
All Questions

3 votes
3 answers
880 views

What are the security implications of using an old computer with no more BIOS updates?

What are potential security implications of using older unsupported motherboards/laptops that do not get BIOS(UEFI) updates anymore, but run an up to date GNU/Linux distribution? Do measures like ...
asked by Dan Johnson
1 vote
1 answer
124 views

Static react native app security issues

I am creating a react native mobile application using Expo. This app simply renders information - there is no data collection or entry, no user accounts, no database (other than JSON storage). There ...
asked by server_unknown
2 votes
1 answer
2k views

What is the difference between ATT&CK and CAPEC?

My question is on Cyber Threat Intelligence (CTI). I want to know the difference between Attack Patterns (as in MITRE CAPEC) and Tactics, Techniques and Procedures (as in MITRE ATT&CK). They both ...
asked by JacopoStanchi
0 votes
1 answer
256 views

Are security controls themselves considered assets (e.g., cryptographic keys)

Looking at a plain system (there are no security controls implemented yet), we need to think about its functions and derive appropriate assets which we'd like to protect in order to ensure the system ...
asked by smoothware
1 vote
1 answer
7k views

What is the difference between "local" and "Adjacent" threat agents?

I am using CVSS to do the vulnerability assessment for my project. As per documentation here is the definition of local and adjacent Adjacent (A) The vulnerable component is bound to the network ...
asked by kudlatiger
1 vote
1 answer
197 views

Threat modeling for visitor access control

I am trying to understand threat modeling but it seems too elastic, from restrictive requirements to general requirements. Now I am trying to understand it with some realistic examples. The first ...
asked by user3488903
1 vote
1 answer
281 views

Malware Threat Hunting in Airport Systems - KPIs/Metrics to Track [closed]

I am trying to figure out how to detect potential threats from malware in various systems installed in the airport. To be specific, my focus is on the following systems in airports: Baggage ...
asked by SamRoy
1 vote
1 answer
928 views

What are the risks of placing Amazon Resource Names (ARNs) in VCS repositories?

Amazon Resource Names (ARNs) uniquely identify AWS resources. Amazon requires an ARN when you need to specify a resource unambiguously across all of AWS, such as in IAM policies, Amazon Relational ...
asked by FrancisV
143 votes
12 answers
36k views

Is public Wi-Fi a threat nowadays?

In my opinion, arguments we have been using for years to say that public Wi-Fi access points are insecure are no longer valid, and so are the recommended remedies (e.g. use VPN). Nowadays, most sites ...
59 votes
1 answer
5k views

What's the Impact of the CloudFlare Reverse Proxy Bug? ("#CloudBleed")

In Project Zero #1139, it was disclosed that CloudFlare had a bug which disclosed uninitialized memory, leaking private data sent through them via SSL. What's the real impact?
asked by Jeff Ferland
2 votes
4 answers
275 views

Threat modelling - including threats one cannot mitigate?

When threat modelling, should you include the threats a system cannot mitigate? If so, where should you stop? It could be very time-consuming to list all the threats one cannot mitigate.
asked by user5508297
1 vote
0 answers
97 views

SeaSponge Report Generation

I am trying out SeaSponge, a recently developed threat modelling tool which looks interesting. The entry is similar enough to Microsoft's SDL Threat Modelling Tool. However when I click on "Reports" ...
asked by Mdlr
1 vote
2 answers
2k views

Threat Modelling Examples (Distributed Systems)

I have threat modelled applications in the past, but I'd like to threat model a distributed system. However for other people I'm with, who have never done it at all, I'd like to check out some ...
asked by user109017
1 vote
3 answers
431 views

Installed some software over a public insecure wireless network -- should I consider myself compromised?

A couple months earlier, I made the mistake of downloading some software over an insecure wireless network and running it without checking its integrity. I am now considering reinstalling my system, ...
asked by Demi
8 votes
1 answer
239 views

What considerations should apply for self service Renewing, Revoking, or Unrevoking a certificate?

I need to design a self service portal for renewing, revoking, and unrevoking a certificate and have come up with the following rules*: Renewal Certificates have a short term validity and need to ...
asked by makerofthings7
1 vote
2 answers
268 views

Malware for testing [duplicate]

Are there websites and places where you can download all types of malware that you can run and test the security setup of your system? I am currently playing around with UAC+EMET4+MSE and would like ...
asked by Travis Thompson
6 votes
2 answers
964 views

Secure Software Development

I'm researching models on building security into the SDLC and so far have come across: BSIMM Microsoft SDL Open SAMM Are there any other documents and resources to look into? Specific tools that ...
asked by Epoch Win