Category: Security

Security

Cybersecurity Frameworks & Standards: Quick Reference

Manjunath

Use this cheat sheet to quickly match popular cybersecurity frameworks and regulations to the industries that rely on them. Each entry includes a short description to help you pick the right control set for audits, assessments, or roadmap planning.

At a Glance

Cybersecurity Frameworks & Standards Cheat Sheet
Framework / Standard Primary Industry / Sector Brief Description
ISO 27001 Finance, healthcare, IT, government International standard for establishing, implementing, maintaining, and continually improving an ISMS (information security management system).
NIST Cybersecurity Framework (NIST CSF) Critical infrastructure (energy, healthcare, finance, transportation) Risk-based guidance organized around Identify, Protect, Detect, Respond, and Recover functions.
HIPAA Healthcare providers, health plans, clearinghouses U.S. regulation protecting the privacy and security of protected health information (PHI).
PCI DSS Merchants, financial institutions, payment processors Security standard for safeguarding cardholder data and reducing payment card fraud.
GDPR Any organization handling EU residents’ personal data EU regulation granting data privacy rights and setting obligations for data controllers and processors.
CIS Controls Organizations of all sizes and sectors Prioritized set of practical security controls to defend against common cyberattacks.
HITRUST CSF Healthcare organizations and business associates Certifiable framework that harmonizes requirements from HIPAA, NIST, ISO, and others.
COBIT All industries IT governance and management framework aligning technology with business objectives.
NERC CIP Electric utilities, power generation companies Standards for protecting the bulk electric system in North America.
FISMA U.S. federal agencies and contractors U.S. law requiring comprehensive information security programs for federal information and systems.
SOC 2 SaaS providers, managed service providers, data centers, cloud platforms Attestation report evaluating controls against Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.
CCPA Businesses collecting personal information from California residents California law providing consumer data privacy rights and business obligations.
CISA Telecoms Framework U.S. telecommunications providers Guidance and best practices for securing telecommunications infrastructure and services.
NIST SP 800-53 U.S. federal agencies and organizations Catalog of security and privacy controls for federal information systems and organizations.
NIST SP 800-171 Non-federal organizations handling CUI Requirements to protect controlled unclassified information (CUI) for the U.S. government.
UK Telecoms (Security) Act 2021 Telecommunications companies operating in the United Kingdom Legal obligations to strengthen security and resilience of UK telecom networks.

How to Use This Cheat Sheet

  • General maturity: Start with ISO 27001 or NIST CSF for a broad security program.
  • Industry specifics: Apply HIPAA/HITRUST for healthcare, PCI DSS for payments, and NERC CIP for energy.
  • Privacy: Map your data practices to GDPR and CCPA obligations.
  • Cloud & services: Use SOC 2 to demonstrate assurance to customers and partners.

Notes & Caveats

  • Frameworks are complementary—organizations often implement more than one.
  • Scope and applicability depend on your data types, geography, and contractual obligations.
  • Always consult current official documentation before audits or certifications.

Last updated: August 2025.

Nutshell Series, Security

🔐 Common Security Testing Terminologies

Manjunath
Term Full Form Purpose Category
SAST Static Application Security Testing Analyzes code or binaries to find vulnerabilities before runtime. Static
Secure Code Review Manual or automated inspection of code for security flaws. Static
DAST Dynamic Application Security Testing Simulates attacks on a running application to find security issues. Dynamic
Fuzzing Fuzz Testing Sends malformed or random data to discover crashes and bugs. Dynamic
Pen Testing Penetration Testing Ethical hacking to uncover and exploit real-world vulnerabilities. Dynamic
IAST Interactive Application Security Testing Combines SAST and DAST with real-time analysis via instrumentation. Hybrid
RASP Runtime Application Self-Protection Monitors and protects applications in real-time during execution. Hybrid
SCA Software Composition Analysis Identifies vulnerabilities in open-source and third-party components. Component-based
VAPT Vulnerability Assessment and Penetration Testing Combines scanning and exploitation to assess security posture. Operational
Threat Modeling Identifies and prioritizes threats early in the development lifecycle. Operational
Bug Bounty Rewards external security researchers for responsibly reporting vulnerabilities. Operational
Nutshell Series, Security

🧾 SAST vs DAST Comparison

Manjunath
Feature SAST (Static Application Security Testing) DAST (Dynamic Application Security Testing)
Testing Type White-box Black-box
Access to Code Required (analyzes source code or binaries) Not required (tests from outside the app)
When Used Early in SDLC (during coding/build phase) Later in SDLC (during or after deployment)
What It Tests Source code, bytecode, or binaries Running application, web interfaces, APIs
Finds Code-level issues (e.g., SQL injection, secrets) Runtime issues (e.g., logic flaws, auth problems)
False Positives Higher (due to theoretical analysis) Lower (based on real execution)
Speed Fast (no need to run the app) Slower (requires deployed app and interactions)
Tool Examples SonarQube, Checkmarx, Fortify OWASP ZAP, Burp Suite, Acunetix
Language Dependency Language-specific Language-agnostic
Use Case Secure code review, CI/CD integration Real-world attack simulation, post-deployment testing
Security

How to Remove the AEAD Flag in GPG and Verify Changes

Manjunath

GPG (GNU Privacy Guard) is a powerful encryption tool that provides secure communication and file encryption. If you want to remove the AEAD (Authenticated Encryption with Associated Data) flag from your GPG key preferences, follow the steps below. We will also include commands to save your changes and verify the updated preferences.

Step 1: Access Key Preferences

To begin, you need to edit the specific GPG keys where you want to update the preferences.

Use the following command to open the key in expert editing mode:

gpg --expert --edit-key <key_id>

Replace <key_id> with the actual key ID of your GPG key. For example:

gpg --expert --edit-key ******************************

Step 2: View Current Preferences

Once inside the GPG key editing interface, you can view the current preferences by typing:

showpref

This will display the algorithms and preferences currently set for the key. Review them to confirm the presence of the AEAD flag or any settings you want to change.

Step 3: Update Key Preferences

To update the preferences and remove the AEAD flag, use the setpref command with your desired configuration. For example:

setpref AES256 AES192 AES SHA512 SHA384 SHA256 SHA224 ZLIB BZIP2 ZIP

This command updates the preferences to include specific encryption algorithms, hashing algorithms, and compression methods. Ensure you list only the options you wish to use.

Step 4: Save Changes

After updating the preferences, save the changes by typing:

save

This will exit the key editing interface and apply the updates to the GPG key.

Step 5: Verify Changes

To verify that the preferences have been updated correctly, use the following command to list your keys:

gpg --list-keys

Locate the relevant key in the output and confirm that the preferences match your updated configuration. You can also re-enter the key editing interface and use the showpref command to confirm:

gpg --expert --edit-key <key_id>
showpref

This ensures that the AEAD flag has been successfully removed and your desired preferences are in place.

Conclusion

By following these steps, you can effectively remove the AEAD flag from your GPG key preferences and verify that the changes have been applied. Properly managing your encryption settings ensures that your communications and data remain secure and compatible with your requirements.

AI, ML, Security

The Rise of AI Operating Systems and Machine Learning: A Look at Responsible AI and Security

Manjunath

Artificial Intelligence (AI) and Machine Learning (ML) are reshaping how we interact with technology. As AI models grow more sophisticated, there is an increasing interest in AI operating systems (AI OS)—a new breed of platforms designed to manage and optimize AI resources efficiently. With the proliferation of AI-driven applications, the importance of responsible AI and security has also come to the forefront. In this blog, we’ll dive into AI OS, the role of ML, and the critical concepts of responsible AI and security.

Understanding AI Operating Systems

An AI Operating System is a specialized software platform that facilitates the efficient execution, management, and optimization of AI workloads. Unlike traditional operating systems designed to manage conventional computing resources, AI OS caters specifically to the unique needs of AI models, such as rapid training, real-time inferencing, and dynamic data handling.

Some key components of an AI OS include:

  • Resource Optimization: AI OS efficiently allocates CPU, GPU, and memory resources, ensuring smooth execution of AI algorithms while minimizing latency.
  • ML Model Management: AI OS platforms typically come with built-in tools for managing machine learning models, from deployment to monitoring and updates.
  • Scalability: Scalability is crucial, and AI OS can adapt to handle vast amounts of data as AI-driven applications evolve.
  • Interoperability: AI OS often comes with support for multiple AI frameworks such as TensorFlow, PyTorch, and ONNX, allowing developers the flexibility to choose their preferred tools.

AI OS solutions, like Microsoft Azure AI, Google’s Vertex AI, and NVIDIA’s AI Enterprise, are leading the way by providing platforms that cater to both developers and businesses aiming to streamline their AI projects.

Machine Learning: A Core Pillar of AI OS

Machine Learning forms the backbone of any AI OS. ML algorithms help automate processes, derive insights, and make decisions without human intervention. In an AI OS, machine learning can be leveraged in several ways:

  • Data Processing and Analysis: ML models process and analyze large datasets in real-time, providing the necessary insights for making informed decisions.
  • Model Training and Optimization: AI OS automates model training, optimizing hyperparameters, and ensuring efficient use of resources.
  • Personalization: AI OS platforms use ML to personalize user interactions based on preferences and behaviors, creating a better user experience.

The Importance of Responsible AI

While AI has the potential to transform industries, it also comes with challenges that must be addressed to ensure its responsible use. Responsible AI is a framework for ensuring that AI technologies are developed and used in ways that are fair, ethical, and safe.

Key principles of responsible AI include:

  • Fairness: AI systems should be free from bias and discrimination. It’s essential to ensure that the data used to train AI models is representative and does not introduce biases that could result in unfair outcomes.
  • Transparency: AI models should be transparent and explainable. Users should have the ability to understand how an AI system makes its decisions, especially in high-stakes scenarios like finance, healthcare, or law.
  • Accountability: Organizations should be accountable for the outcomes of their AI models. Clear lines of responsibility must be drawn to ensure any errors or harms can be addressed appropriately.
  • Privacy: AI OS should handle data in a way that respects user privacy, complying with regulations such as GDPR. Data anonymization and secure storage are critical elements of responsible AI.

Security in AI OS and ML

With the rise of AI-driven technologies, securing AI systems has become increasingly important. AI OS and ML models can be vulnerable to several types of attacks, including:

  • Data Poisoning: Data poisoning occurs when attackers introduce malicious data into the training set, leading the model to produce incorrect predictions. Ensuring the integrity of training datasets is critical to prevent such attacks.
  • Model Inversion Attacks: In model inversion attacks, adversaries can reconstruct sensitive information from a model’s predictions. To mitigate this, AI OS platforms should employ techniques like differential privacy to safeguard user data.
  • Adversarial Attacks: These are attempts to manipulate input data in a way that misleads the model into making incorrect decisions. Using robust ML techniques and adversarial training can help make models more resilient.
  • Access Control and Authentication: AI OS must ensure that access to sensitive data and models is restricted to authorized personnel only. Strong authentication and role-based access control (RBAC) mechanisms are key to ensuring security.

A secure AI environment also involves continuous monitoring, regular security audits, and updating ML models as new vulnerabilities are discovered.

The Future of AI OS: Balancing Innovation, Responsibility, and Security

AI Operating Systems are opening new doors for innovation, making AI more accessible and efficient. The future of AI OS will likely involve deeper integrations between machine learning models and AI-driven applications, helping businesses optimize their workflows and make data-driven decisions faster.

However, as AI technology becomes more pervasive, the need for responsible AI and stringent security protocols will continue to grow. Developers, organizations, and governments must work together to establish frameworks, guidelines, and best practices that ensure AI benefits everyone while minimizing its risks.

AI OS and machine learning represent the cutting edge of technology. By emphasizing responsible AI and security, we can ensure that these advancements contribute positively to society and are adopted in ways that are ethical, safe, and beneficial to all.