Term Description
Main distinction between an event and an incident

Events are anything that can occur in the IT environment, while incidents are unscheduled events.

This is the textbook definition of an incident versus an event. However, the question is not easy, because many sources in the IT security field define incidents differently: it is common to think of incidents as events that have an adverse impact, or as events that require a response.

ISO/IEC 27034

ISO/IEC 27034 Application Security Controls offers guidance on information security to those specifying, designing and programming or procuring, implementing and using application systems; in other words, business and IT managers, developers and auditors, and ultimately the end users of ICT. The aim is to ensure that computer applications deliver the desired or necessary level of security in support of the organization’s Information Security Management System, adequately addressing many ICT security risks.

NIST 500-299

NIST Cloud Computing Security Reference Architecture

The purpose of this document is to define a NIST Cloud Computing Security Reference Architecture (NCC-SRA)--a framework that:
1. Identifies a core set of Security Components that can be implemented in a Cloud Ecosystem to secure the environment, the operations, and the data migrated to the cloud;
2. Provides, for each Cloud Actor, the core set of Security Components that fall under their responsibilities depending on the deployment and service models;
3. Defines a security-centric formal architectural model that adds a security layer to the current NIST SP 500-292, "NIST Cloud Computing Reference Architecture"; and
4. Provides several approaches for analyzing the collected and aggregated data.

Secure Design and Development

1. Training
- Secure Coding Practices
- Writing Security Tests
- Provider/Platform Technical Training

2. Define
- Code Standards
- Security Functional Requirements

3. Design
- Threat Modeling
- Secure Design

4. Develop
- Code Review
- Unit Testing
- Static Analysis
- Dynamic Analysis

5. Test
- Vulnerability Assessment
- Dynamic Analysis
- Functional Tests
- QA

Immutable Infrastructure

An immutable infrastructure is an infrastructure paradigm in which servers are never modified after they're deployed. If something needs to be updated, fixed, or modified in any way, new servers built from a common image with the appropriate changes are provisioned to replace the old ones. After they're validated, they're put into use and the old ones are decommissioned. 

SAST vs DAST Testing Coverage

SAST Only:
- Null pointer dereference
- Threading issues
- Code quality issues
- Issues in dead code
- Insecure crypto functions
- Issues in back-end application code
- Complex injection issues
- Issues in non-web app code

DAST Only:
- Environment configuration issues
- Patch level issues
- Runtime privileges issues
- Authentication issues
- Protocol Parser Issues
- Session management Issues
- Issues in 3rd party web components
- Malware analysis

Both SAST and DAST:
- SQL injections
- Cross-site scripting
- HTTP Response Splitting
- OS Commanding
- LDAP injection
- XPATH injection
- Path traversal
- Buffer overflows
- Format String Issues

CSA Security Guidance for Critical Areas of Focus in Cloud Computing v4.0 for Kindle

Original Publication:
Original Document:

The issue with the original document is that it is not very Kindle compatible and is hard on the eyes. The document below has improved contrast and is easier to read.

Kindle-Compatible PDF:

File in DOCX format:

Role of the System Owner during the accreditation process

System Owner selects and documents the security controls for the system.
The system owner specifies the information security controls for the system being deployed based on functional requirements from the information owner.

Risk Profile

An organization’s information risk profile should include guiding principles aligned with both its strategic directives and the supporting activities of its IRMS program and capabilities. This information should be listed early in the profile to allow the reader to understand its context and intent. Common guiding principles include the following:

1. Ensure availability of key business processes including associated data and capabilities.

2. Provide accurate identification and evaluation of threats, vulnerabilities and their associated risk to allow business leaders and process owners to make informed risk management decisions.

3. Ensure that appropriate risk-mitigating controls are implemented and functioning properly and align with the organization’s established risk tolerances.

4. Ensure that funding and resources are allocated efficiently to ensure the highest level of information risk mitigation.

Changeover Techniques

- Parallel changeover requires that both old and new systems operate fully for a specified period. When users, management and the IT group are satisfied that the new system operates correctly, the old system is retired. This approach entails very low risk. If the new system does not work correctly, the organization can revert to the old system as a backup.

- Abrupt changeover occurs when users are converted from the old to the new system immediately upon its operational availability. This approach is usually the least expensive but involves a high risk of data loss and system failure. With this approach, the organization cannot revert to the old system as a backup.

- Phased changeover involves modular implementation and simultaneous operation of discrete system components or modules. It is extremely complex to coordinate, particularly with regard to consistency of data across multiple systems or locations. However, this approach retains the possibility to revert to a previous state.