\laptop\security\police\OWASP.txt
name="vulnerability_types"
classification
••• do not use products that do not avoid vulnerabilities
OWASP or Open Web Application Security Project
https://en.wikipedia.org/wiki/OWASP
https://owasp.org/projects/
https://owasp.org/www-project-top-ten/
1. Injection. Injection flaws, such as SQL, NoSQL, OS, and LDAP injection
2. https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication
3. https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure
4. https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)
5. https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control
6. https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration
7. https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)
8. https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization
9. https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities
10. https://owasp.org/www-project-top-ten/2017/A10_2017-Insufficient_Logging%2526Monitoring
https://www.guru99.com/web-security-vulnerabilities.html
#1 SQL Injection
Cross Site Scripting
Broken Authentication and Session Management
Insecure Direct Object References
Cross Site Request Forgery
Security Misconfiguration
Insecure Cryptographic Storage
Failure to restrict URL Access
Insufficient Transport Layer Protection
#10 Unvalidated Redirects and Forwards
https://techbeacon.com/app-dev-testing/13-tools-checking-security-risk-open-source-dependencies
••• emotion rather than logic often dominates the market
These are all inconsistent gimmicks which can easily be misused and should be avoided; object orientation and structured query language may also be among them (Date-Darwen). Artificial intelligence and fuzzy logic could also add regenerative instabilities.
••• name="analysis" of development paradigms
\laptop\technology\AI_logic.txt
name="best_practice"
\laptop\unsorted\factCheckA.txt#:~:text=bestPractice
to: wwSultan5@comcast.net roie@roie.com chris@issi1.com
••• avoid using unneeded features
https://www.techrepublic.com/article/starting-your-windows-server-without-a-gui/
https://www.linuxjournal.com/content/without-gui-how-live-entirely-terminal
https://www.howtogeek.com/111967/how-to-turn-the-gui-off-and-on-in-windows-server-2012/
https://superuser.com/questions/291687/is-it-possible-to-run-windows-without-gui/291705
There are lots of situations where the user interface becomes unstable or slow. Knowing a way to get out of that state would be wonderful.
change the Shell value to cmd.exe instead of Explorer.exe.
use Task Manager and kill Explorer.exe
https://docs.microsoft.com/en-us/windows-server/get-started/sconfig-on-ws2016
To exit to the command line
https://stackoverflow.com/questions/49870520/is-it-possible-to-run-windows-10-in-powershell-cmd-only
removes all the bloatware
reduce the machine load by running Windows in a non-GUI mode
https://docs.microsoft.com/en-us/windows/iot-core/learn-about-hardware/headlessmode
name="menu"
use a menuing system that is a program using https://man7.org/linux/man-pages/man3/system.3.html that reads from two files, one holding the system() arguments and the other the descriptions of the choices. The files could be edited with Notepad or another line editor. That would remove immense amounts of overhead. The same program could be used on Linux and Windows. Also batch files could be utilized. Also there might be a way to port batch files to Linux. The Java concept of making it easy to port to and from Linux and Windows might be revived.
https://www.russharvey.bc.ca/resources/windowssecurity.html#winalts
Vulnerabilities in Windows
probably scamming you into downloading a genuine infection or selling you a bogus service
don't use remote access to service client computers and disable it by default
security apparently was a casual afterthought
zero-day vulnerabilities (known but unpublished vulnerabilities)
Uninstall unused or obsolete (unsupported) software.
some of the embedded software creates its own entry points for problems
maintain the updates to Internet Explorer (IE) even if you use another browser, since IE is so tightly integrated into the Windows operating system
some Microsoft driver updates corrupting my Windows installations
There are also lesser-known operating systems that may prove suitable to your needs.
All plugins, including ActiveX, are now being replaced by HTML5, which all modern browsers and devices support.
Java is a safer alternative to ActiveX but is no longer supported by modern browsers
https://www.russharvey.bc.ca/resources/java.html
Uninstalling Java eliminates vulnerabilities to your computer.
security vulnerabilities are discovered all the time,
name="BSIMM" samm
https://www.cnet.com/news/gary-mcgraw-on-developing-secure-software-q-a/
assessed how well big companies develop products with security in mind
www.cigital.com
Trustworthy Computing initiative
https://www.synopsys.com/software-integrity.html
bsimm-faqs.pdf
https://www.synopsys.com/software-integrity/resources/white-papers/application-security-best-practices-guide.html
Gartner's Magic Quadrant for Application Security Testing
https://info.checkmarx.com/gartner-mq-2020-di
https://www.gartner.com/en/documents/3984345/magic-quadrant-for-application-security-testing
This research is reserved for paying clients. !!
"Building Security in Maturity Model" (BSIMM) ranks the companies according to their secure software development practices
https://www.bsimm.com/about/faq.html#9
https://owaspsamm.org/blog/2020/10/29/comparing-bsimm-and-samm/
https://www.dhs.gov/sites/default/files/publications/cost_of_developing_secure_software_clark.pdf
Cost of Developing Secure Software, Elaine Venson, Brad Clark, Barry Boehm, September 16, 2020
https://www.darkreading.com/application-security/12-bare-minimum-benchmarks-for-appsec-initiatives/d/d-id/1338970
Ericka Chickowski, 9/23/2020
https://www.opensamm.org/2011/03/bsimm-activities-mapped-to-samm/
https://www.opensamm.org/download/
https://techbeacon.com/security/why-existing-secure-sdlc-methodologies-are-failing
inefficient, top-down waterfall methodologies
OpenSAMM: governance, construction, verification, and deployment
BSIMM: governance, intelligence, secure software development lifecycle (S-SDLC) touchpoints, and deployments
Bottom-up secure SDLC
https://www.bsimm.com/about.html
https://www.synopsys.com/glossary/what-is-devops.html
https://info.trustwave.com/ciso-once-and-future-threats/
name="EAL"
https://security.stackexchange.com/questions/77161/deference-between-eal-1-7-in-common-criteria-standard
EAL1 - functionally tested
EAL2 - structurally tested
EAL3 - methodically tested and checked
EAL4 - methodically designed, tested, and reviewed
EAL5 - semi-formally designed and tested
EAL6 - semi-formally verified design and tested
EAL7 - formally verified design and tested
https://en.wikipedia.org/wiki/Computer_security#Computer_protection_(countermeasures)
seL4 and SYSGO's PikeOS – but these make up a very small percentage of the market
https://en.wikipedia.org/wiki/Formal_verification
https://en.wikipedia.org/wiki/Security-evaluated_operating_system
https://en.wikipedia.org/wiki/Evaluation_Assurance_Level
https://en.wikipedia.org/wiki/Application_security
https://en.wikipedia.org/wiki/Penetration_test#Standardized_government_penetration_test_services
https://files.consumerfinance.gov/f/documents/cfpb_consumer-reporting-companies-list.pdf
https://en.wikipedia.org/wiki/White_hat_(computer_security)
name="results"
https://snyk.io/product/open-source-security-management/
Automatically find, prioritize and fix vulnerabilities in the open source dependencies used to build your cloud native applications
https://redcanary.com/atomic-red-team/
immediately start testing their defenses against a broad spectrum of attacks
name="EAL"
https://en.wikipedia.org/wiki/Common_Criteria
https://us-cert.cisa.gov/bsi/articles/best-practices/requirements-engineering/the-common-criteria
EAL1 - EAL7
https://www.commoncriteriaportal.org/products/ !!
Certified Products
Access Control Devices and Systems – 26 Certified Products
Boundary Protection Devices and Systems – 41 Certified Products
Data Protection – 64 Certified Products
Databases – 13 Certified Products
Detection Devices and Systems – 7 Certified Products
ICs, Smart Cards and Smart Card-Related Devices and Systems – 575 Certified Products
Key Management Systems – 6 Certified Products
Mobility – 25 Certified Products
Multi-Function Devices – 230 Certified Products
Network and Network-Related Devices and Systems – 223 Certified Products
Operating Systems – 47 Certified Products
Other Devices and Systems – 234 Certified Products
Products for Digital Signatures – 47 Certified Products
Trusted Computing – 41 Certified Products
https://www.commoncriteriaportal.org/labs/
80 Licensed Laboratories
name="checksum"
https://files.avast.com/files/documentation/enterprise-administration-user-guide.pdf
AEA console: calculated checksum does not match the checksum that is stored for an application
https://forum.avast.com/index.php?topic=12275.0
File Checksum Integrity Verifier
https://www.cnet.com/news/avasts-virus-lab-relies-on-robust-community/
the checksum has proven to be an effective tool for verifying a file
https://en.wikipedia.org/wiki/AVG_Technologies
https://support.avg.com/answers?id=9060N000000g7nfQAA
http://www.manifold.net/doc/mfd9/using_sha_checksums.htm
https://www.exefiles.com/en/exe/avgboot-exe/
name="bloatware"
https://www.avg.com/en/signal/bloatware-removal-tool
https://threatpost.com/bloatware-insecurity-continues-to-haunt-consumer-business-laptops/118356/
https://www.zdnet.com/article/vulnerability-found-and-fixed-in-hp-bloatware/
https://en.wikipedia.org/wiki/SafeBreach
https://safebreach.com/
https://www.techrepublic.com/blog/five-apps/five-tools-for-dealing-with-bloatware-on-your-android-device/
https://wiki.garudalinux.org/en/removing-bloat
https://wiki.debian.org/ReduceDebian
https://www.pcmag.com/how-to/how-to-rid-a-new-pc-of-crapware
https://answers.microsoft.com/en-us/windows/forum/windows_other-performance/decrapify-your-windows-computer/e6742978-e44e-4d38-8f5c-77cde74b5ab6
https://support.microsoft.com/en-us/topic/remove-specific-prevalent-malware-with-windows-malicious-software-removal-tool-kb890830-ba51b71f-39cd-cdec-73eb-61979b0661e0
https://answers.microsoft.com/en-us/protect/forum/protect_other-protect_start-windows_other/list-of-anti-malware-product-removal-tools/2bcb53f7-7ab4-4ef9-ab3a-6aebfa322f75
https://de.zxc.wiki/wiki/Microsoft_Windows-Tool_zum_Entfernen_b%C3%B6sartiger_Software
https://en.wikipedia.org/wiki/Category:Spyware_removal
https://en.wikipedia.org/wiki/Malicious_Software_Removal_Tool
https://listoffreeware.com/best-free-bloatware-remover-for-windows/
name="Multiple Detection Approaches"
https://encyclopedia2.thefreedictionary.com/antivirus+software
binary signature
checksum computed and stored
behavior detection
name="expansiveness"
disadvantages of unlimited memory:
breeding ground for viruses
longer and harder to find things
harder to back up
leads to sloppier programming
allows bloatware, where there is room for trojans to hide
excessive cross referencing (tangling) makes things unstable
smaller independent applications may not all fail at once
name="compromized_distributions"
\laptop\unsorted\factCheckA.txt#:~:text=supplyChain
••• avoid products distributed by compromised developers
SolarWinds, ...
Codecov
https://www.cyberscoop.com/tag/supply-chain-security/
https://www.cyberscoop.com/tag/supply-chain/
GitHub, the Codecov CircleCI Orb and the Codecov Bitrise Step
Atlassian, Mozilla, Sweetgreen, Tile
••• organized international policing
\laptop\security\police\*.txt
ulterior motives: scavengers only make more money when there is trouble
undisciplined flailing will lead to dichotomies
often nothing deeper than association; often people are only repeating words from memory
often something requires seven levels of abstraction, e.g. the OSI network layers: Physical, Data Link, Network, Transport, Session, Presentation, and Application
https://www.slac.stanford.edu/xorg/nmtf/nmtf-tools.html