Glossary of Terms

AGILE

Agile is a frequently used methodology applied to the management of software development projects. It is an iterative rather than linear approach which focuses on continuous improvement via...

APACHE STRUTS

Apache Struts is a free, open-source framework for creating elegant, enterprise-ready Java web applications. It favors convention over configuration, is extensible using a plugin architecture, and...

API Security

With organizations pushing forward various digital transformation initiatives, the number of application programming interfaces (APIs) is on the rise, meaning that API security, sometimes referred to...

Application Security Testing (AST)

Application security testing describes the various approaches used by organizations as they attempt to find and eliminate vulnerabilities in their software. Also referred to as AppSec testing and...

Application Vulnerability

Application vulnerabilities are flaws or weaknesses in an application that can lead to exploitation or a security breach. With the enormous global reach of the Internet, web applications are...

BINARY CODE ANALYSIS

Binary code analysis, also referred to as binary analysis or code review, is a form of static analysis that does threat assessment and vulnerability testing at the binary code level. This analysis...

Broken Access Control

Broken access control is #5 on the latest (2017) OWASP Top 10 list. Originally a combination of two Top 10 vulnerabilities from the 2013 list (Insecure Direct Object References and Missing Function...

Broken Authentication

Broken authentication is #2 on the latest (2017) OWASP Top 10 list. Broken authentication is typically caused by poorly implemented authentication and session management functions. Broken...

BRUTE FORCE ATTACK

With a brute force attack, the attacker attempts to crack a password or username using an “exhaustive search” or trial and error approach. In cryptography, a brute force attack consists of the...

Buffer Overflow

Buffers provide a temporary area for programs to store data. A buffer overflow, also known as a buffer overrun, is when a program overruns a buffer's boundary and overwrites adjacent memory locations...

CODE INJECTION

Code injection is the term used to describe attacks that inject code into an application. That injected code is then interpreted by the application, changing the way a program executes. Code...

Command Injection

With a command injection attack, the goal is to hijack a vulnerable application in order to execute arbitrary commands on the host operating system. Command injection is made possible when an...

Computer Worm

Computer worms have been around for more than three decades and show no sign of extinction. Throughout their existence, they have been responsible for billions of dollars in damage. Their fast,...

Cross-Site Scripting

Cross-site scripting (XSS) describes a web security vulnerability that allows attackers to compromise user interactions by inserting malicious scripts designed to hijack vulnerable applications. An...

DevOps Security

DevOps security refers to the practice of safeguarding an organization’s entire development/operations environment through the use of coordinated policies, processes, and technology. DevOps gives...

DevSecOps

As organizations rush to embrace various digital transformation initiatives, DevOps (development and operations) becomes an increasingly critical focus. According to a report from OpsRamp, nearly...

Dynamic Application Security Testing

Dynamic application security testing (DAST) is a black-box test, working from the outside in, designed to detect security vulnerabilities in an application’s running state. DAST is good at finding...

Expression Language Injection

Expression Language Injection (aka EL Injection) enables an attacker to view server-side data and other configuration details and variables, including sensitive code and data (passwords, database...

FALSE NEGATIVE

Designing test cases that accurately identify defects in software can be challenging. As scanners run and tests are conducted, false negatives happen when problems aren’t picked up even though there...

FALSE POSITIVE

False positives occur when a scanning tool, web application firewall (WAF), or intrusion prevention system (IPS) incorrectly flags a security vulnerability during software testing. False positives...

FIREWALL

A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. Either hardware, software, or a combination of both,...

FUZZ TESTING

In the world of cybersecurity, fuzz testing (or fuzzing) is an automated software testing technique that attempts to find hackable software bugs by randomly feeding invalid and unexpected inputs and...

Injection

Injection is #1 on the latest (2017) OWASP Top 10 list. Injection vulnerabilities allow attackers to insert malicious inputs into an application or relay malicious code through an application to...

INSECURE DESERIALIZATION

Deserialization Is a Core Component of Web Applications

At the heart of the essentially limitless realm of information technology is data storage and transfer. Inextricably interlaced with this is a...

INSTRUMENTATION

Security instrumentation (aka deep security instrumentation) embeds sensors within applications so they can protect themselves from the most sophisticated attacks in real time. Security...

INSUFFICIENT LOGGING AND MONITORING

Insufficient logging and monitoring is #10 on the 2017 OWASP Top Ten list of most critical web application security risks, which states that “exploitation of insufficient logging and monitoring is the...

Interactive Application Security Testing

Application security testing describes the various approaches used by organizations as they attempt to find and eliminate vulnerabilities in their software. Also referred to as AppSec testing and...

Malicious Code

Malicious code is code inserted in a software system or web script intended to cause undesired effects, security breaches, or damage to a system. Taking advantage of common system vulnerabilities,...

Malicious Cyber Intrusion

As developers strive to meet the demands of the modern software development life cycle (SDLC), they are often confronted with the need to compromise security for faster release cycles. Without proper...

Man-in-the-Middle Attack

In a man-in-the-middle (MITM) attack, the attacker eavesdrops on the communications between two targets, and then secretly relays and possibly alters the messages between the two parties who believe...

Method Tampering

Method tampering (aka verb tampering and HTTP method tampering) is an attack against authentication or authorization systems that have implicit "allow all" settings in their security configuration....

OGNL Injection (OGNL)

Object-Graph Navigation Language is an open-source Expression Language (EL) for Java objects. Specifically, OGNL enables the evaluation of EL expressions in Apache Struts, which is the commonly used...

Open Source Security

The term "open source" refers to software in the public domain that people can freely use, modify, and share. The adoption of third-party open source software (OSS) has increased significantly over...

OWASP Top 10

The Open Web Application Security Project (OWASP) is a worldwide not-for-profit organization focused on improving the security of software. The OWASP Top 10 is a listing of the ten most common...

Path Traversal/Directory Traversal

Path traversal (also known as directory traversal) is an attack that uses an affected application to gain unauthorized access to server file system folders that are higher in the hierarchy than the...

PCI Application

The Payment Card Industry Data Security Standard (PCI DSS) is a set of widely followed security requirements agreed upon by members of the PCI Security Standards Council. PCI compliance includes...

PCI Compliance

Payment card industry (PCI) compliance, also referred to as Payment Card Industry Data Security Standard (PCI DSS) compliance, refers to the technical and operational standards businesses must follow...

Penetration Testing

Penetration testing, also known as pen testing, security pen testing, and security testing, is a form of ethical hacking. It describes the intentional launching of simulated cyberattacks by “white...

RASP Security

Coined by Gartner in 2012, Runtime Application Self-Protection (RASP) is an emerging security technology that lets organizations stop hackers’ attempts to compromise enterprise applications and data....

Regular Expression DoS (ReDoS)

Regular expressions can reside in every layer of the web. Regular expression Denial of Service (ReDoS) produces one or more regular expressions (regexes) that “run on and on” by design. Using...

SCRUM

As a set of values and principles that describes a group's day-to-day interactions and activities, Agile provides the framework for an iterative and incremental software development approach. Scrum...

SDLC

The Software Development Life Cycle (SDLC) is a framework that defines tasks performed at each step in the software development process. SDLC standards provide a structure that can be followed by...

Security Misconfigurations

Security misconfiguration is #6 on the latest (2017) OWASP Top 10 list. This vulnerability can occur at any level of an application stack, including network services, platform, web server,...

Sensitive Data Exposure

Any industry that collects, stores, or processes sensitive data is at risk for a data breach. In 2020, the average cost of containing a data breach is estimated at $3.86 million, as a result of...

Session Fixation Attack

Session fixation and session hijacking are both attacks that attempt to gain access to a user’s client and web server session. In the session hijacking attack, the attacker attempts to steal the ID...

Session Hijacking

The importance of security is on the rise as digital innovation explodes. And as organizations launch more applications and evolve existing ones, the application attack surface grows. This provides...

Software Composition Analysis

Today’s software applications rely heavily on open-source components. Software Composition Analysis (SCA) is the process of automating visibility into the use of open source software (OSS) for the...

Spoofing Attack

In a spoofing attack, a malicious party or program impersonates another device or user on a network in order to launch attacks against network hosts, steal data, spread malware, or bypass access...

SQL Injection

What Is SQL Injection?

An SQL injection attack consists of an insertion or injection of a SQL query via the input data from the client to the application. SQL commands are injected into data-plane...

Static Application Security Testing

Static application security testing (SAST) involves analyzing an application’s source code very early in the software development life cycle (SDLC). The SAST analysis specifically looks for coding...

Untrusted or Insecure Deserialization

Serialization refers to the process of converting an object into a format which can be saved to a file or a datastore, sent through streams, or sent over a network. The format in which an object is...

Vulnerability Scanning

Vulnerabilities continue to grow as organizations turn to digital transformation and roll out new applications and enhance existing ones. Identifying and then triaging, diagnosing, and remediating...

Web Application Firewall

A web application firewall (WAF) is a network defense that filters, monitors, and blocks HTTP traffic to and from a web application. Unlike a regular firewall that serves as a safety gate between...

Zip File Overwrite

Zip file overwrite (also known as Zip Slip) exploits a vulnerability that is found in several widely used programming languages. It is especially prevalent in Java where there is no central library...