Questions tagged [standards]

74 questions
1 vote, 1 answer

History of the CERT secure coding standards?

My question is when and why did researchers decide to create the CERT secure coding standards? Is there anything about the history of these standards? I can't find anything about this.
Exagon
0 votes, 1 answer

Standard for "secure workstations" resisting screen grabs

In his talk "Keynote address: securing the individual" at authenticate2020 (around 23:44), Whit Diffie asks "ever wonder why an app can come on and grab your whole screen? There's a whole set of standards to resist that. They were called 'secure…
0 votes, 0 answers

Sign according to the RSASSA-PKCS1-v1_5 standard

I'm totally lost with this standard, RSASSA-PKCS1-v1_5. I have commands that sign a document and check the signature below. openssl dgst -sha256 -sign private-key.pem -out aaa.txt.sha256 aaa.txt openssl dgst -sha256 -verify public-key.pem -signature…
vico
0 votes, 0 answers

Status of Asynchronous Remote Key Generation in the developing WebAuthn standard?

Today I read this blog entry by Yubico regarding Asynchronous Remote Key Generation. This proposal solves, in my view, the largest outstanding problem in the widescale adoption of challenge-response hardware authentication keys. Some background: The…
Myridium
0 votes, 1 answer

From a modular development standpoint, should a "firewall" do anything other than filter ports?

From a modular development standpoint, should a "firewall" do anything other than filter ports? This leads me to further ask, have there been attempts to reform the terminology from "firewall" to "port filterer"?
0 votes, 1 answer

What alternative standard for ISO 27001 can be used in Australia?

I am looking for alternatives to ISO 27001 that are less strict and less time-consuming. Australia is in the Commonwealth, so maybe Cyber Essentials Plus could work, but I do not know if that plays a part in it being recognized by the Australian…
0 votes, 0 answers

Backendly preventing database injections on simple web forms

I have a simple PHP-HTML-CSS contact form which saves emails to a local email client's database (in my case, Roundcube's database, which is a standalone MySQL database, I think --- I haven't used the program yet). The data this simple form gathers…
0 votes, 1 answer

Is there a standard about storing the password of a bank's website bank-account-management-account in a password vault?

Please assume that I use some FOSS, SaaS, public key && passwordized private key protected password vault program to primarily store passwords of websites I rarely use (such as Q&A websites or free content enterprises), which are not very…
0 votes, 0 answers

Is there a standard approach for serializing an RSA encrypted AES key alongside the AES payload itself?

Diffie-Hellman won't really work here, since only one side has a public key, one side has the private. It must be this way to prevent decryption when the data is at-rest on one of the sides before transmission. Currently, I am using RSA-2048 only,…
Wisteso
0 votes, 2 answers

IEEE 1363 is inactive-reserved, having been withdrawn on 2019-11-07: what does this mean?

IEEE 1363-2000 - IEEE Standard Specifications for Public-Key Cryptography - was withdrawn on 7 November 2019 and is now in inactive-reserved status. What does this mean? Why was it withdrawn? Are some of the contents suspect? Some serious…
auspicious99
0 votes, 0 answers

Security standard that requires network cables to be visible for inspection

I recently worked for a customer that showed me that all their network cables are visible. Indeed, cables were never drawn inside walls, conduits or trunks. Instead, they were "hung" on poles close to the ceiling. If a cable needed to pass through a…
user1202136
0 votes, 0 answers

Are there any standards or guidelines tamper-evident devices can adhere to?

Tamper-Evident devices and measures are devices which in some way indicate that an event not intended by the developer or manufacturer has occurred. Examples of tamper-evident devices are stickers that leave specific residue or are destroyed upon…
user163495
0 votes, 1 answer

Permissions API

We are about to develop an integration with an old system which is still live. Due to technical issues it is not possible to augment the data from the old system using the browser, so we are going to develop a server-to-server integration. There is…
aquaman
0 votes, 0 answers

Security and distro list naming convention in AAD

Most naming convention standards for Active Directory I have come across so far have security groups starting with an underscore to allow the equivalent distribution list to be user-friendly. I am now writing a naming convention for Azure AD…
aquaman
0 votes, 1 answer

Is there a technical security standard for internet facing test environments?

We have a number of test environments that are permanently internet facing to accommodate external and automated testers with dynamic IP addresses. While we regularly check the servers for security vulnerabilities etc, we found that the servers were…
Joe