Content Types in Team Mentor

Looking at the various guidance types currently available in Team Mentor, I noticed some inconsistencies. I spent some time consolidating the guidance types and writing a definition for each one. If every article falls into a well-defined type, it becomes easier to navigate Team Mentor content, to quickly find relevant information, and to generate new content. Here are the content types and the definitions I came up with:

Principles-

  • Top-level nodes of security practice.
  • Provide either a technical or a non-technical high-level description of a concept.
  • Apply to multiple contexts, environments and technologies.
  • Describe what should be done but do not outline how.
  • Are not practical standing on their own; they need to be interpreted and applied to a particular context through one or more guidelines.

Examples are:

  • Description of security program, process or procedure
  • Universally adopted policy
  • Industry best practice
  • High level architecture

Links to and from this article:

  • Guideline(s) that outline implementation of this principle.

TESTS – It can be a principle if it:

  • Does not mandate use of a specific technology.
  • Does not provide a specific remedy or set of instructions.
  • Can be applied universally.
  • Has one or more guidelines derived from it.

Guidelines-

  • Describe the practical implementation of a principle or a part of it.
  • Either technological or people-process solutions that tie to a specific context, phase and scenario.
  • Provide a proven, specific set of instructions to solve a real-world problem without the need to consult anything else.
  • Contain what should be done and why, outline how, and state when.
  • Often contain problem and solution examples, code snippets or configuration commands.

Examples are:

  • Specific software architecture and implementation instructions
  • Specific infrastructure design
  • Specific process descriptions and procedures.

Links to and from this article:

  • How-to(s) that can be used as additional information to implement the guideline
  • Checklist that is used to validate the implementation of this guideline
  • Principle whose implementation this guideline outlines
  • Vulnerability(s) that this guideline will mitigate if followed

TESTS – It can be a guideline if it:

  • Describes a complete solution without the need to do further research.
  • Provides specific information on a specific subject.
  • Describes a specific technology or process.
  • Is derived from a principle.
  • Tells what to do, when and why (passes the “What do I do now?” test).

How-To-

  • A step-by-step instruction on solving a specific technical problem or implementing a people process. It can provide directions on one of the following:
      • A difficult-to-implement part of a guideline, or a whole guideline.
      • Detailed, specific execution steps to exploit or test for a vulnerability.
      • Implementing a people process in a division of an organization.

Examples are:

  • Explanation of how to:
      • Build a code review process into a Waterfall SDLC model.
      • Execute a Cross Site Scripting attack on a site with no input validation.
      • Implement an audit process for DMZ systems that store credit cards.
      • Configure a Cisco Nexus 7000 switch for multiple contexts.
      • Implement an input validation algorithm in a Java class that only accepts letters and numbers.

Links to and from this article:

  • Guideline that this how-to provides specific information for
  • Vulnerability that this how-to provides exploit or test instructions for

TESTS – It can be a How-To if it:

  • Can be followed like a GPS direction to achieve desired result.

Code Example-

  • Handy, reusable code snippet, script or configuration file extract showing the exact technical implementation of a challenging problem.
  • Coded and tested with a specific, documented language or software version.
  • Can be inserted into production code with minimal changes.
  • Is either standalone or referenced by a guideline or a how-to.

Examples are:

  • Java code tested in Java 6.26 for generating an RSA key pair
  • Apache httpd.conf file excerpt showing correct SSL configuration

Links to and from this article:

  • How-To / Guideline that makes use of this Code Example
  • Can be standalone

TESTS – It can be a Code Example if it:

  • Provides a specific technical implementation in a particular language version, OR
  • Provides a specific configuration file excerpt from a particular piece of software.
  • Passes the “Can I cut and paste this?” test.
  • Implements a solution to a difficult problem.
  • Is NOT something normally found in a student textbook.

Checklist Item-

  • A single statement that is a component of a checklist.
  • A checklist, in the form of true/false statements, verifies correct implementation of a guideline.
  • Used as an assessment mechanism for the level of compliance.
  • There is a 1-to-1 relationship between a checklist and a guideline.
  • Checklists can be aggregated to validate a principle.

Examples are:

  • Credit Card information encrypted at rest.
  • Data owner identified for customer data.
  • Data classification scheme in the organization.
  • Web service protected by certificate based authentication.

Links to and from this article:

  • Guideline that this checklist verifies
  • Vulnerability that this checklist checks for (by checking compliance with the supporting guideline)

TESTS – It can be a Checklist Item if it:

  • Is in true/false statement form.
  • Verifies implementation of a specific portion of a guideline.
  • Can be combined with multiple checklist items into a checklist that validates exactly one guideline.
  • Produces consistent answers if completed by different individuals.

Question and Answer-

  • Element of an FAQ list, which is a list of the questions asked most frequently by users.
  • The question is very specific, short and straight to the point.
  • The answer points to a section of the principle, guideline or how-to that answers it.
  • Can be a question for which no article exists yet; in this case the answer would be the beginning of a newly created article.
  • Is a catch-all for items which have no other content.

Examples are:

  • What is the best way to store login string information in .Net?
  • Should developers have access to production?
  • What would be tomorrow’s winning lottery numbers? (This would need a new article.)

Links to and from this article:

  • Specific section of a Guideline/Principle/How-To that answers the question

TESTS – It can be a Question and Answer if it:

  • The question is specific and represents a particular issue at hand.
  • The question is relevant to a technology or a process.
  • The answer can point to a guideline, principle or how-to, or be the beginning of a new one.

Vulnerability-

  • Describes a potential weakness in some aspect of an application, infrastructure or people process that could be used to compromise the system.
  • If exploited, will lead to compromise of confidentiality, integrity or availability of data or systems.
  • A vulnerability description contains:
      • Detailed technical overview of the vulnerability.
      • Business and technical impact if unfixed, and factors that increase or decrease the impact.
      • Specific code/design/process anti-patterns that would lead to this vulnerability.
      • Mitigating controls and countermeasures that can be used to remediate the vulnerability.
  • Can be either technology-specific or technology-neutral.
  • A collection of one or more vulnerabilities, in combination with a threat, is a RISK.

Examples are:

  • Cross Site Scripting.
  • Incorrect file permissions.
  • Unlocked fire escape door.

Links to and from this article:

  • Guideline(s) used to avoid the vulnerability
  • Checklist(s) that check for presence of the vulnerability (by checking compliance with the supporting guideline)
  • Attack(s) that explain how to exploit the vulnerability
  • How-to(s) that explain how to test for presence of the vulnerability

TESTS – It can be a Vulnerability if it:

  • Describes specific weakness in application, system or process.
  • Can be exploited, leading to negative consequences

Attack-

  • Describes high level actions needed to exploit one or more vulnerabilities, in a particular context, leading to a system compromise
  • Can describe an orchestration that executes multiple attacks as one.
  • Refers to specific how-to article(s) for step by step instructions on exploiting vulnerability(s)

Examples are:

  • Man in The Middle
  • War Dialing
  • BEAST Attack
  • Dictionary Attack

Links to and from this article:

  • Vulnerability(s) this attack is exploiting.
  • How-to(s) that explain how to exploit the vulnerability this attack is using.

TESTS – It can be an Attack if it:

  • Describes what vulnerabilities need to be exploited to compromise a system.
  • Does not contain specific execution instructions, but has references to a how-to that does.
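The “Links to and from this article” and TESTS sections above together define a small content graph with rules about which types may link to which, that every guideline derives from a principle and every principle has at least one guideline, that a checklist validates exactly one guideline and a guideline has at most one checklist, and that an attack names its vulnerability and defers execution steps to a how-to. The following Python validator is an added example written for this post, not code from Team Mentor or its author; the type names, the dictionary layout for articles, the `ALLOWED_LINKS` table and the sample article ids are all assumptions made for illustration.

```python
from collections import defaultdict

# Content types from the post and the link targets each one may carry,
# encoded from the "Links to and from this article" sections (assumed names).
ALLOWED_LINKS = {
    "principle": {"guideline"},
    "guideline": {"how-to", "checklist", "principle", "vulnerability"},
    "how-to": {"guideline", "vulnerability"},
    "code-example": {"how-to", "guideline"},           # may also be standalone
    "checklist": {"guideline", "vulnerability"},
    "question-and-answer": {"guideline", "principle", "how-to"},
    "vulnerability": {"guideline", "checklist", "attack", "how-to"},
    "attack": {"vulnerability", "how-to"},
}


def validate(articles):
    """Return a list of rule violations; an empty list means the graph is consistent.

    articles: dict of article id -> {"type": <content type>, "links": [article ids]}
    """
    errors = []
    incoming = defaultdict(set)  # target id -> ids of articles that link to it

    # Pass 1: every link must resolve and must be an allowed type pairing.
    for aid, art in articles.items():
        atype = art["type"]
        if atype not in ALLOWED_LINKS:
            errors.append(f"{aid}: unknown content type '{atype}'")
            continue
        for target in art.get("links", []):
            if target not in articles:
                errors.append(f"{aid}: dangling link to '{target}'")
                continue
            ttype = articles[target]["type"]
            if ttype not in ALLOWED_LINKS[atype]:
                errors.append(f"{aid} ({atype}) may not link to {target} ({ttype})")
            incoming[target].add(aid)

    def linked(aid, wanted_type):
        # Articles of wanted_type reachable by an outgoing OR incoming link
        # ("links to and from this article").
        ids = set(articles[aid].get("links", [])) | incoming[aid]
        return [i for i in ids if i in articles and articles[i]["type"] == wanted_type]

    # Pass 2: per-type structural rules taken from the TESTS sections.
    checklists_per_guideline = defaultdict(list)
    for aid, art in articles.items():
        t = art["type"]
        if t == "principle" and not linked(aid, "guideline"):
            errors.append(f"{aid}: principle with no guideline derived from it")
        elif t == "guideline" and not linked(aid, "principle"):
            errors.append(f"{aid}: guideline not derived from any principle")
        elif t == "checklist":
            guidelines = linked(aid, "guideline")
            if len(guidelines) != 1:
                errors.append(f"{aid}: checklist must validate exactly one guideline, "
                              f"found {len(guidelines)}")
            else:
                checklists_per_guideline[guidelines[0]].append(aid)
        elif t == "attack":
            if not linked(aid, "vulnerability"):
                errors.append(f"{aid}: attack names no vulnerability")
            if not linked(aid, "how-to"):
                errors.append(f"{aid}: attack has no how-to reference for execution steps")

    # 1-to-1: a guideline may have at most one checklist.
    for g, cls in checklists_per_guideline.items():
        if len(cls) > 1:
            errors.append(f"{g}: guideline has {len(cls)} checklists, expected at most one")
    return errors


# Constructed sample graph (ids and contents invented for this example).
SAMPLE = {
    "P1": {"type": "principle", "links": ["G1"]},
    "G1": {"type": "guideline", "links": ["P1", "H1", "C1", "V1"]},
    "H1": {"type": "how-to", "links": ["G1", "V1"]},
    "C1": {"type": "checklist", "links": ["G1"],
           "items": ["Credit card information encrypted at rest."]},
    "V1": {"type": "vulnerability", "links": ["G1", "C1", "A1", "H1"]},
    "A1": {"type": "attack", "links": ["V1", "H1"]},
    "X1": {"type": "code-example", "links": []},   # standalone code example is allowed
}


def broken_sample():
    """Copy of SAMPLE with four deliberate rule violations added."""
    bad = {k: dict(v, links=list(v["links"])) for k, v in SAMPLE.items()}
    bad["G2"] = {"type": "guideline", "links": ["H1"]}             # not derived from a principle
    bad["A2"] = {"type": "attack", "links": ["V1"]}                # no how-to reference
    bad["C2"] = {"type": "checklist", "links": ["G1"]}             # second checklist for G1
    bad["Q1"] = {"type": "question-and-answer", "links": ["A1"]}   # Q&A may not answer via an attack
    return bad


if __name__ == "__main__":
    print("SAMPLE violations:", validate(SAMPLE))
    for e in validate(broken_sample()):
        print("broken:", e)
```

Running the block prints no violations for `SAMPLE` and one line for each of the four defects in `broken_sample()`. The same check can be wired into an import or publish step so that an article whose links break the taxonomy is rejected before it reaches the library.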