An online protocol used to determine the status of a public key certificate between a certificate authority (CA) and relying parties. OCSP responders should be capable of processing both signed and unsigned requests and should be capable of processing requests that either include or exclude the name of the relying party making the request. OCSP responders should support at least one algorithm such as RSA with padding or ECDSA for digitally signing response messages.
An attack in which an attacker performs repeated logon trials by guessing possible values of the token authenticator. Examples of attacks include dictionary attacks to guess passwords or guessing of secret tokens. A countermeasure is to use tokens that generate high entropy authenticators.
The principle of open design stresses that design secrecy or reliance on user ignorance is not a sound basis for secure systems. Open design allows for open debate and inspection of the strengths, or origins of a lack of strength, of that particular design. Secrecy can be implemented through the use of passwords and cryptographic keys, instead of secrecy in design.
A protocol defined in IETF RFC 2440 and 3156 for encrypting messages and creating certificates using public key cryptography. Most mail clients do not support OpenPGP by default; instead, third-party plug-ins can be used in conjunction with the mail clients. OpenPGP uses a “Web of trust” model for key management, which relies on users for management and control, making it unsuitable for medium- to large-scale implementations.
An environment that includes systems in which one of the following conditions holds true: (1) application developers (including maintainers) do not have sufficient clearance or authorization to provide an acceptable presumption that they have not introduced malicious logic and (2) configuration control does not provide sufficient assurance that applications are protected against the introduction of malicious logic prior to and during the operation of application systems.
A reference model of how messages should be transmitted between any two end-points of a telecommunication network. The process of communication is divided into seven layers, with each layer adding its own set of special, related functions. The seven layers are the application layer, presentation, session, transport, network, data link, and physical layer. Most telecommunication products tend to describe themselves in relation to the OSI reference model. This model is a single reference view of communication that provides a common ground for education and discussion.
Vendor-independent systems designed to readily connect with other vendors’ products. To be an open system, it should conform to a set of standards determined from a consensus of interested participants rather than just one or two vendors. Open systems allow interoperability among products from different vendors. Major benefits include portability, scalability, and interoperability.
A project dedicated to enabling organizations to develop, purchase, and maintain applications that can be secured and trusted. In 2010, OWASP published a list of Top 10 application security risks. These include injection; cross-site scripting; broken authentication and session management; insecure direct object references; cross-site request forgery; security misconfiguration; insecure cryptographic storage; failure to restrict URL access; insufficient transport layer protection; and unvalidated redirects and forwards.
The software “master control application” that runs the computer. It is the first program loaded when the computer is turned on, and its main component, the kernel, resides in memory at all times. The operating system sets the standards for all application programs (e.g., Web server and mail server) that run in the computer. The applications communicate with the operating system for most user interface and file management operations.
Analyzing characteristics of packets sent by a target, such as packet headers or listening ports, to identify the operating system in use on the target.
Provides information on who used computer resources, for how long, and for what purpose. Unauthorized actions can be detected by analyzing the operating system log. This is a technical and detective control.