Green Pace


Scene 1 (0s)

[Audio] Hello everyone, welcome to my presentation.

Scene 2 (8s)

[Audio] Security Policies "define what is required of an organization's employees from a security perspective" (Dunham, 2020), "support an organization's legal and ethical responsibilities" (Dunham, 2020), and "hold individuals accountable for compliance with expected behaviors with regard to information security" (Dunham, 2020). This supports Defense in Depth by creating layers of security in which, if one fails, others can take its place.

Scene 3 (38s)

[Audio] STD-001-CPP – Choose appropriate types of integers. Choose the most appropriate type of integer needed for a variable. Integer types provide a "finite subset of the mathematical set of integers" based on the specific type of integer. Using an incorrectly sized integer variable can cause a buffer overflow or numerical overflow (wraparound) and lead to exploitable vulnerabilities or undefined behavior (Seacord, 2013, pp. 87-113).

STD-002-CPP – Ensure operations on signed integers do not wrap. Operations on signed integers should not wrap. As seen in standard STD-001-CPP, the data type can be updated to an unsigned integer, which will help prevent wrap in some cases but not all. Prior to executing a mathematical operation on a signed integer, code should check for a potential overflow and act accordingly (Software Engineering Institute, 2006).

STD-003-CPP – Ensure that strings have enough storage space for the character data and a null terminator. Data inserted or copied into an insufficiently sized buffer may result in a buffer overflow. Strings should either be truncated or measures should be in place to ensure sufficient space is available prior to assigning a value (Software Engineering Institute, 2008).

STD-004-CPP – Prevent SQL injection. SQL queries can be maliciously altered, if not sanitized and validated, resulting in information leaks and/or data modification. Stored procedures are the primary defense against SQL injection as no raw SQL string is being sent across the network. Parameterized queries should be used when an application is writing raw queries itself (Software Engineering Institute, 2009).

STD-005-CPP – Do not access memory that has already been freed. Avoid creating or using dangling pointers. Dangling pointers are pointers to memory that has been freed or deallocated by a memory management function. Dangling pointers can lead to unexpected behavior and result in vulnerabilities that can be exploited by a hacker (Software Engineering Institute, 2008).

STD-006-CPP – Use assertions liberally throughout the code. Assert statements can catch bugs early and make debugging easier and quicker. Assertions should include a descriptive error message that is printed if the assert statement fails. This will help with debugging by making it possible to identify where the build failed and under what conditions (LLVM, 2003).

STD-007-CPP – Handle all exceptions. Catching all errors using catch(…) must not be done without reason or proper error handling within the catch statement. This is otherwise considered "error hiding" and can cause unforeseen problems, as the source of the error is not fixed or known.

STD-008-CPP – Do not read uninitialized variables. Variables of type T must be initialized before being read. Attempting to read an uninitialized variable can result in a coding error and vulnerability. This happens because the variable can be removed during compilation as part of the compiler's optimizations (Software Engineering Institute, 2008).

STD-009-CPP – Do not store an already owned pointer into an unrelated smart pointer. Smart pointers enclose a regular pointer and automatically manage its memory allocation via internal constructor and destructor methods in the smart pointer classes.

STD-010-CPP – Do not create strings from null pointers. Passing a null pointer to some of the underlying methods in the string class can result in undefined behavior (Software Engineering Institute, 2014).

Scene 4 (5m 12s)

[Audio] These are the 10 principles which are currently used as input data.

Scene 5 (5m 50s)

[Audio] All coding structures have a code standard they follow, as you can see.
STD-001-CPP – Select integer types that match the required range and usage context
STD-002-CPP – Prevent signed integer overflow during arithmetic operations
STD-003-CPP – Allocate sufficient space for strings, including null terminators
STD-004-CPP – Sanitize inputs to eliminate SQL injection vulnerabilities
STD-005-CPP – Avoid accessing memory after it has been deallocated
STD-006-CPP – Use assertions to validate assumptions and catch logic errors early
STD-007-CPP – Ensure all exceptions are properly caught and handled
STD-008-CPP – Initialize variables before use to prevent undefined behavior
STD-009-CPP – Do not assign raw pointers to unrelated smart pointer types
STD-010-CPP – Avoid constructing strings from null pointer values.

Scene 6 (7m 7s)

[Audio] Data storage on disk should be encrypted before saving to prevent access by other users or systems. In flight, data should be sent through secure encrypted channels like HTTPS. In use, a user's password should be stored as a hashed password and verified via the hashed password, to prevent unauthorized access.

Scene 7 (7m 29s)

[Audio] Authentication involves user logins using credentials like usernames, passwords, or biometrics. Authorization determines user access to specific parts of a system or program. Multiple authorization frameworks can be used within the same program. Accounting involves recording user actions throughout the system to identify whether they need more or less authorization, or whether they are a malicious actor. This policy applies to all system actions from login to exit.

Scene 8 (7m 59s)

[Audio] Unit Testing Overviews have several processes they have to follow as well; some of them are:
• CollectionSmartPointer is not null.
• Empty on Create.
• Can add to empty vector.
• Maximum and capacity are greater than or equal to size.
• Resizing increases or decreases collection.

Scene 9 (8m 20s)

[Audio] Unit Testing Overview
• Resizing Collection to Zero.
• Clear and Erase Collection.
• Reserve Increases Capacity, Not Size.
• Throws OutOfRangeException with Index Out of Bounds.
• Front Returns First Collection Elements.
• Resize Throws Exception When Length Exceeds MaxSize.

Scene 10 (8m 38s)

[Audio] This is a demonstration of production and pre-production and how it all ties together.

Scene 11 (8m 55s)

[Audio] The DevSecOps Pipeline Overview has a few features that help with the process, such as:
• Design phase: Utilizes static analysis tools and built-in IDE tools.
• Build phase: Uses static analysis tools and compiler.
• Verify and test: Automated analysis and testing tools run after each build.

Scene 12 (9m 20s)

[Audio] The policy should be applied to every phase of the DevSecOps pipeline.

Scene 13 (9m 39s)

[Audio] Some recommendations can help with better results.

Scene 14 (9m 51s)

[Audio] My thought on understanding hacker motivations: it is essential for effective threat modeling. By following established security standards and referencing frameworks like Madarie (2017), teams can anticipate attacker behavior. Aligning these motivations with the specific application type ensures defenses are context-aware and strategically focused.

Scene 15 (10m 15s)

REFERENCES
Madarie, R. (2017). Hackers' Motivations: Testing Schwartz's Theory of Motivational Types of Values in a Sample of Hackers. International Journal of Cyber Criminology, 11(1), 78–97. https://banglatechinfo.com/hackers-motivations-exploring-schwartzs-theory-of-motivational-types-in-cybercriminals/
Cayubit, R. F. O., et al. (2017). A Cyber Phenomenon: A Q-Analysis on the Motivation of Computer Hackers. Psychological Studies, 62, 386–394. https://link.springer.com/article/10.1007/s12646-017-0423-9
Ablon, L. (2018). Data Thieves: The Motivations of Cyber Threat Actors and Their Use and Monetization of Stolen Data. RAND Corporation testimony before the U.S. House Financial Services Committee. https://www.rand.org/pubs/testimonies/CT490.html#:~:text=Testimony%20presented%20before%20the%20House%20Financial%20Services%20Committee%2C,publication%20is%20part%20of%20the%20RAND%20testimony%20series.