Software Security: Building Security In

Index

Taint analysis

Taxonomy of coding errors

     19 Deadly Sins ... 2nd

     attack classes

     hierarchy of

     "OWASP Top Ten ... Vulnerabilities," 2nd

     PLOVER (Preliminary List of Vulnerability Examples for Researchers)

     versus taxonomy of attack patterns

Taxonomy of coding errors, kingdoms

     API Abuse

         description

         example

         phyla

     Code Quality 2nd

         description

         example

         phyla

     definition

     Encapsulation 2nd

         description

         example

         phyla

     Environment 2nd

         description

         example

         phyla

     Error Handling 2nd

         description

         example

         phyla

     Input Validation and Representation 2nd

         description

         example

         phyla

     mapped to "OWASP Top Ten ... Vulnerabilities,"

     mapped to 19 Deadly Sins ...

     Security Features 2nd

         description

         example

         phyla

     summary list of

     Time and State 2nd

         description

         example

         phyla

Taxonomy of coding errors, phyla

     API Abuse kingdom

     ASP.NET Misconfiguration

     Authentication 2nd

     Buffer Overflow

     Catch NullPointerException

     Code Quality kingdom

     Command Injection

     Comparing Classes by Name

     Creating Debug Binary

     Cross-Site Scripting

     Dangerous Functions

     Data Leaking Between Users

     Deadlock

     definition

     Directory Restriction

     Double Free

     Duplicate Validation Forms

     Empty Catch Block

     Empty Password in Configuration File

     Encapsulation kingdom

     Environment kingdom

     Erroneous validate() Method

     Error Handling kingdom

     Exception Handling

     Failure to Begin a New Session ...

     File Access Race Condition

     Form Field Without Validator

     Format String

     getConnection() method

     Hard-Coded Passwords

     Heap Inspection

     HTTP Response Splitting

     Illegal Pointer Value

     Inconsistent Implementations

     Input Validation and Representation kingdom

     Insecure Compiler Optimization

     Insecure Randomness

     Insecure Temporary File

     Integer Overflow

     J2EE Bad Practices 2nd

     J2EE Misconfiguration

     Least Privilege Violation

     Leftover Debug Code

     Log Forging

     Memory Leaks

     Missing Access Control

     Missing Custom Error Handler

     Missing Error Handling

     Mobile Code

     need for additional

     Non-Final Public Field

     Null Dereference

     Object Highjack

     Obsolete

     Often Misused 2nd

     Overly Broad Catch Block

     Overly Broad Throws Declaration

     Password in Configuration File 2nd

     Password Management

     Path Manipulation

     Path Traversal

     Privacy Violation

     Private Array-Type Field ...

     Privilege Management

     Process Control

     Public Data Assigned ...

     Race Condition

     Resource Injection

     Security Features kingdom

     Setting Manipulation

     Signal Handling Race Conditions

     Sockets

     SQL Injection

     String Manipulation

     String Termination Error

     Struts

     System Information Leak

     System.exit()

     Threads

     Time and State kingdom

     TOCTOU (time-of-check-time-of-use)

     Trust Boundary Violation

     Unchecked Return Value 2nd

     Undefined Behavior

     Uninitialized Variable

     Unreleased Resource

     Unsafe Bean Declaration

     Unsafe JNI

     Unsafe Reflection

     Unused Validation Form

     Unvalidated Action Form

     Use After Free

     Use Of Inner Class

     Validation Class Not Extended

     Validator Turned Off

     Validator Without Form Field

     Weak Access Permissions

     Weak Cryptography

     XML Validation

Taxonomy of vulnerabilities

Teams. [See Security professionals.]

Tent example

"Test-driven" design

Testing. [See Penetration testing; Risk-based security testing.]

Think like a bad guy. [See Black hat activities.]

Threads phylum

Threat modeling versus risk analysis

Threats, architectural risk analysis

Three pillars. [See Pillars of software security.]

Time and State vulnerability kingdom 2nd

Time as essential issue

Timing, risk-based security testing

TOCTOU (time-of-check-time-of-use) 2nd 3rd

Tools

     characteristics of

     code review. [See Code review, tools.]

     commercial vendors. [See Commercial source code analysis tool vendors.]

     Nessus

     penetration testing

         APISPY32

         breakpoint setters

         CANVAS

         Cenzic

         control flow

         coverage

         decompilers

         disassemblers

         fault injection

         Hailstorm

         Holodeck

         rootkits

         shell code

     port scanning

     problems with

Touchpoints [See also specific touchpoints]

     as best practices 2nd

     black hat activities

     constructive activities

     destructive activities

     example

     list of

         abuse cases

         architectural risk analysis

         code review

         penetration testing

         risk-based security testing

         security operations

     order of effectiveness

     overview

     sequence of

     timing in the lifecycle

     white hat activities

Training without assessment

Training, academic courses

Training, software security

Trinity of trouble

     complexity

     connectivity

     extensibility

Trust Boundary Violation phylum

Trustworthy Computing Initiative