Questions tagged [standards]

74 questions
20 votes, 5 answers

Policy mandate dilemma

When writing security policies, do you take into consideration users' (could be vendors) ability/capability to fulfil certain mandates in the policies, or do you strictly want them to enforce, no matter what? I ask this question because I am hit with…
Pang Ser Lark
14 votes, 7 answers

What risk rating models are used for calculating risk scores of web vulnerabilities?

What risk rating methods, models, assessments or methodologies are used for calculating or estimating a risk score of vulnerabilities (for example, like described in the OWASP top 10) and which of those are best to use for web vulnerabilities? I'm…
11 votes, 2 answers

What is the current EU standard for data destruction?

I have been hunting around for a couple of weeks trying to find what the current standards for sensitive data destruction in the EU/UK are. If you look at the destruction companies they have several answers BS EN: 15713:2009 comes up a lot, but so…
EnviableOne
6 votes, 1 answer

Attack tree file format?

Wikipedia lists five software packages for creating/editing/analysing attack trees. These software packages do not seem to have settled, between them, upon an agreed file format for attack trees. This lack of standardisation means that…
sampablokuper
5 votes, 1 answer

Why is the SSH maximum packet size 32k?

My question has two parts. First, why must an SSH server have at least a maximum packet size of 32678 bits? It seems a bit excessive for most uses of SSH, excluding file transfer. Is it common for SSH packets to be around this size, or is it meant…
user2059810
5 votes, 1 answer

Common passwords among servers/web sites on a development platform

I have been involved in a discussion about the use of a standard user name and password within a development environment and would appreciate comments: The single development server holds a number of Linux-based database and web servers - one pair…
Linker3000
4 votes, 3 answers

Friendly reminders for people who don't lock laptops

My bosses have tasked me with coming up with a kind of "friendly reminder" card that we can leave on the desks of folks where we see they've walked away without locking their workstation and we have to lock it. Has anyone else ever had to do…
4 votes, 2 answers

How do I measure compliance to Information security policies?

I work in an organisation with 3 levels as far as information security is concerned. I'm sitting at level two where we develop policies and also assist with the standards. One of the most difficult things which have come to light is how to measure…
Katlego M
4 votes, 1 answer

Is there a specification for the color values representing information classification levels for the United States?

Executive Order 13526 section 1.2 specifies that information may be classified as Top Secret, Secret, and Confidential. The absence of a classification is Unclassified. US classification levels are used to mark the classification level of documents and…
4 votes, 1 answer

Is there any real-world use of IPsec modes other than ESP tunnel?

Tunnel mode ESP (encapsulated in UDP so that it can traverse IPv4 NAT) is used as the basic building block of most of the modern VPNs that I've used and studied. In it, packets are encrypted and authenticated so that neither the headers nor the…
Dan Lenski
4 votes, 1 answer

How relevant is OWASP ASVS?

How relevant is the OWASP application security verification standard? Have you had it as a requirement made by business? What other application security standards relevant to business are there? I did try to search for them, but only OWASP ASVS…
Štef FoReal
3 votes, 2 answers

Is Blowfish validated against any standards?

OWASP ASVS 3.0 V7.7 states the following: Verify that cryptographic algorithms used by the application have been validated against FIPS 140-2 or an equivalent standard. Blowfish is not included in NIST's database of FIPS 140 validated modules. Has…
3 votes, 1 answer

How to find CAPEC items related to a CVE

Vulnerabilities with a CVE usually also have a CWE associated with them, but almost never a CAPEC. CWE's site also only very rarely points to related CAPEC items. Is there a way to find a CVE's related CAPEC items, or a mapping from CWE items to…
drdrek
3 votes, 1 answer

Offline mobile app data storage Guidelines, Standards

We are currently working on a project to develop an "offline" mobile application that synchronises data with our current cloud software solution that would allow field workers in potential mobile black spots to still be able to carry out their work…
Cyassin
3 votes, 1 answer

What does a "-" mean in the Version field in Common Product Enumeration (CPE)?

I'm trying to understand the Common Product Enumeration standard published by Mitre. In the Version field, I've found references to "*" or ANY meaning "Any Version." However, when I search the CPE Dictionary, I find a dash in that field. Does…
Cargo23