CVSS)
    • Availability (A) / Common Vulnerability Scoring System (CVSS)
  • components, security monitoring
    • log collector / Security monitoring framework
    • security monitoring (SIEM) / Security monitoring framework
    • threat intelligence / Security monitoring framework
    • threat intelligence feeds / Security monitoring framework
  • confidentiality, integrity, and availability (CIA) / Detection and analysis
  • Consensus Assessments Initiative Questionnaire (CAIQ) / Cloud Security Alliance (CSA)
  • containers / New technology (third-party, cloud, containers, and virtualization)
  • Continuous Delivery (CD) / Baking security into DevOps
  • continuous integration
    • security / Security in continuous integration
  • Continuous Integration (CI) / Baking security into DevOps
  • cryptographic modules / Cryptographic modules
  • Cyber Analytics Platform and Examination System (CAPES)
    • reference link / Security analysis using big data frameworks

D

  • Data Execution Prevention (DEP) / Release gate examples
  • data governance / Data governance – Apache Ranger and Atlas
  • data masking / Data masking
  • Data Security Standard (DSS) / PCI DSS compliance
  • dependency check / Dependency check
  • design review / Design review
  • development
    • security practices / Security practices in development
  • development goal/metrics
    • about / Development goal/metrics
    • threat assessment / Threat assessment
    • threat assessment, for GDPR / Threat assessment for GDPR
    • deliverables / Deliverables and development team self-assessment
    • self-assessment team / Deliverables and development team self-assessment
    • security requisites / Security requirements
  • DevSecOps
    • used, for security management / DevSecOps for security management 
    • used, for development team / DevSecOps for the development team 
    • used, for testing team / DevSecOps for the testing team
    • used, for operations team / DevSecOps for the operations team
  • diagram designer tool / Diagram designer tool
  • Dockers / Dockers
  • Docker security
    • about / Dockers
    • scanning / Docker security scanning
  • Dynamic Application Security Testing (DAST) / High-risk module review

E

  • Elasticsearch, Logstash, Kibana (ELK) / Security analysis using big data frameworks
  • Elevation of Privilege (EoP) card game
    • URL / Threat assessment
  • Environmental Score / Common Vulnerability Scoring System (CVSS)
  • environment hardening
    • about / Environment Hardening
    • secure configuration baseline / Secure configuration baseline
    • constant monitoring mechanism / Constant monitoring mechanism
  • European Economic Area (EEA) / GDPR security requirement

F

  • Fast Incident Response (FIR) / DevSecOps for the operations team
  • Federal Information Processing Standards (FIPS) / Federal Information Processing Standards (FIPS)
  • functional / Case study – a matrix, functional, or taskforce structure

G

  • General Data Protection Regulation (GDPR)
    • about / Organization goal
    • used, for privacy requisites / Privacy requirements for GDPR
    • Privacy Impact Assessment (PIA) / Privacy Impact Assessment (PIA)
    • Privacy Data Attributes / Privacy data attributes
    • data flow assessment, example / Example of a data flow assessment
    • security requisites, for data processor / GDPR security requirements for data processor and controller
    • security requisites, for data controller / GDPR security requirements for data processor and controller
    • security requisites / GDPR security requirement
    • case studies / Case studies
  • Google Vendor Security Assessment Questionnaires (VSAQ) / Cloud Security Alliance (CSA)

H

  • high-risk module
    • review / High-risk module review
    • about / High-risk modules, High-risk module

I

  • implementation review
    • about / Implementation review
    • third-party components / Third-party components
    • IDE-plugin code review / IDE-plugin code review
    • static code review / Static code review
    • target code review / Target code review
  • incident forensics
    • techniques / Incident forensics techniques
  • indicators of compromise (IOC) / Security monitoring framework
  • Indicators of Compromises (IoC) / Indicators of compromises
  • information security management system (ISMS) / ISO 27001
  • Infrastructure as a Service (IaaS) / Security assurance program case study
  • Infrastructure as Code (IaC) / Infrastructure as Code (IaC)
  • infrastructure configuration
    • securing / Securing infrastructure configuration
  • input validation / Input validation and sanitization
  • integrated security
    • tools / Integrated security tools
  • ISO 27001 / ISO 27001
  • issue management / Issue management

J

  • Java struts security review
    • about / Case study – Java struts security review
    • approaches / Struts security review approaches
    • checklist / Struts security checklist
  • Java struts security string
    • searching, in struts.xml / Struts security strings search in struts.xml and API
    • searching, in API / Struts security strings search in struts.xml and API
  • Java web security framework / Java web security framework
  • Jenkins
    • security automation / Security automation in Jenkins

L

  • Linux Malware Detect (LMD) / DevSecOps for the operations team
  • log collector / Security monitoring framework
  • logging policy / Logging policy
  • login protection / Login protection

M

  • Malware Information Sharing Platform (MISP) / TheHive, MISP – an Open Source Threat Intelligence Platform
  • manual code review
    • tools / Manual code review tools
  • matrix / Case study – a matrix, functional, or taskforce structure
  • Microsoft SAMM / Microsoft SDL and SAMM
  • Microsoft SDL / Microsoft SDL and SAMM
  • Microsoft SDL threat modeling tool
    • URL / Threat assessment
  • Mobile Application Security Verification Standard (MASVS) / Secure design
  • Mobile Security Testing Guide (MSTG)
    • reference link / Security testing
    • about / DevSecOps for the testing team

N

  • National Checklist Program (NCP)
    • about / Center for Internet Security (CIS) and OpenSCAP – securing your infrastructure, Securing infrastructure configuration
    • repository / National Checklist Program (NCP) repository

O

  • Object Access Control (OACC) / Web security frameworks
  • Offensive Web Testing Framework (OWTF) / Integrated security tools, DevSecOps for the testing team
  • OpenSCAP / OpenSCAP tools
  • Open Security Architecture (OSA) / Cloud service security architecture reference
  • Open Web Application Security Project (OWASP) / Organization goal, Security-testing knowledge kit, Web security testing
  • operational enablement
    • about / Operational enablement
    • code signing, for application deployment / Code signing for application deployment
    • application communication ports matrix / Application communication ports matrix
    • application configuration / Application configurations
  • operation goal/metrics
    • about / Operation goal/metrics
    • issue management / Issue management
    • environment hardening / Environment Hardening
    • operational enablement / Operational enablement
  • organization goal
    • about / Organization goal
    • strategy and metrics / Organization goal, Strategy and metrics
    • policy and compliance / Organization goal, Policy and compliance
    • education and guidance / Organization goal, Education and guidance
  • OWASP Application Security Verification Standard (ASVS) / Security requirements for web applications, OWASP Application Security Verification Standard (ASVS)
  • OWASP Code Review Project
    • reference link / Target code review
  • OWASP Cornucopia
    • URL / Threat assessment
    • security areas / Card games
  • OWASP SAMM / OWASP SAMM
  • OWASP Security Knowledge Framework (SKF)
    • about / Security knowledge portal
    • URL, for downloading / Security knowledge portal
  • OWASP threat modeling cheat sheet
    • URL / Threat assessment

P

  • PCI DSS compliance
    • about / PCI DSS compliance
    • references / PCI DSS compliance
  • Personally Identifiable Information (PII) / ISO 27017 and ISO 27018, Privacy
  • PII discovery tool / Case 1 – personal data discovery
  • Platform as a Service (PaaS) / Security assurance program case study
  • Position Independent Executables (PIE) / Release gate examples
  • privacy by design / Privacy by design
  • Privacy Data Attributes / Privacy data attributes
  • privacy frameworks / Summary of security and privacy frameworks 
  • Privacy Impact Assessment (PIA)
    • about / Threat assessment for GDPR, Privacy requirements for GDPR, Privacy Impact Assessment (PIA)
    • reference link / Privacy requirements for GDPR
  • privacy information / Privacy
  • Privacy Information Assessment (PIA) / Strategy and metrics
  • privacy requisites
    • for GDPR / Privacy requirements for GDPR
  • proactive mode
    • web testing / Web testing in proactive/proxy mode
  • proxy mode
    • web testing / Web testing in proactive/proxy mode
  • Puppet / Center for Internet Security (CIS) and OpenSCAP – securing your infrastructure

Q

  • QA goal/metrics
    • about / QA goal/metrics
    • design review / Design review
    • implementation review / Implementation review
    • security testing / Security testing

R

  • real-world exploits, security testing
    • exploits / Exploits and CVE
    • CVE / Exploits and CVE
    • exploit kits / Exploits and CVE
    • hacker techniques / Hacker techniques
    • malware case study / Malware Information
  • release gate
    • security requisites for / Security requirements for the release gate
    • examples / Release gate examples
    • Common Vulnerability Scoring System (CVSS) / Common Vulnerability Scoring System (CVSS)
  • Response Operation Collection Kit (ROCK) NSM
    • reference link / Security analysis using big data frameworks
  • role-based access control (RBAC) / Data governance – Apache Ranger and Atlas

S

  • sanitization / Input validation and sanitization
  • secure architecture review
    • about / Secure architecture review
    • authentication / Authentication
    • authorization / Authorization
    • session management / Session management
    • data input / Data input/output
    • data output / Data input/output
  • secure coding
    • about / Security technical committee (taskforce)
    • industry best practices / Secure coding industry best practices
    • awareness training / Secure coding awareness training
    • scanning tools / Secure code scanning tools
    • common issues / Common issues in practice
    • keywords / Secure coding patterns and keywords
    • patterns / Secure coding patterns and keywords
  • secure coding baselines
    • establishing / Establishing secure coding baselines
  • secure compiler configuration / Secure compiler configuration
  • secure compiling / Secure compiling
  • secure design / Security technical committee (taskforce), Secure design
  • secure testing taskforce team / Security technical committee (taskforce)
  • security
    • baking, into DevOps / Baking security into DevOps
  • security analysis
    • big data framework / Security analysis using big data frameworks
    • TheHive / TheHive 
    • Malware Information Sharing Platform (MISP) / MISP – an Open Source Threat Intelligence Platform
    • Apache Metron / Apache Metron
  • security architecture design principles
    • about / Security architecture design principles
    • cloud service security architecture reference / Cloud service security architecture reference
  • security assurance program
    • about / Security assurance program
    • Security Development Lifecycle (SDL) / SDL (Security Development Lifecycle)
    • OWASP SAMM / OWASP SAMM
    • security guidelines and processes / Security guidelines and processes
    • case study / Security assurance program case study
    • Microsoft SDL / Microsoft SDL and SAMM
    • Microsoft SAMM / Microsoft SDL and SAMM
  • security automation
    • in Jenkins / Security automation in Jenkins
  • security awareness / Security training and awareness
  • security checklist / Security checklist and tools
  • security compliance
    • about / Security compliance, Legal and security compliance
    • ISO 27001 / ISO 27001
    • ISO 27017 / ISO 27017 and ISO 27018
    • ISO 27018 / ISO 27017 and ISO 27018
    • Cloud Security Alliance (CSA) / Cloud Security Alliance (CSA)
    • Federal Information Processing Standards (FIPS) / Federal Information Processing Standards (FIPS)
    • Center for Internet Security (CIS) / Center for Internet Security (CIS) and OpenSCAP – securing your infrastructure
    • OpenSCAP / Center for Internet Security (CIS) and OpenSCAP – securing your infrastructure, OpenSCAP tools
    • National Checklist Program (NCP), repository / National Checklist Program (NCP) repository
  • security culture / Security culture
  • Security Development Lifecycle (SDL) / SDL (Security Development Lifecycle)
  • security frameworks
    • about / Security framework, Summary of security and privacy frameworks 
    • Java web security framework / Java web security framework
    • non-Java web security framework / Non-Java web security frameworks
  • security growth
    • with business / Security growth with business
    • security control / Stage 1 – basic security control 
    • security testing team, building / Stage 2 – building a security testing team
    • SDL activities / Stage 3 – SDL activities
    • self-build security services / Stage 4 – self-build security services
    • automation / Stage 5 – big data security analysis and automation
    • big data security analysis / Stage 5 – big data security analysis and automation
  • security incident response platforms (SIRP)
    • about / Security incident response process, Security incident response platforms (SIRP)
    • preparation / Preparation
    • detection / Detection and analysis
    • analysis / Detection and analysis
    • containment / Containment and recovery
    • recovery / Containment and recovery
    • post-incident activity / Post-incident activity
  • security information and event management (SIEM) / Logging policy
  • security knowledge portal / Security knowledge portal
  • security management
    • with DevSecOps / DevSecOps for security management 
  • security monitoring
    • framework / Security monitoring framework
    • source of information / Source of information 
  • security operations center (SOC) team / SOC team
  • security practices
    • in development / Security practices in development
    • IDE plugins, used for automating code review / IDE plugins to automate the code review
    • static code analysis / Static code analysis
    • secure compiler configuration / Secure compiler configuration
    • dependency check / Dependency check
  • security requisites
    • for release gate / Security requirements for the release gate
    • for web applications / Security requirements for web applications
    • for big data / Security requirements for big data, Big data security requirements
  • security resource pool / Security resource pool
  • security review policies
    • for releases / Security review policies for releases
  • security scanning
    • toolset / Security scanning toolset
  • security team
    • in organization / Role of a security team in an organization
    • under CTO / Security office under a CTO
    • about / Dedicated security team
    • security management / Dedicated security team
    • security testing / Dedicated security team
    • security engineering / Dedicated security team
    • security monitoring / Dedicated security team
    • security services / Dedicated security team
  • security technical committee (taskforce) / Security technical committee (taskforce)
  • security testing
    • knowledge kit / Security-testing knowledge kit
    • tools / Recommended security-testing tools, General security testing toolkits
    • domains / Security-testing domains
    • real-world exploits / Thinking like a hacker
    • training environment / Security-Training environment
  • security testing templates
    • about / Security-testing plan templates
    • objective / Security-testing objective
    • baseline / Security-testing baseline
    • environment / Security-testing environment
    • strategy / Testing strategy
    • high-risk module / High-risk modules
  • security tools / Security checklist and tools
  • security training / Security training and awareness
  • SEI CERT Coding Standards
    • reference link / Target code review
  • Software as a Service (SaaS) / Security assurance program case study
  • Software Assurance Marketplace (SWAMP) / Security testing
  • Software Assurance Maturity Model (SAMM) / Organization goal
  • Spoofing, Tampering, Repudiation, Information Disclosure, Destruction, Escalation (STRIDE)
    • about / Threat assessment for GDPR
    • used, for threat modeling / Threat modeling with STRIDE
  • standard operation procedures (SOPs) / Security culture
  • Static Application Security Testing (SAST) / Target code review
  • static code analysis / Static code analysis
  • strict process type / Security culture

T

  • taskforce structure / Case study – a matrix, functional, or taskforce structure
  • Temporal Score / Common Vulnerability Scoring System (CVSS)
  • testing results
    • consolidating / Consolidated testing results
  • TheHive / TheHive 
  • third-party components management / Third-party component management
  • third-party open source management / Third-party open source management
  • threat intelligence
    • about / Security monitoring framework
    • toolset / Threat intelligence toolset
  • threat intelligence feeds / Security monitoring framework
  • threat libraries
    • references / Threat library references
  • threat modeling
    • practices / Threat modeling practices
    • with STRIDE / Threat modeling with STRIDE
    • case study / Case study – formal documents or not?
  • tools evaluation / Tool evaluation
  • tools optimization / Tool optimization

U

  • unknown threat
    • detecting / Unknown threat detection

V

  • virtualization / New technology (third-party, cloud, containers, and virtualization), Virtualization

W

  • web application firewall (WAF) / Stage 4 – self-build security services
  • web applications
    • used, for security requisites / Security requirements for web applications
    • security knowledge portal / Security knowledge portal
  • web automation testing
    • tips / Web automation testing tips
  • web readiness
    • for privacy protection / Web readiness for privacy protection
    • TLS, for secure data transmission / Web readiness for privacy protection
    • Referrer Policy / Web readiness for privacy protection
    • Cookie Consent Disclaimer / Web readiness for privacy protection
    • HTTP Security Headers / Web readiness for privacy protection
  • web security
    • testing / Web security testing
  • web security framework / Web security frameworks
  • web testing
    • in proactive mode / Web testing in proactive/proxy mode
    • in proxy mode / Web testing in proactive/proxy mode
  • whitebox review checklist
    • about / Whitebox review checklist
    • issues / Top common issues
  • whitebox review preparation
    • about / Whitebox review preparation
    • viewing / Viewing the whole project

Y

  • YARA / Malware behavior matching – YARA
  • Your Everyday Threat Intelligence platform (YETI)
    • reference link / MISP – an Open Source Threat Intelligence Platform