Application programs tested with test data chosen for maximum, minimum, and trivial values, or parameters. The purpose is to analyze system behavior under increasingly heavy workloads and severe operating conditions, and, in particular, to identify points of system failure.

Stretching (password)

The act of hashing each password and its salt thousands of times, which makes the creation of rainbow tables more time-consuming.

Striped core

A communications network architecture in which user data traversing a core IP network is decrypted, filtered, and re-encrypted one or more times in a red gateway. The core is striped because the data path is alternately black, red, and black.

Strongly bound credentials

Strongly bound credential mechanisms (e.g., a signed public key certificate) require little or no additional integrity protection.

Structure charts

A tool used to portray the logic of an application system on a hierarchical basis, showing the division of the system into modules and the interfaces among modules. Like data flow diagrams (DFDs), structure charts can be drawn at different levels of detail from the system level to a paragraph level within a program. Unlike DFDs, structure charts indicate decision points and explain how the data will be handled in the proposed system. A structure charts is derived directly from the DFD with separate branches for input, transformation, and output.

Subclass

A class that inherits from one or more classes.

Subject

Technically, subject is a process-domain pair. An active entity (e.g., a person, a process or device acting on behalf of user, or in some cases the actual user) that can make a request to perform an operation on an object (e.g., information to flow among objects or changes a system state). It is the person whose identity is bound in a particular credential.

Subject security level

A subject’s security level is equal to the security level of the objects to which it has both read and write access. A subject’s security level must always be dominated by the clearance of the user with which the subject is associated.

Subscriber

(1) An entity that has applied for and received a certificate from a certificate authority. (2) A party who receives a credential or token from a credential service provider (CSP) and becomes a claimant in an authentication protocol.

Subscriber identity module (SIM)

A smart card chip specialized for use in global system for mobile communications (GSM) equipment.

Subscriber station (WMAN/WiMAX)

A subscriber station (SS) is a fixed wireless node and is available in outdoor and indoor models and communicates only with BSs, except during mesh network operations.

Substitution table box

Nonlinear substitution table boxes (S-boxes) used in several byte substitution transformations and in the key expansion routine to perform a one-for-one substitution of a byte value. This substitution, which is implemented with simple electrical circuits, is done so fast in that it does not require any computation, just signal propagation. The S-box design, which is implemented in hardware for cryptographic algorithm, follows Kerckhoff’s principle (security-by-obscurity) in that an attacker knows that the general method is substituting the bits, but he does not know which bit goes where. Hence, there is no need to hide the substitution method. S-boxes and P-boxes are combined to form a product cipher, where wiring of the P-box is placed inside the S-box (i.e., S-box is first and P-box is next). S-boxes are used in the advanced encryption standard (AES).

Subsystem

A major subdivision or component of an information system consisting of information, information technology, and personnel that perform one or more specific functions.

Superuser

A user who is authorized to modify and control IT processes, devices, networks, and file systems.

Supervisor state

One of two generally possible states in which a computer system may operate and in which only certain privileged instructions may be executed. The other state in which a computer system may operate is problem-state in which privileged instructions may not be executed. The distinction between the supervisor state and the problem state is critical to the integrity of the system.

Supplementary controls

The process of adding security controls or control enhancements to a baseline security control in order to adequately meet the organization’s risk management needs. These are considered additional controls; after comparing the tailored baseline controls with security requirements definition or gap analysis, these controls are added to make up for the missing or insufficient controls.

Supply chain

A system of organizations, people, activities, information, and resources involved in moving a product or service from supplier/producer to consumer/customer. It uses a defense-in-breadth strategy.

Supply chain attack

An attack that allows an adversary to utilize implants or other vulnerabilities inserted prior to installation in order to infiltrate data or manipulate IT hardware, software, operating systems, IT peripherals or services at any point during the life cycle of a product or service.

Support software

All software that indirectly supports the operation of a computer system and its functional applications such as macroinstructions, call routines, and read and write routines.

Supporting controls

Generic controls that underlie most IT security capabilities. These controls must be in place in order to implement other controls, such as prevent, detect, and recover. Examples include identification, cryptographic key management, security administration, an system protection.

Susceptibility analysis

Examination of all susceptibility information to identify the full range of mitigation desired or possible that can diminish the impacts from exposure of vulnerabilities or access by threats.

Suspended state

The cryptographic key life cycle state used to temporarily remove a previously active key from that status but making provisions for later returning the key to active status, if appropriate.

Symbolic links

A symbolic link or symlink is a file that points to another file. Often, there are programs that will change the permissions granted to a file. If these programs run with privileged permissions, a user could strategically create symlinks to trick these programs into modifying or listing critical system files.

Symmetric key algorithm

A cryptographic algorithm that uses the same secret key for an operation and its complement (e.g., encryption and decryption, or create a message authentication code and to verify the code).

Symmetric key cryptography

(1) A cryptographic key that is used to perform both the cryptographic operation and its inverse (e.g., to encrypt and decrypt a message or create a message authentication code and to verify the code). (2) A single cryptographic key that is used with a secret (symmetric) key algorithm.

Synchronization (SYN) flood attack

(1) A stealth attack because the attacker spoofs the source address of the SYN packet, thus making it difficult to identify the perpetrator. (2) A method of overwhelming a host computer on the Internet by sending the host a high volume of SYN packets requesting a connection but never responding to the acknowledgement packets returned by the host. In some cases, the damage can be very serious. (3) A method of disabling a system by sending more SYN packets than its networking code can handle.