glossary of terms

AGILE

Agile is a frequently used methodology applied to the management of software development projects. It is an iterative rather than linear approach which focuses on continuous improvement via...

APACHE STRUTS

Apache Struts is a free, open-source framework for creating elegant, enterprise-ready Java web applications. It favors convention over configuration, is extensible using a plugin architecture, and...

API Security

An API is a set of definitions, routines, protocols, and tools for building and integrating software applications. APIs are software intermediaries that let applications communicate...

APPLICATION SECURITY TESTING (AST)

Application security testing describes the various approaches used by organizations as they attempt to find and eliminate vulnerabilities in their software. Also referred to as AppSec testing and...

APPLICATION VULNERABILITY

Application vulnerabilities are flaws or weaknesses in an application that can lead to exploitation or a security breach. With the enormous global reach of the Internet, web applications are...

BINARY CODE ANALYSIS

Binary code analysis, also referred to as binary analysis or code review, is a form of static analysis that does threat assessment and vulnerability testing at the binary code level. This analysis...

BROKEN ACCESS CONTROL

Broken access control is #5 on the latest (2017) OWASP Top 10 list. Originally a combination of two Top 10 vulnerabilities from the 2013 list (Insecure Direct Object References and Missing Function...

BROKEN AUTHENTICATION

Broken authentication is #2 on the latest (2017) OWASP Top 10 list. Broken authentication is typically caused by poorly implemented authentication and session management functions. Broken...

BRUTE FORCE ATTACK

With a brute force attack, the attacker attempts to crack a password or username using an “exhaustive search” or trial and error approach. In cryptography, a brute force attack consists of the...

BUFFER OVERFLOW

Buffers provide a temporary area for programs to store data. A buffer overflow, also known as a buffer overrun, is when a program overruns a buffer's boundary and overwrites adjacent memory locations...

CODE INJECTION

Code injection is the term used to describe attacks that inject code into an application. That injected code is then interpreted by the application, changing the way a program executes. Code...

COMMAND INJECTION

With a command injection attack, the goal is to hijack a vulnerable application in order to execute arbitrary commands on the host operating system. Command injection is made possible when an...

COMPUTER WORM

Computer worms have been around for more than three decades and show no sign of extinction. Throughout their existence, they have been responsible for billions of dollars in damage...

CROSS-SITE SCRIPTING

Cross-site scripting (XSS) describes a web security vulnerability that allows attackers to compromise user interactions by inserting malicious scripts designed to hijack vulnerable applications. An...

DEVOPS SECURITY

DevOps security refers to the practice of safeguarding an organization’s entire development/operations environment through the use of coordinated policies, processes, and technology. DevOps gives...

DEVSECOPS

DevSecOps is the practice of integrating security with development and operations (DevOps), in order to combine security with agility throughout all stages of the application development lifecycle....

DYNAMIC APPLICATION SECURITY TESTING

Dynamic application security testing (DAST) is a black-box test, working from the outside in, designed to detect security vulnerabilities in an application’s running state. DAST is good at finding...

EXPRESSION LANGUAGE INJECTION

Expression Language Injection (aka EL Injection) enables an attacker to view server-side data and other configuration details and variables, including sensitive code and data (passwords, database...

FALSE NEGATIVE

Designing test cases that accurately identify defects in software can be challenging. As scanners run and tests are conducted, false negatives happen when problems aren’t picked up even though there...

FALSE POSITIVE

False positives occur when a scanning tool, web application firewall (WAF), or intrusion prevention system (IPS) incorrectly flags a security vulnerability during software testing. False positives...

FIREWALL

A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. Either hardware, software, or a combination of both,...

FUZZ TESTING

In the world of cybersecurity, fuzz testing (or fuzzing) is an automated software testing technique that attempts to find hackable software bugs by randomly feeding invalid and unexpected inputs and...

INJECTION

Injection is #1 on the latest (2017) OWASP Top 10 list. Injection vulnerabilities allow attackers to insert malicious inputs into an application or relay malicious code through an application to...

INSECURE DESERIALIZATION

Serialization is the process of converting an object into a format or sequence of bytes that can be persisted on disk or transmitted through streams. The reverse process is called deserialization –...

INSTRUMENTATION

Security instrumentation (aka deep security instrumentation) embeds sensors within applications so they can protect themselves from the most sophisticated attacks in real time. Security...

INSUFFICIENT LOGGING AND MONITORING

Insufficient logging and monitoring is #10 on the 2017 OWASP Top 10 list of the most critical web application security risks, which states that “exploitation of insufficient logging and monitoring is the...

INTERACTIVE APPLICATION SECURITY TESTING

Application security testing describes the various approaches used by organizations as they attempt to find and eliminate vulnerabilities in their software. Also referred to as AppSec testing and...

MALICIOUS CODE

Malicious code is code inserted in a software system or web script intended to cause undesired effects, security breaches, or damage to a system. Taking advantage of common system vulnerabilities,...

MALICIOUS CYBER INTRUSION

As developers strive to meet the demands of the modern software development life cycle (SDLC), they are often confronted with the need to compromise security for faster release...

MAN-IN-THE-MIDDLE ATTACK

In a man-in-the-middle attack, the attacker eavesdrops on the communications between two targets, then secretly relays and possibly alters the messages between parties who believe they are directly...

METHOD TAMPERING

Method tampering (aka verb tampering and HTTP method tampering) is an attack against authentication or authorization systems that have implicit "allow all" settings in their security configuration....

OGNL INJECTION (OGNL)

Object-Graph Navigation Language is an open-source Expression Language (EL) for Java objects. Specifically, OGNL enables the evaluation of EL expressions in Apache Struts, which is the commonly used...

OPEN SOURCE SECURITY

The term "open source" refers to software in the public domain that people can freely use, modify, and share. The adoption of third-party open source software (OSS) has increased significantly over...

OWASP TOP 10

The Open Web Application Security Project (OWASP) is a worldwide not-for-profit organization focused on improving the security of software. The OWASP Top 10 is a listing of the ten most common...

PATH TRAVERSAL/DIRECTORY TRAVERSAL

Path traversal (also known as directory traversal) is an attack that uses an affected application to gain unauthorized access to server file system folders that are higher in the hierarchy than the...

PCI APPLICATION

The Payment Card Industry Data Security Standard (PCI DSS) is a set of widely followed security requirements agreed upon by members of the PCI Security Standards Council. PCI compliance includes...

PCI COMPLIANCE

Payment card industry (PCI) compliance, also referred to as Payment Card Industry Data Security Standard (PCI DSS) compliance, refers to the technical and operational standards businesses must follow...

PENETRATION TESTING

Penetration testing, also known as pen testing, security pen testing, and security testing, is a form of ethical hacking. It describes the intentional launching of simulated cyberattacks by “white...

RASP SECURITY

Coined by Gartner in 2012, Runtime Application Self-Protection (RASP) is an emerging security technology that lets organizations stop hackers’ attempts to compromise enterprise applications and data....

REGULAR EXPRESSION DOS (REDOS)

Regular expressions can reside in every layer of the web. The Regular expression Denial of Service (ReDoS) produces one or more regular expressions or regex(s) that “run on and on” by design. Using...

SCRUM

As a set of values and principles that describes a group's day-to-day interactions and activities, Agile provides the framework for an iterative and incremental software development approach. Scrum...

SDLC

The Software Development Life Cycle (SDLC) is a framework that defines tasks performed at each step in the software development process. SDLC standards provide a structure that can be followed by...

SECURITY MISCONFIGURATIONS

Security misconfiguration is #6 on the latest (2017) OWASP Top 10 list. This vulnerability can occur at any level of an application stack, including network services, platform, web server,...

SENSITIVE DATA EXPOSURE

Sensitive data exposure is #3 on the latest (2017) OWASP Top 10 list. This vulnerability occurs when an application fails to adequately protect sensitive information, leaving it open to accidental...

SESSION FIXATION ATTACK

Session fixation and session hijacking are both attacks that attempt to gain access to a user’s client and web server session. In the session hijacking attack, the attacker attempts to steal the ID...

SESSION HIJACKING

The importance of security is on the rise as digital innovation explodes. And as organizations launch more applications and evolve existing ones, the application attack surface grows. This...

SOFTWARE COMPOSITION ANALYSIS

Today’s software applications rely heavily on open-source components. Software Composition Analysis (SCA) is the process of automating visibility into the use of open source software (OSS) for the...

SPOOFING ATTACK

In a spoofing attack, a malicious party or program impersonates another device or user on a network in order to launch attacks against network hosts, steal data, spread malware, or bypass access...

SQL INJECTION

One of the most serious application security problems, SQL injection is a commonly employed attacker technique designed to exploit databases through a SQL query security flaw. It is a form of web...

STATIC APPLICATION SECURITY TESTING

Static application security testing (SAST) involves analyzing an application’s source code very early in the software development life cycle (SDLC). The SAST analysis specifically looks for coding...

UNTRUSTED OR INSECURE DESERIALIZATION

Serialization refers to the process of converting an object into a format which can be saved to a file or a datastore, sent through streams, or sent over a network. The format in which an object is...

VULNERABILITY SCANNING

Vulnerabilities continue to grow as organizations turn to digital transformation and roll out new applications and enhance existing ones. Identifying and then triaging, diagnosing, and...

AUGMENTING A WAF


WEB APPLICATION FIREWALL

A web application firewall (WAF) is a network defense that filters, monitors, and blocks HTTP traffic to and from a web application. Unlike a regular firewall that serves as a safety gate between...

ZIP FILE OVERWRITE

Zip file overwrite (also known as Zip Slip) exploits a vulnerability that is found in several widely used programming languages. It is especially prevalent in Java where there is no central library...
