Black Hat Physical Device Security: Exploiting Hardware and Software

Chapter 4: Mitigating Exposures

Introduction

Mitigation is active interference with an already conceived process, through which an exposure can be removed, handled, or avoided. Choosing not to use a technology because of a security risk may be considered passive mitigation, but in that case the exposure does not exist within the application. For definition purposes, mitigation will refer to direct, active involvement by some method to secure the exposure.

Passive mitigation means choosing not to use a technology because of its exposures, or choosing a technology because it does not have those exposures. Active mitigation means putting processes in place that control exposures and stop them from occurring or from adding to the risk of exploitation.

Technically, all application-level exposures can be mitigated. However, the massive resources required and the performance loss generally leave new and old technologies discarded. Often, in software, some exposures remain that are not high risk. From the perspective of this book, we assume that developers and designers study and know about the exposures that exist. Thus, the way those exposures change the risk of the application can be determined.

Here are the classifications of exposures and some sure ways to mitigate them. The exposures are listed in no specific order. The purpose of this chapter is to outline some exposures that we will look for within hardware devices. We will show that these map directly and apply when we audit some hardware.

If you are aware of the type of exposure and how it works, you...
