The Center for Education and Research in Information Assurance and Security (CERIAS)

Reports and Papers Archive



Drawing Graphs with dot

E. Koutsofios, S.C. North
Added 2002-07-26

Reinforcement Learning

Added 2002-07-26

Guideline for the Analysis of Local Area Network Security

US Department of Commerce
Added 2002-07-26

An Introduction to Computer Security: The NIST Handbook

Barbara Guttman, Edward A. Roback

This handbook provides assistance in securing computer-based resources (including hardware, software, and information) by explaining important concepts, cost considerations, and interrelationships of security controls. It illustrates the benefits of security controls, the major techniques or approaches for each control, and important related considerations. The handbook provides a broad overview of computer security to help readers understand their computer security needs and develop a sound approach to the selection of appropriate security controls. It does not describe detailed steps necessary to implement a computer security program, provide detailed implementation procedures for security controls, or give guidance for auditing the security of specific systems. General references are provided at the end of this chapter, and references to "how-to" books and articles are provided at the end of each chapter in Parts II, III, and IV. The purpose of this handbook is not to specify requirements but, rather, to discuss the benefits of various computer security controls and situations in which their application may be appropriate. Some requirements for federal systems are noted in the text. This document provides advice and guidance; no penalties are stipulated.

Added 2002-07-26

Security Considerations for SQL-based Implementations of STEP

Lawrence E. Bassham, W. Timothy Polk

The Database Language SQL (SQL) is a widely used language for accessing and manipulating relational databases. As such, SQL can be of use in many different operational environments, with correspondingly different needs for security. One specific application of this standard is in Product Data Exchange using STEP (PDES) [PDE93a]. This paper examines the security implications of the versions of the SQL standard as used to implement STEP. STEP does not imply any particular security policy, so a variety of security policies are examined. The paper has been written as a companion document to NIST's general SQL security document, Security Issues in the Database Language SQL [PB93], and references that document frequently.

Added 2002-07-26

Report of the NSF/NIST Workshop on NSFNET/NREN Security

Arthur E. Oldehoeft
Added 2002-07-26

Public Key Infrastructure Invitational Workshop

U.S. Department of Commerce, William E. Burr, ed.

This is the report of the Invitational Workshop on Public Key Infrastructure, which was jointly sponsored by the National Institute of Standards and Technology (NIST), the Security Infrastructure Program Management Office (SI-PMO) and the MITRE Corporation. A public key infrastructure provides a means for issuing and managing public key certificates, which may be used to provide security services, such as authentication, integrity, confidentiality and non-repudiation, between strangers who have no previous knowledge of each other. Papers were presented on the current state of technology and standards for a Public Key Infrastructure, management and technical issues, escrowing keys used for confidentiality exchanges, and cost models.

Added 2002-07-26

Better Logging Through Formality: Applying Formal Specification Techniques to Improve Audit Logs and Log Consumers

CERIAS TR 2000-28
Chapman Flack and Mikhail J. Atallah

We rely on programs that consume audit logs to do so successfully (a robustness issue) and form the correct interpretations of the input (a semantic issue). The vendor’s documentation of the log format is an important part of the specification for any log consumer. As a specification, it is subject to improvement using formal specification techniques. This work presents a methodology for formalizing and refining the description of an audit log to improve robustness and semantic accuracy of programs that use the log. Ideally applied during design of a new format, the methodology is also profitably applied to existing log formats. Its application to Solaris BSM (an existing, commercial format) demonstrated utility by detecting ambiguities or errors of several types in the documentation or implementation of BSM logging, and identifying opportunities to improve the content of the logs. The products of this work are the methodology itself for use in refining other log formats and their consumers, and an annotated, machine-readable grammar for Solaris BSM that can be used by the community to quickly construct applications that consume BSM logs.

Added 2002-07-26
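The robustness and semantic problems the abstract above describes show up whenever a log consumer is written from an informal format description instead of a grammar. The following added example (not code from the paper, and not the Solaris BSM grammar it produced) contrasts the two approaches on a constructed, hypothetical line-oriented audit format: one consumer is driven by a small formal grammar plus a semantic range check and rejects anything it cannot derive; the other splits on the delimiter the way an ad-hoc consumer typically does. The record format, field names and sample lines are all constructed for the example.

```python
"""Grammar-driven vs. ad-hoc audit log consumer (constructed example).

The format below is hypothetical and is not Solaris BSM. The grammar is the
whole specification: a line the grammar does not derive is rejected rather
than guessed at, which is the robustness property the methodology targets.
"""
import re
from dataclasses import dataclass

# Constructed record format, one record per line:
#   TS '|' EVENT '|' UID '|' '"' PATH '"' '|' RESULT
#   TS     = 1-10 decimal digits (seconds since the epoch)
#   EVENT  = 1-32 characters from [A-Z_]
#   UID    = 1-10 decimal digits, value <= 2**32 - 1 (semantic constraint)
#   PATH   = any characters; '"' and '\' are escaped with a backslash,
#            so the field delimiter '|' may legitimately appear inside it
#   RESULT = '0' (failure) or '1' (success)
RECORD_RE = re.compile(
    r'^(?P<ts>[0-9]{1,10})\|'
    r'(?P<event>[A-Z_]{1,32})\|'
    r'(?P<uid>[0-9]{1,10})\|'
    r'"(?P<path>(?:[^"\\]|\\.)*)"\|'
    r'(?P<result>[01])$'
)


@dataclass(frozen=True)
class AuditRecord:
    ts: int
    event: str
    uid: int
    path: str
    result: int


class MalformedRecord(ValueError):
    """Raised when a line is not derivable from the grammar."""


def _unescape(s: str) -> str:
    # Undo the only two escapes the grammar permits.
    return re.sub(r'\\(.)', r'\1', s)


def parse_strict(line: str) -> AuditRecord:
    """Grammar-driven consumer: anything outside the spec is an error."""
    m = RECORD_RE.match(line.rstrip('\n'))
    if m is None:
        raise MalformedRecord(f'not derivable from grammar: {line!r}')
    uid = int(m['uid'])
    if uid > 0xFFFFFFFF:  # semantic constraint the regex alone cannot express
        raise MalformedRecord(f'uid out of range: {uid}')
    return AuditRecord(int(m['ts']), m['event'], uid,
                       _unescape(m['path']), int(m['result']))


def parse_lax(line: str) -> AuditRecord:
    """Ad-hoc consumer written from the prose description
    ("fields are separated by |, the path is quoted"). Splits first,
    asks questions later."""
    parts = line.rstrip('\n').split('|')
    return AuditRecord(int(parts[0]), parts[1], int(parts[2]),
                       parts[3].strip('"'), int(parts[4].strip('"')))


# Constructed sample records.
NORMAL = '1027641600|OPEN_W|1000|"/etc/passwd"|0'
# A file deliberately named 'a|0' so the serialised path contains the delimiter.
TRICKY = '1027641600|OPEN_W|1000|"/tmp/a|0"|1'
TRUNCATED = '1027641600|OPEN_W|1000'
BAD_UID = '1027641600|OPEN_W|5000000000|"/x"|1'


def consume(lines, parser):
    """Run a consumer over lines; return (records, rejected_lines)."""
    records, rejected = [], []
    for line in lines:
        try:
            records.append(parser(line))
        except (MalformedRecord, ValueError, IndexError):
            rejected.append(line)
    return records, rejected


if __name__ == '__main__':
    for name, parser in (('strict', parse_strict), ('lax', parse_lax)):
        recs, bad = consume([NORMAL, TRICKY, TRUNCATED, BAD_UID], parser)
        print(name, [(r.path, r.result) for r in recs], 'rejected:', len(bad))
```

On the TRICKY line the two consumers disagree silently: the grammar-driven parser reports a successful write to `/tmp/a|0`, while the ad-hoc parser reports a failed write to `/tmp/a`, which is exactly the kind of semantic error an analyst would never notice without a reference grammar to compare against. On the truncated and out-of-range lines the strict parser raises a typed error the caller can count, whereas the ad-hoc one crashes with an IndexError or accepts an impossible uid.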

D: A Language Framework for Distributed Programming

C.V. Lopes, G. Kiczales
Added 2002-07-26

NetKuang: A Multi-host Configuration Vulnerability Checker

D. Zerkle, K. Levitt
Added 2002-07-26

RG: A Case-Study for Aspect-Oriented Programming

A. Mendhekar, G. Kiczales, J. Lamping
Added 2002-07-26

Specifying and Checking UNIX Security Constraints

A. Heydon, J.D. Tygar
Added 2002-07-26