Questions tagged [nist]
Abbreviation for the National Institute of Standards and Technology, a US government institution that publishes standards, most notably the FIPS 140-2 standard for cryptographic modules.
79
questions
5
votes
2
answers
2k
views
How do I decide which security framework is most suited to my organization?
There are many IT security frameworks/standards/regulations/etc. to choose from, each with their own pros and cons. For example, ISO 27000 series, NIST CSF, NIST RMF, PCI-DSS, etc. My question is, is ...
0
votes
1
answer
595
views
CVSS v3 and v3.1 Missing temporal metrics (Exploit Code Maturity and Remediation Level) in all CVEs using NVD API
I have been working with the NIST - NVD API v2 and I have noticed that the temporal metrics "remediationLevelType" and "exploitCodeMaturityType" are missing in ALL CVEs that I have ...
1
vote
0
answers
323
views
Different results for CPE search on NVD
I usually stick to finding the right CPE candidate for product-version I am interested in by using the Search Vulnerability Database with Search Type selected as Advanced and then narrowing down from ...
1
vote
2
answers
119
views
any security baseline reference we can use? paid or free
We are looking to provide our Devs and Ops with minimal security baseline requirements - reference materials that they should follow during coding/implementation/etc.
Maybe requirements based on NIST ...
16
votes
4
answers
4k
views
Should one reject login attempts when the correct password is newly added to a password deny list?
Best practices say that when users choose a password (at signup or when changing an existing password), the application should reject that password if it appears on a list of passwords known to be ...
1
vote
0
answers
29
views
Do comparable standards like FIPS exist for Germany or the European Union? [duplicate]
NIST, the National Institute of Standards and Technology, does publish FIPS, the Federal Information Processing Standards Publications.
Does Germany or the European Union have their own standards?
Or ...
0
votes
1
answer
1k
views
Why is there an ASN1 OID and a NIST CURVE reference for the same curve?
$ openssl ecparam -in param-ec.pem -text -noout
ASN1 OID: secp384r1
NIST CURVE: P-384
The file param-ec.pem indicates the curve is P-384, also known as secp384r1.
In the same way:
secp521r1 = P-521 ...
1
vote
0
answers
83
views
Should vendors add their CPEs in the log4j NIST entry?
Software that has packaged a vulnerable version of the log4j library is considered vulnerable to CVE-2021-44228 or "log4shell". When I look at the NIST definition I can see that the ...
0
votes
1
answer
213
views
Verifying that a TLS server supports the PSK-Modes Extension?
I am trying to verify if a TLS Server is configured according to the guidelines specified in NIST SP 800-52.
One rule stated is the following:
TLS servers that support TLS 1.3 and the Pre-Shared Key ...
0
votes
2
answers
289
views
What are the differences between "identifying threats and vulnerabilities" and "risk management"?
I am struggling to appreciate the differences between the 7 steps of the NIST Framework for Improving Critical Infrastructure, which should help an organisation implement it.
Step 1: Prioritize and ...
3
votes
2
answers
195
views
Incident Response and when to consider an incident resolved
I am currently making amendments to an IR process and the topic of incident closure has come up. The organisation follows NIST and therefore their IR process has four phases:
Preparation
Detection &...
0
votes
1
answer
109
views
What is the NIST/FIPS publication process? How long does it usually take for drafts to become final?
I'm specifically concerned with EdDSA being made FIPS compliant, which I realize might take longer with the concerns raised with ECDSA, but I'm curious what the process actually is.
Is it all internal ...
25
votes
6
answers
8k
views
Password entry: are "paste from password manager" and "eyeball to view passwords" mutually-exclusive features?
Context
NIST SP 800-63b gives the following guidance for password forms (aka login pages):
Verifiers SHOULD permit claimants to use “paste” functionality when entering a memorized secret. This ...
1
vote
1
answer
193
views
Is there a documented security standard that forbids or discourages rolling your own crypto?
Is there any security standard published by NIST or another reputed body in information security that explicitly forbids or discourages rolling your own crypto? If yes, would you please post the ...
2
votes
1
answer
202
views
How to tell if Microsoft office has been patched for a vulnerability?
The NIST database holds records for Microsoft Office vulnerabilities, however it only lists the application (i.e. Word 2016) and the service pack. Microsoft release hotfixes outside of service packs, ...