How is vulnerability assessment different for application and infrastructure?

I am working for a company where vulnerability assessment for infrastructure and applications is being done by different vendors. Sometimes I get confused about whether an assessment should happen on the infrastructure side or the application side.

E.g. xyz application is hosted on Windows 10.

Should I consider it vulnerability assessment on the infrastructure side or application side?

“Episode Boss” encounter balance assessment

I am creating a boss battle for the end of an episode in my campaign using the following homebrew monsters:

Knight Zombie

AC 16 (chainmail) HP 28
STR 13 DEX 15 CON 10 INT 7 WIS 10 CHA 6
Immunities: Poison, Charm, Exhaustion
Attack: Longsword +3 to hit, 1d8+1 damage
CR: 1/2 (100 xp)

Necromancer

AC 14 (mage armor) HP 25
STR 11 DEX 13 CON 11 INT 13 WIS 9 CHA 11
Attack: Quarterstaff Hit:+3, Damage:1H – 1d6, 2H – 1d8
Spells: True strike, Chill touch, Mage Hand, Fire bolt, Magic Missile, Mage Armor, False Life, Blindness, Ray of enfeeblement, Animate dead
Spell save: 14; +4 to hit with spell attacks
Spell slots Available: 3 first and 2 second
CR: 1 (200 xp)

Encounter Stats

Party: 4 level 3 – Ranger, Paladin, Sorcerer, and Fighter
Monsters: 4 Knight Zombies, 1 Necromancer
Encounter CR: 4 (1,000 challenge XP)
Expected Difficulty: Hard, a reasonable expectation to survive but a chance of character death

The Question

Have I correctly assessed the CR of the monsters and encounter?

Improving Lie Detection and Credibility Assessment Rules

Many systems have two or more skills/traits/other numeric values that can be pitted against each other in situations where side A tries to assess side B’s credibility, where side B may or may not be lying. Among many systems, these skills/traits/values may carry such names as Empathy/Kinesics/Body Language/Detect Lies/etc. and Subterfuge/Acting/Deception/etc. respectively.

Most of the RP-immersion-oriented/associative/character-stance systems I’ve seen use those two values in an opposed roll of some sort. Usually, if A wins, the referee tells A’s player whether B appears to be lying or not. If B wins, no such information is given. For the purposes of the question, how the ‘win’ is determined is of little concern: some systems count the number of successes scored, some compare margins of success and failure, some have other methods. The point is that at the end of a roll-off, one of the participating characters is deemed the winner. (Also, for the sake of simplicity, let’s not consider ties and critical victories/losses/successes/failures.)

This works OK even with open rolls during some sort of hostile negotiation, where B is already assumed to be interested in concealing some information, and it’s more a matter of where B tries to mislead A.

However, the above framework breaks down if B is telling the truth and wants to convince A, since in that case suddenly B is interested in having a low trait (or foregoing the roll entirely, if permitted), thus allowing A’s lie-detection ability to inform A of the truthfulness involved.

Not only does this produce perverse incentives, but if foregoing a roll is permitted (including by deliberately failing, making A the automatic or near-guaranteed winner), it also results in meta hints: a target that doesn’t resist lie detection is immediately more trustworthy, while one which does is immediately suspicious to the player even if the character doesn’t know the difference. These factors mean that the mechanic is hostile to attempts to build/play an honest-looking good liar.

I’m looking for an alternative approach to using such skills that can be either used when making a system from scratch, or for houseruling the procedure for making such skills (or similar traits) in systems that use them. These are the improvements I’m seeking and the pitfalls I’m trying to avoid:

  • Minimise perverse incentives (essential), even if one cannot actually follow them after character creation.
  • Minimise possibilities and temptations for metagame ways of figuring out whether a character is lying (essential).
  • Avoid increasing requirements for the amount of secret rolls (if possible). In general, making B’s roll secret is more acceptable than A’s roll, but keep in mind that in the default interpretation above, secrecy of B by itself doesn’t solve the prior two issues.
  • Avoid excessive complexity (if possible), such as having too many rolls for obfuscation purposes.

Does a design pattern exist for resolving lie detection roll-offs in a way that addresses the above concerns?

SPARQL Aware Security Assessment Tool

What are the best vulnerability scanners for an RDF database that uses SPARQL? I like the credentialed scanning in Nessus, but the results are not very valuable, I think because it does not know what to do with the DB. I am trying the WMAP module in Metasploit, but do not have much faith in it. I feel like the market for graph databases is only now gaining traction, so is there anything even available for assessments?

How can I run SQL Server Vulnerability Assessment from a SQL Job?

I want to run SQL Server Vulnerability Assessment from a SQL Server Agent Job. Currently, I am attempting a job with a PowerShell script and am running a command like the one below.

Invoke-SqlVulnerabilityAssessmentScan -ServerInstance $(ESCAPE_DQUOTE(SRVR)) -Database AdventureWorks

I have confirmed that Invoke-SqlVulnerabilityAssessmentScan is available on the SQL Server (I can run it from the PowerShell command prompt there), but when I run my job, I receive an error stating that

The term ‘Invoke-SqlVulnerabilityAssessmentScan’ is not recognized as the name of a cmdlet

After looking at this Microsoft article, I am wondering if SQL Agent only has a subset of PowerShell cmdlets that it can access.

How can I run the vulnerability assessment scan from a SQL Job?

What are some things to consider when making a secure assessment system?

As a programmer, I have typically worked on projects where a lot of the security was baked in or it was not as crucial as the software was for private use. However, I am working on a project that takes users’ answers and calculates a score that will be available to the public and I’m worried about vulnerabilities in the code that I haven’t thought of. I’m using a React frontend and an Express backend, and I simply validate and send the input via POST (with axios), process it on the backend, save it to a MongoDB database, and send the link to a given email address.

What are some of the things I should watch out for and proof against? One such scenario I’ve thought of is users spamming the system and filling up the database with bogus answers, but I don’t know how I would be able to tell the bogus answers apart from the real answers logically and I don’t want to force the user to make an account.

Methodologies to conduct technical IT risk assessment

In the picture below (screenshot from a Pluralsight course on ISO 27005), we can see that “IT risk technology” is not “Information Risk”. The latter is broader. For information risk, methodologies I know are COBIT, MEHARI, EBIOS, OCTAVE, etc.

I was wondering what would be the same for “IT Risk technology”? Would you just say penetration testing and code review are the methodologies at this level?

Apple Keychain Security Risk Assessment

What security measures has Apple taken to minimize security risk with respect to the Apple Keychain password manager?

I enjoy the capability of the password management across OS X and iOS devices; however, I would like to understand the mechanism so I can assess vulnerability risk. Ultimately, I would like to understand Keychain risk and steps that I can take to mitigate risk.

Create a SharePoint 2010 workflow to create a new list item from an intake form library in an assessment form library

I have an intake form (in a form library) that once submitted kicks off a SharePoint Designer (2010) workflow to create a new list item. It creates a new item in my ‘assessment’ form library.

Issue: the workflow works – an item is created, but I have an error that my newly created item cannot read the retrieve data connections that I have. This new assessment form has information pulled in from external tables.

Is there a way to get this to work? The goal would be to have Intake #1 submitted by the end user and then the corresponding Assessment #1 created, and the end user would go to that item and complete the information.