メインコンテンツまでスキップ

04 - Security & Privacy

Security Foundations

Relevant DSS-P Skills
  • 4. Security > 4.1 Security Management > Security System Construction and Operation
  • 4. Security > 4.1 Security Management > Security Management
  • Information security - The practice of protecting information by mitigating information risks
  • Vulnerability - A weakness which can be exploited by a threat actor
  • Threat - A potential negative action or event facilitated by a vulnerability
  • Shared Responsibility Model - A security and compliance framework that outlines the responsibilities of cloud service providers (CSPs) and customers for securing every aspect of the cloud environment

Common Threats & Attack Vectors

  • Malware - Any software intentionally designed to cause disruption to a computer, server, client, or computer network
  • Ransomware - A type of malware from cryptovirology that threatens to publish the victim's personal data or perpetually block access to it unless a ransom is paid
  • Social engineering - The psychological manipulation of people into performing actions or divulging confidential information
  • Phishing - A type of social engineering where an attacker sends a fraudulent message designed to trick a person into revealing sensitive information
  • Business Email Compromise (BEC) - A type of phishing attack in which an attacker impersonates a high-level executive and attempts to trick an employee or customer into transferring money or sensitive data
  • Infostealer - A type of Trojan horse designed to gather information from a system
  • Mirai (malware) - A malware that turns networked devices running Linux into remotely controlled bots that can be used as part of a botnet in large-scale network attacks
  • Think before you Click(Fix) - A social engineering technique that tricks users into running malicious commands on their devices by taking advantage of their target's tendency to solve minor technical issues

Modern Security Architectures

  • Zero trust security model - An approach to the design and implementation of IT systems where trust is never granted implicitly and verification is required for everyone
  • Mutual authentication - A process in which both parties in a communications link authenticate each other

Security Training & Competitions

  • Capture the flag (cybersecurity) - A hacking contest where participants use specialized knowledge and techniques to find hidden "Flags" (answers) and compete for the highest total score
  • Platforms
    • CTFd - The easiest Capture The Flag platform to host your own cyber security workshop, providing a rock solid base that is easily customizable with themes and plugins

Cryptography & Data Protection

Relevant DSS-P Skills
  • 4. Security > 4.2 Security Technology > Secure Design, Development, and Construction

Core Cryptography

Hashing

  • Hash Function
    • MD5 - A cryptographically broken but still widely used hash function producing a 128-bit hash value
    • SHA-2 (SHA-224, SHA-256, SHA-384, SHA-512) - A set of cryptographic hash functions designed by the United States National Security Agency (NSA)
    • Bcrypt - A password-hashing function based on the Blowfish cipher
    • Scrypt - A password-based key derivation function created by Colin Percival

Symmetric-key Cryptography

  • Symmetric-key algorithm - Algorithms for cryptography that use the same cryptographic keys for both the encryption of plaintext and the decryption of ciphertext
  • Block Cipher
    • AES - A specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001
    • Salsa20 ChaCha - A variant of Salsa20 that increases the diffusion per round while achieving the same or slightly better performance
  • MAC (Message Authentication Code)
    • HMAC - A specific type of message authentication code (MAC) involving a cryptographic hash function and a secret cryptographic key
  • Modes of Operation
    • CBC (Cipher block chaining) - A mode of operation for a block cipher where a block of plaintext is XORed with the previous ciphertext block before being encrypted
    • GCM (Galois/Counter Mode) - A mode of operation for symmetric-key cryptographic block ciphers which is widely adopted for its performance
    • CCM - A mode of operation for cryptographic block ciphers designed to provide both authentication and confidentiality

Public-key Cryptography

  • Digital signature - A mathematical scheme for verifying the authenticity of digital messages or documents
  • Public-key cryptography - A cryptographic system that uses pairs of keys
    • RSA - A public-key cryptosystem that is widely used for secure data transmission
    • EdDSA - A digital signature scheme using a variant of Schnorr signature based on twisted Edwards curves
  • Key Agreement
  • Encryption Schemes
    • RSAES-PKCS1-v1_5 - An older Encryption/decryption Scheme (ES) was first standardized in version 1.5 of PKCS #1 and is known to be vulnerable
    • RSAES-OAEP - A padding scheme that enhances RSA encryption by adding randomness and preventing partial decryption, it was standardized in PKCS#1 v2 and RFC 2437
  • Signature Schemes
    • RSASSA-PKCS1-v1_5 - A Signature Scheme with Appendix (SSA) was first standardized in version 1.5 of PKCS #1 and is considered unforgeable according to Jager et al. (2018)
    • DSA - A public-key cryptosystem and Federal Information Processing Standard for digital signatures, it is based on the mathematical concept of modular exponentiation and the discrete logarithm problem
    • ECDSA - A variant of the Digital Signature Algorithm (DSA) that utilizes elliptic-curve cryptography
  • Key formats
  • Cryptographic Standards & Formats
    • Cryptographic Message Syntax - The IETF's standard for cryptographically protected messages, used by cryptographic schemes and protocols to digitally sign, digest, authenticate, or encrypt any form of digital data

Public Key Infrastructure (PKI)

  • Public Key Infrastructure (PKI) - A set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates
  • Certificate authority (CA) - An entity that stores, signs, and issues digital certificates
  • Registration authority (RA)
  • Validation authority (VA)
  • Protocols & Standards
  • Validation & Enrollment
    • Domain Control Validation - A process used by certificate authorities (CAs) to verify that the person or organization requesting a certificate has control over the domain(s) listed in the certificate
  • Trust Stores
    • Certifi - A carefully curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts
  • Public key certificate - An electronic document used to prove the validity of a public key
    • Domain Validated (DV)
    • Organization Validated (OV)
    • Extended Validation (EV)
  • Let's Encrypt - A nonprofit Certificate Authority providing TLS certificates
    • certbot - A free, open source software tool for automatically using Let's Encrypt certificates on manually-administrated websites to enable HTTPS
    • lego - A Let's Encrypt client and ACME library written in Go
    • cfssl - Cloudflare's PKI toolkit
  • ACME (Automatic Certificate Management Environment) - A communications protocol for automating interactions between certificate authorities and their users' web servers
  • mkcert.org - A simple tool for making locally-trusted development certificates
  • cert-manager - A powerful and extensible X.509 certificate controller for Kubernetes and OpenShift

Secrets Management

  • Vault - A tool for securely accessing secrets like API keys, passwords, or certificates
  • OneCLI - An open-source credential vault and proxy gateway for AI agents that stores secrets in an encrypted vault and injects them into agent requests without exposing keys
  • SOPS - An editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY formats
  • git-secret - A bash tool to store your private data inside a git repo
  • Kubernetes Ecosystem
    • Sealed Secrets - A Kubernetes controller and tool for one-way encrypted Secrets
    • Secrets Store CSI Driver - A driver that allows Kubernetes to mount multiple secrets, keys, and certs stored in enterprise-grade external secrets stores into pods as a volume
    • External Secrets Operator - A Kubernetes operator that integrates external secret management systems like AWS Secrets Manager, HashiCorp Vault, Google Secrets Manager, Azure Key Vault, and IBM Cloud Secrets Manager
  • Vendor Services
    • Azure Key Vault - A cloud service to safeguard cryptographic keys and other secrets used by cloud apps and services
    • Google Cloud Secret Manager - A secure and convenient storage system for API keys, passwords, certificates, and other sensitive data
    • AWS Key Management Service - A service that makes it easy for you to create and manage cryptographic keys
    • AWS Secrets Manager - A secrets management service that helps you protect access to your applications, services, and IT resources

Applied Cryptography & Tools

  • Advanced Cryptography Topics

    • Post-quantum cryptography - Cryptographic algorithms that are thought to be secure against a cryptanalytic attack by a quantum computer
    • Information Hiding
      • Steganography - The practice of concealing a file, message, image, or video within another file, message, image, or video
      • Digital watermarking - A kind of marker covertly embedded in a noise-tolerant signal such as an audio, video or image data

  • End-to-end Encryption Tools

    • age - A simple, modern and secure file encryption tool, format, and Go library
    • Pretty Good Privacy (PGP) - A data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication
    • OpenPGP - A non-proprietary protocol for exchanging public keys and encrypted messages
    • keys.openpgp.org - A public key server for OpenPGP
    • GnuPG - A free software replacement for the PGP cryptographic software suite
    • Gpg4win - A Windows software package that facilitates the secure transport of emails and files with the help of OpenPGP

  • Cryptographic Libraries

    • PyCryptodome - A self-contained Python package of cryptographic primitives
    • Python cryptography - A package designed to expose cryptographic primitives and recipes to Python developers
    • Go Cryptography - A collection of Go cryptography libraries
    • Botan - A cryptography library written in C++

Identity & Access Management (IAM)

Relevant DSS-P Skills
  • 4. Security > 4.2 Security Technology > Secure Design, Development, and Construction
  • 2. Data Preparation & Utilization > 2.3 Data Management > Improvement of Data Quality and Safety

Integrated IAM

  • Identity management - A framework of policies and technologies for ensuring that the proper people in an enterprise have the appropriate access to technology resources
  • Self-hosted IAM Platforms
    • FusionAuth CE - The self-hosted, community supported version of FusionAuth
    • KeyCloak - An open source identity and access management solution
    • FreeIPA - An integrated security information management solution combining Linux, 389 Directory Server, MIT Kerberos, NTP, DNS, and a certificate system
  • Cloud IAM Services
    • Microsoft Entra ID - A cloud-based identity and access management service
    • AWS IAM - A service that helps you securely control access to AWS resources
    • Amazon Cognito - A service that lets you add user sign-up, sign-in, and access control to your web and mobile apps
    • Auth0 - A flexible, drop-in solution to add authentication and authorization services to your applications
  • Directory service - A service that maps the names of network resources to their respective network addresses
    • LDAP - An open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services
    • OpenLDAP - An open source implementation of the Lightweight Directory Access Protocol
    • 389 Directory Server - A free and open source software project developed by Red Hat for Linux systems
  • Specifications

Authentication (AuthN)

  • Authentication - The act of proving an assertion, such as the identity of a computer system user
  • Multi-factor authentication (MFA) - A method that requires multiple verification methods for access
  • Single sign-on (SSO) - A service that allows one login for multiple applications
  • Protocols & Standards
    • OpenID Connect - A simple identity layer on top of the OAuth 2.0 protocol
    • SAML - A standard for logging users into applications
    • WS-Federation - A specification that defines mechanisms used to broker trust and manage identities, attributes and authentication between participating Web services
    • FIDO2 (WebAuthn, CTAP, Passkeys) - A set of specifications that enables users to leverage common devices to easily and securely authenticate to online services
      • Relying party - The website or online service that wants to verify a user's identity (e.g., your bank's website)
      • Authenticator - The device or software that securely stores cryptographic keys and performs authentication for the user.
      • Client - The software on the user's device, typically a web browser or operating system component, that communicates between the Relying Party and the Authenticator.
      • WebAuthn - An API for accessing Public Key Credentials
      • CTAP - A protocol that enables an external authenticator to communicate with a client platform
      • Passkeys - A phishing-resistant replacement for passwords
    • SPIFFE - The Secure Production Identity Framework for Everyone
    • Kerberos - A computer network authentication protocol that works on the basis of tickets
    • SSPI (Security Support Provider Interface) - A Win32 API that allows an application to use various security models available on a computer or network without changing the interface to the security system
  • Credentials & Tokens
    • Basic authentication - A method for an HTTP user agent to provide a username and password when making a request
    • JSON Web Token (JWT) - An Internet standard for creating data with optional signature and/or optional encryption whose payload holds JSON that asserts some number of claims
    • TOTP (Time-Based One-Time Password) - A temporary passcode, generated by an algorithm, for use in authenticating access to computer systems
  • Platforms & Tools
    • Dex - A Federated OpenID Connect Provider
    • Firebase Authentication - A service that provides backend services, easy-to-use SDKs, and ready-made UI libraries to authenticate users to your app
    • Supabase Auth - A service that provides user management and access control for Supabase projects
    • ReCAPTCHA - A CAPTCHA system that enables web hosts to distinguish between human and automated access to websites
    • Microsoft Authentication Library (MSAL) - A library that helps developers integrate authentication and authorization into applications
    • Application Default Credentials (ADC) - A mechanism used by Google Cloud client libraries to automatically find credentials based on the application environment
    • Limen - A lightweight, composable authentication and authorization library for Go that provides sessions, password hashing, OAuth, and CSRF protection

Authorization (AuthZ)

  • Authorization - The function of specifying access rights/privileges to resources
  • Access Control Models
  • Protocols & Standards
    • OAuth 2.0 Authorization Framework - An open standard for access delegation
      • Resource owner - the user who owns the data or resources that are being accessed
      • Resource server - the server that hosts the protected resources
      • Client - an application or service that wants to access the resources on behalf of the resource owner
      • Authorization server - the server that issues access tokens to the client
  • Platforms & Tools
    • Permify - An open-source authorization service that helps you to create any kind of authorization system with its Golang API
    • Azure Shared Access Signature (SAS) - A signed URI that points to one or more storage resources and includes a token that specifies the permissions and interval of access

Secure Development Lifecycle (DevSecOps)

Relevant DSS-P Skills
  • 4. Security > 4.2 Security Technology > Secure Design, Development, and Construction

Secure Design & Modeling

  • Threat modeling - A process by which potential threats can be identified, enumerated, and prioritized from a hypothetical attacker's point of view
  • OWASP Threat Modeling - Guidance from the OWASP Security Culture project on integrating threat modeling into the development lifecycle
  • STRIDE model - A mnemonic for categorizing computer security threats into six categories
  • MITRE ATT&CK - A globally-accessible knowledge base of adversary tactics and techniques
    • Tactics: The high-level objectives or goals that an adversary aims to achieve during an attack.
    • Techniques: The specific methods or ways adversaries achieve their tactical objectives.
    • Procedures: The specific implementations or variations of techniques that adversaries utilize in their operations.
  • Modeling Tools
    • OWASP Threat Dragon - A free, open-source, cross-platform threat modeling application
    • threatspec - A tool that allows you to define threat models as code

Secure Development Practices

Application Security Testing (AST)

  • Static Analysis (SAST)
    • SonarQube Server - A self-managed, automatic code review tool that systematically helps you deliver clean code
    • GitLab SAST - A tool that checks your source code for known vulnerabilities
    • Bandit (for Python) - A tool designed to find common security issues in Python code
    • Semgrep OSS - A fast, open-source, static analysis tool for finding bugs and enforcing code standards
    • Fluid attacks - A security tool that allows you to find vulnerabilities in your source code, containers and dependencies
  • Dynamic Analysis (DAST)
    • ZAP - The world's most widely used web app scanner, free and open source, and a community based GitHub Top 1000 project that anyone can contribute to
    • Nuclei - A fast and customizable vulnerability scanner powered by the global security community and built on a simple YAML-based DSL
    • sqlmap - An open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers
    • Evilginx - A man-in-the-middle attack framework used for phishing login credentials along with session cookies
  • Secret Detection
    • GitLab Secret Detection - A tool that scans your repository's history for secrets
    • Gitleaks - A SAST tool for detecting and preventing hardcoded secrets like passwords, api keys, and tokens in git repos
    • secretlint - A pluggable linting tool to prevent committing credentials
    • Talisman - A tool that installs a hook to your repository to ensure that potential secrets or sensitive information do not get committed
    • TruffleHog - A tool that scans your environment for secrets, digging deep into commit history and branches
    • Whispers - A static code analysis tool designed for parsing various common data formats in search of hardcoded credentials
  • AI-orchestrated Penetration Testing
    • PentestGPT - An automated penetration testing framework powered by Large Language Models (LLMs)
    • PentAGI - An open-source, fully autonomous AI agent system designed for automated security testing
    • Strix - A set of autonomous AI agents that act like real hackers to run code dynamically, find vulnerabilities, and validate them through actual proof-of-concepts
    • CAI - A lightweight, open-source framework that empowers security professionals to build and deploy AI-powered offensive and defensive automation
    • HexStrike AI - An advanced MCP server that lets AI agents autonomously run 150+ cybersecurity tools for automated pentesting, vulnerability discovery, bug bounty automation, and security research
    • Zen AI Pentest - An autonomous, AI-powered penetration testing framework that combines cutting-edge language models with professional security tools

Infrastructure as Code (IaC) Security

  • Trivy - A comprehensive and versatile security scanner
  • checkov - A static code analysis tool for scanning infrastructure as code (IaC) files for misconfigurations
  • Haskell Dockerfile Linter - A smarter Dockerfile linter that helps you build best practice Docker images
  • kube-score - A tool that performs static code analysis of your Kubernetes object definitions
  • kubesec - A security risk analysis for Kubernetes resources
  • PSRule - A cross-platform PowerShell module with commands to test and verify infrastructure as code (IaC)
    • PSRule for Azure - A suite of rules to validate Azure resources and infrastructure as code (IaC) using PSRule
  • ComplianceAsCode - A project that provides security automation content in various formats like SCAP, Bash, and Ansible
  • complyctl - A command-line tool that uses OSCAL to streamline compliance assessment activities

Software Supply Chain Security (SSCS)

  • Composition Analysis (SCA)
    • SBOM Generation
      • Syft - A CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems
      • OWASP CycloneDX format - A lightweight Software Bill of Materials (SBOM) standard designed for use in application security contexts
      • SPDX format - An open standard for communicating Software Bill of Materials (SBOM) information
    • Vulnerability Scanning
      • Grype - A vulnerability scanner for container images and filesystems
      • OSV-scanner - The official vulnerability scanner for OSV
      • Safety - A tool that checks your installed dependencies for known security vulnerabilities
      • Clair - An open-source project for the static analysis of vulnerabilities in application containers
      • GitLab Container Scanning - A tool that checks your Docker images for known vulnerabilities
      • JFrog Xray - An application security tool that identifies vulnerabilities and license compliance issues across the software supply chain
    • License & Dependency Analysis
      • Feluda - A blazing fast dependency graph generator for Python projects
  • Frameworks & Assessment
    • SLSA framework - A security framework of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure
    • in-toto - A framework to protect software supply chain integrity
    • OpenSSF Scorecard - An automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10
  • Provenance & Artifact Metadata
    • GUAC - An open source tool that aggregates software security metadata into a high fidelity graph database
  • Secure Distribution & Updates
    • The Update Framework (TUF) - A framework for securing software update systems, providing protection even against attackers that compromise the repository or signing keys
  • Code Signing & Integrity
    • Sigstore (Fulcio, Rekor, Cosign) - A new standard for signing, verifying and protecting software
  • Notable Attacks
    • Shai-Hulud npm Supply Chain Attack - A self-propagating worm that harvests sensitive data via post-install scripts and automatically publishes malicious versions of accessible packages to spread further

Runtime & Operational Security

Relevant DSS-P Skills
  • 4. Security > 4.1 Security Management > Incident Response and Business Continuity
  • 4. Security > 4.2 Security Technology > Security Operation, Maintenance, and Monitoring

Cloud-Native Application Protection (CNAPP)

  • The 4 Cs of Cloud-Native Systems - A defense-in-depth approach that divides security strategies into four distinct layers to provide multilayered protection for cloud-native applications
  • Microsoft Defender for Cloud - A cloud-native application protection platform (CNAPP) with a set of security measures and practices designed to protect cloud-based applications
  • Cloud Security Posture Management (CSPM)
    • AWS Security Hub - A cloud security posture management (CSPM) service that performs security best practice checks, aggregates alerts, and enables automated remediation
    • cnquery - A cloud-native, graph-based security tool that allows you to query your entire infrastructure as data
  • Cloud Workload Protection Platform (CWPP)
    • Amazon Inspector - An automated security assessment service that helps improve the security and compliance of applications deployed on AWS
    • Falco - The cloud-native runtime security project
    • Tracee - A powerful runtime security and forensics tool for Linux
    • ClamAV - An open source antivirus engine for detecting trojans, viruses, malware & other malicious threats
    • YARA - The pattern matching swiss knife for malware researchers

Security Operations & Monitoring (SecOps)

  • Detection & Response
  • SIEM & SOAR
    • Security orchestration, automation and response (SOAR) - A stack of compatible software programs that allow an organization to collect data about security threats
    • Microsoft Sentinel - A scalable, cloud-native, security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution
    • Amazon GuardDuty - A threat detection service that continuously monitors for malicious activity and unauthorized behavior
  • Detections & Auditing
    • Sigma Detection Format - A generic and open signature format that allows you to describe relevant log events in a straightforward manner
    • AWS CloudTrail - An AWS service that helps you enable operational and risk auditing, governance, and compliance of your AWS account
    • AWS Config - A service that enables you to assess, audit, and evaluate the configurations of your AWS resources

Policy Enforcement

  • Open Policy Agent (OPA) - An open source, general-purpose policy engine that unifies policy enforcement across the stack
    • Rego - A high-level declarative language used to write policies for OPA
    • Conftest - A utility to help you write tests against structured configuration data
  • Cloud Policy Engines
    • Azure Policy - A service to achieve real-time cloud compliance at scale with consistent resource governance
  • Kubernetes Policy Engines
    • Gatekeeper - A customizable validating webhook that enforces policies executed by the Open Policy Agent (OPA)
    • Kyverno - A policy engine designed for Kubernetes

Digital Forensics & Incident Response (DFIR)

  • Concepts
    • Computer security incident management - The monitoring and detection of security events on a computer or computer network, and the execution of proper responses to those events
    • Digital forensics - A branch of forensic science that involves the recovery, investigation, examination, and analysis of material found in digital devices, often in relation to mobile devices and computer crime
    • Computer forensics - A branch of digital forensic science pertaining to evidence found in computers and digital storage media
  • Tools & Platforms
    • Volatility - The world's most widely used framework for extracting digital artifacts from volatile memory (RAM) samples
    • Autopsy - A digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics tools

Secure Communications & Networking

Relevant DSS-P Skills
  • 4. Security > 4.2 Security Technology > Secure Design, Development, and Construction

Transport Layer Security (TLS)

  • Transport Layer Security (TLS) - A cryptographic protocol designed to provide communications security over a computer network
  • Server Name Indication (SNI) - An extension to the Transport Layer Security (TLS) computer networking protocol
  • Tools & Libraries
    • testssl.sh - A free command line tool which checks a server's service on any port for the support of TLS/SSL ciphers and protocols
    • OpenSSL library - A software library for applications that secure communications over computer networks against eavesdropping
    • stunnnel - A proxy designed to add TLS encryption functionality to existing clients and servers
    • Squid SSL Bump - A feature of Squid proxy that allows it to intercept, decrypt, and re-encrypt SSL/TLS traffic
  • Vulnerabilities
    • Lucky Thirteen attack - A timing attack against the TLS protocol that allows an attacker to decrypt ciphertext

Secure Shell (SSH)

  • Secure Shell (SSH) - A cryptographic network protocol for operating network services securely over an unsecured network
  • Tools & Libraries
    • OpenSSH - The premier connectivity tool for remote login with the SSH protocol
    • PuTTY - A free implementation of SSH and Telnet for Windows and Unix platforms
    • ssh-audit - A tool for SSH server & client configuration auditing
    • keychain - A manager for ssh-agent, typically started from ~/.bash_profile

Web Application Security

  • 3-D Secure - A security protocol designed to be an additional security layer for online credit and debit card transactions
  • Security Mechanisms & Policies
  • Common Vulnerabilities & Attacks
    • Cross-site request forgery (CSRF) - A type of malicious exploit of a website where unauthorized commands are submitted from a user that the web application trusts
    • Cross-site scripting (XSS) - A type of security vulnerability typically found in web applications
    • DNS rebinding - A type of attack that allows a malicious web page to bypass the same-origin policy by exploiting the Domain Name System
    • SSRF (Server-side request forgery) - A type of exploit where an attacker can abuse the functionality on the server to read or modify internal resources
  • Privacy & Transparency
    • Privacy sandbox - Google's initiative to create web technologies that protect people's privacy online and give companies and developers the tools to build thriving digital businesses
    • security.txt - A proposed standard which allows websites to define security policies for researchers

Firewalls & Network Protection

  • Web Application Firewall (WAF)
    • AWS WAF - A web application firewall that helps protect your web applications or APIs against common web exploits and bots
    • Azure Web Application Firewall - A cloud-native service that protects web apps from common web-hacking techniques and vulnerabilities
  • Network-level Protection
    • AWS Shield - A managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS
    • Azure DDoS Protection - A service that provides countermeasures against the most sophisticated DDoS threats
    • Fail2ban - An intrusion prevention software framework that protects computer servers from brute-force attacks
    • Snort (IPS) - The foremost Open Source Intrusion Prevention System (IPS) in the world
  • Host-based Firewalls
    • netfilter (iptables, nftables) - A framework inside the Linux kernel that enables packet filtering, network address translation, and other packet mangling
    • Uncomplicated Firewall (ufw) - A program for managing a netfilter firewall

Email & DNS Security

  • Email Security
  • DNS Security
    • DNSSEC - A feature of the Domain Name System (DNS) that authenticates responses to domain name lookups
    • DNS over TLS (DoT) - A security protocol for encrypting and wrapping Domain Name System (DNS) queries and answers via the Transport Layer Security (TLS) protocol
    • DNS over HTTPS (DoH) - A protocol for performing remote Domain Name System (DNS) resolution via the HTTPS protocol
  • Tools & Libraries
    • OpenDKIM - A community effort develops and maintains a C library for producing DomainKeys Identified Mail-aware applications and an open-source milter for providing the service

Governance, Risk, and Compliance (GRC)

Relevant DSS-P Skills
  • 1. Business Transformation > 1.3 Management of Transformation Activities > Risk & Compliance
  • 4. Security > 4.1 Security Management > Security Management
  • 4. Security > 4.1 Security Management > Privacy Protection

Data Governance

  • Unity Catalog - A universal catalog for data and AI that provides interoperability, openness, and unified governance across various formats and platforms
  • Microsoft Purview - A unified approach to help organizations secure and govern data across their heterogeneous data estate
  • Amazon DataZone - A data management service that makes it faster and easier for customers to catalog, discover, share, and govern data stored across AWS, on premises, and third-party sources

AI Governance & Security

  • METR - A research nonprofit that scientifically measures whether and when AI systems might threaten catastrophic harm to society
  • Microsoft Agent 365 - A centralized governance and management platform designed to oversee autonomous AI agents within an enterprise environment

Regulations & Standards

  • Laws & Regulations
    • General Data Protection Regulation (GDPR) - The toughest privacy and security law in the world
      • Data subject requests (DSR)
      • Breach notification
      • Data protection impact assessment (DPIA)
    • California Consumer Privacy Act (CCPA) - A state statute intended to enhance privacy rights and consumer protection for residents of California
    • Cyber Resilience Act - A regulation that aims to safeguard consumers and businesses buying or using products or software with a digital component by introducing mandatory cybersecurity requirements
  • Security & Privacy Frameworks
    • NIST SP 800-53 - A catalog of security and privacy controls for all U.S. federal information systems except those related to national security
    • OSCAL - The Open Security Controls Assessment Language, a NIST-led initiative that provides open, machine-readable formats (XML, JSON, YAML) to automate security and compliance processes
    • ISO/IEC 27001 / 27002 - The international standard for information security management systems
  • Industry & Audit Standards
    • PCI-DSS - The global standard for payment card data security
    • SOC 2 - A voluntary compliance standard for service organizations which specifies how organizations should manage customer data
    • FIPS 140-2 - A U.S. government computer security standard used to approve cryptographic modules
  • Hardening & Implementation Guides

Vulnerability Management & Reporting

System & Personal Security

Relevant DSS-P Skills
  • 4. Security > 4.1 Security Management > Security System Construction and Operation
  • 4. Security > 4.2 Security Technology > Secure Design, Development, and Construction

OS & Endpoint Security

  • Address space layout randomization (ASLR) - A computer security technique involved in memory protection that prevents exploitation of memory vulnerabilities by randomly arranging the address space positions of key data areas of a process
  • W^X - A security feature that ensures that every page in a process's address space is either writable or executable, but not both
  • Control-flow integrity - A general term for computer security techniques that prevent a wide variety of malware attacks from redirecting the flow of execution of a program
  • TPM (Trusted Platform Module) - A specification for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys
  • Linux Mandatory Access Control
    • SELinux - A set of kernel modifications and user-space tools that have been added to various Linux distributions
    • AppArmor - A Linux kernel security module that allows the system administrator to restrict programs' capabilities with per-program profiles
    • bubblewrap - A low-level unprivileged sandboxing tool used by Flatpak and similar projects
  • Linux Fine-grained Access Control
    • Linux capabilities - A feature that grants some of the power of the superuser to a process, while not granting all of them
  • General Scanning
    • OpenSCAP - An open source implementation of the Security Content Automation Protocol (SCAP)
    • Lynis - A security auditing tool for systems running Linux, macOS, or Unix-based operating system

Personal Security Tools

  • Password Managers
    • 1Password - A password manager and secure vault platform for identities, credentials, and secrets across humans and AI agents
    • pass - The standard unix password manager
    • gokey - A simple vaultless password manager in Go
    • Buttercup - A free, open-source and cross-platform password manager