Full Research Topic Listing

Delivery Mechanisms

  • Articles
  • Podcasts
  • Videos/Video Podcasts
  • Checklists
  • Templates
  • Bibliographies

Categories

  • Attacks
  • Best Practices
  • [Company] Specific Security Controls
  • Checklists and Templates

Content Map

Attacks

1. Attacker Methodology
2. Wireless Attacks
3. Emerging Attacker Profit Models
4. [Possible: Incident Reports on Public Breaches]
5. The SANS Top 25: An Introduction
6. CWE-20 Improper Input Validation
7. CWE-116 Improper Encoding or Escaping of Output
8. CWE-89 Failure to Preserve SQL Query Structure (aka ‘SQL Injection’)
9. Video Demonstration of CWE-89 Failure to Preserve SQL Query Structure (aka ‘SQL Injection’)
10. CWE-79 Failure to Preserve Web Page Structure (aka ‘Cross-site Scripting’)
11. Video Demonstration of CWE-79 Failure to Preserve Web Page Structure (aka ‘Cross-site Scripting’)
12. CWE-78 Failure to Preserve OS Command Structure (aka ‘OS Command Injection’)
13. CWE-319 Cleartext Transmission of Secure Information
14. CWE-352 Cross-Site Request Forgery (CSRF)
15. Video Demonstration of CWE-352 Cross-Site Request Forgery (CSRF)
16. CWE-362 Race Condition
17. CWE-209 Error Message Information Leak
18. CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer
19. Video Demonstration of CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer
20. CWE-642 External Control of Critical State Data
21. CWE-73 External Control of File Name or Path
22. CWE-426 Untrusted Search Path
23. CWE-94 Failure to Control Generation of Code (aka ‘Code Injection’)
24. CWE-494 Download of Code Without Integrity Check
25. CWE-404 Improper Resource Shutdown or Release
26. CWE-665 Improper Initialization
27. CWE-682 Improper Calculation
28. CWE-285 Improper Access Control (Authorization)
29. CWE-327 Use of a Broken or Risky Cryptographic Algorithm
30. CWE-259 Hard-Coded Password
31. CWE-732 Insecure Permission Assignment for Critical Resource
32. CWE-330 Use of Insufficiently Random Values
33. CWE-250 Execution with Unnecessary Privileges
34. CWE-602 Client-Side Enforcement of Server-Side Security
35. The Insider Threat
36. Social Engineering
37. The Malware Primer

Best Practices

38. Why is Security Important? (for business)
39. Host Hardening (for non-system administrators)
40. Wireless Best Practices
41. The Secure Software Development Lifecycle (SDLC) Overview
42. The Secure SDLC: Feasibility
43. The Secure SDLC: Security Requirements
44. The Secure SDLC: Security Requirements Review
45. The Secure SDLC: Secure Architecture
46. The Secure SDLC: Secure Architecture Review
47. The Secure SDLC: Secure Coding
48. The Secure SDLC: Secure Unit Tests
49. The Secure SDLC: Secure Code Review
50. The Secure SDLC: Secure Testing
51. The Secure SDLC: PEN Tests and Remediation
52. The Secure SDLC: Secure Deployment
53. The Secure SDLC: Secure Operations
54. The Secure SDLC: Secure Decommissioning
55. Logging, Alerting and IDS Best Practices
56. The Proper Use of Encryption
57. Incident Response: Planning, Testing and Execution
58. Test Plans for Security
59. Secure Offshore Development
60. Cataloguing and Categorizing Assets
61. Issue Identification, Impact Assessment and Remediation
62. How to Create an Architecture Diagram
63. Security Testing vs. QA

[Company] Specific Security Controls

64. Identity Mechanisms
65. Authorization and Entitlements
66. Integrating with security products (such as: Site Minder and Websphere)
67. Cryptographic Libraries
68. Provisioning

Checklists

Developer

1. Code Review (CIA, AAA, Input validation, Output sanitization)
2. SANS Top 25
3. How To: Input Validation (1 pager)
4. Secure Coding Resources Bibliography

Business Analyst

1. ISRMP (link)
2. Security Requirements Checklist (Questions to Ask)

Manager

1. Incident Response, BCP, DR, Governance and Compliance Links?
2. Crater Chart
3. Bug Assessment Questionnaire

Quality Assurance

1. SANS Top 25: What to Look For (and How)