Collaborate Disseminate
My question is on Cyber Threat Intelligence (CTI). I want to know the difference between Attack Patterns (as in MITRE CAPEC) and Tactics, Techniques and Procedures (as in MITRE ATT&CK). They both seem to describe the behaviour and modu… Continue reading What is the difference between ATT&CK and CAPEC?
My question is on Cyber Threat Intelligence (CTI). I want to know the difference between Attack Patterns (as in MITRE CAPEC) and Tactics, Techniques and Procedures (as in MITRE ATT&CK). They both seem to describe the behaviour and modu… Continue reading What is the difference between ATT&CK and CAPEC?
I read that when salting passwords, it is advised to use a h(pwd||salt) construction instead of h(salt||pwd), the latter being vulnerable to a length extension attack.
What are possible scenarios in which being able to extend a salted pass… Continue reading Password salting vs. length extension attacks
In order to design and develop a secure system it is important to formulate a threat/adversary/trust/security model for the corresponding system to be able to evaluate the proposed system and help others to know if it is suitable in th… Continue reading Threat / Adversary / Trust / Security model, what is the difference?
Looking at a plain system (there are no security controls implemented yet), we need to think about its functions and derive appropriate assets which we’d like to protect in order to ensure the system continues to function as intended (also… Continue reading Are security controls themselves considered assets (e.g., cryptographic keys)
Could you please help me in finding a repository for MITRE ATT&CK ICS? I was wondering if the matrix, along with labels, assets and tactics was available smewhere online, perhaps in a STIX format as they did for ATT&CK Mobile, Ente… Continue reading MITRE ATT&CK ICS Machine readable
I am using CVSS to do the vulnerability assessment for my project.
As per documentation here is the definition of local and adjacent
Adjacent (A) The vulnerable component is bound to the network stack, but the attack is limited at the p… Continue reading What is the difference between "local" and "Adjacent" threat agents?
As organizations turn to hybrid solutions, an increasing number of businesses are turning to container orchestration to provide a seamless solution to computing between environments. “Containers are units of software in which the code and all its dependencies are packed, allowing applications to run quickly and efficiently from one computing environment to another,” Container Journal explains. […]
The post Threat Modeling in a Container Environment appeared first on Security Intelligence.
Is it at all possible to deduct Threats (as in Threat Modeling) from each (or at least) most of the items in OWASP ASVS ?
I heard in a webinar that for each item of this list, there is an implicit threat that motivated it.
I know threats a… Continue reading Threat Modeling : deduct threats from OWASP ASVS
When arranging a pen test it’s common practice to ask the client a set of questions, and use the answers either as the basis for further discussions, or to directly provide a test plan and quotation.
For a mobile app specifically, what que… Continue reading What questions are useful to scope a mobile app pen test?