Glossary of Terms

AGILE

Agile is a frequently used methodology applied to the management of software development projects. It is an iterative rather than linear approach which focuses on continuous improvement via...

APACHE STRUTS

Apache Struts is a free, open-source framework for creating elegant, enterprise-ready Java web applications. It favors convention over configuration, is extensible using a plugin architecture, and...

API

An application program interface (API) is a set of definitions, routines, protocols, and tools for building and integrating software applications. APIs are the software intermediary that allows...

Application Security Testing (AST)

Application security testing describes the various approaches used by organizations as they attempt to find and eliminate vulnerabilities in their software. Also referred to as AppSec testing and...

Application Vulnerability

Application vulnerabilities are flaws or weaknesses in an application that can lead to exploitation or a security breach. With the enormous global reach of the Internet, web applications are...

BINARY CODE ANALYSIS

Binary code analysis, also referred to as binary analysis or code review, is a form of static analysis that does threat assessment and vulnerability testing at the binary code level. This analysis...

Broken Access Control

Broken access control is #5 on the latest (2017) OWASP Top 10 list. Originally a combination of two Top 10 vulnerabilities from the 2013 list (Insecure Direct Object References and Missing Function...

Broken Authentication

Broken authentication is #2 on the latest (2017) OWASP Top 10 list. Broken authentication is typically caused by poorly implemented authentication and session management functions. Broken...

BRUTE FORCE ATTACK

With a brute force attack, the attacker attempts to crack a password or username using an “exhaustive search” or trial and error approach. In cryptography, a brute force attack consists of the...

Buffer Overflow

Buffers provide a temporary area for programs to store data. A buffer overflow, also known as a buffer overrun, is when a program overruns a buffer's boundary and overwrites adjacent memory locations...

CODE INJECTION

Code injection is the term used to describe attacks that inject code into an application. That injected code is then interpreted by the application, changing the way a program executes. Code...

Command Injection

With a command injection attack, the goal is to hijack a vulnerable application in order to execute arbitrary commands on the host operating system. Command injection is made possible when an...

Cross-Site Scripting

Cross-site scripting (XSS) describes a web security vulnerability that allows attackers to compromise user interactions by inserting malicious scripts designed to hijack vulnerable applications. An...

DevOps Security

DevOps security refers to the practice of safeguarding an organization’s entire development/operations environment through the use of coordinated policies, processes, and technology. DevOps gives...

DevSecOps

DevSecOps is the practice of integrating security with development and operations (DevOps), in order to combine security with agility throughout all stages of the application development lifecycle....

Dynamic Application Security Testing

Dynamic application security testing (DAST) is a black-box test, working from the outside in, designed to detect security vulnerabilities in an application’s running state. DAST is good at finding...

Expression Language Injection

Expression Language Injection (aka EL Injection) enables an attacker to view server-side data and other configuration details and variables, including sensitive code and data (passwords, database...

FALSE NEGATIVE

Designing test cases that accurately identify defects in software can be challenging. As scanners run and tests are conducted, false negatives happen when problems aren’t picked up even though there...

FALSE POSITIVE

False positives occur when a scanning tool, web application firewall (WAF), or intrusion prevention system (IPS) incorrectly flags a security vulnerability during software testing. False positives...

FIREWALL

A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. Either hardware, software, or a combination of both,...

FUZZ TESTING

In the world of cybersecurity, fuzz testing (or fuzzing) is an automated software testing technique that attempts to find hackable software bugs by randomly feeding invalid and unexpected inputs and...

Injection

Injection is #1 on the latest (2017) OWASP Top 10 list. Injection vulnerabilities allow attackers to insert malicious inputs into an application or relay malicious code through an application to...

INSECURE DESERIALIZATION

Serialization is the process of converting an object into a format or sequence of bytes that can be persisted on disk or transmitted through streams. The reverse process is called deserialization –...

INSTRUMENTATION

Security instrumentation (aka deep security instrumentation) embeds sensors within applications so they can protect themselves from the most sophisticated attacks in real time. Security...

INSUFFICIENT LOGGING AND MONITORING

Insufficient logging and monitoring is #10 on the 2017 OWASP Top Ten list of most critical web application security risks, which states that “exploitation of insufficient logging and monitoring is the...

Interactive Application Security Testing

Application security testing describes the various approaches used by organizations as they attempt to find and eliminate vulnerabilities in their software. Also referred to as AppSec testing and...

Malicious Code

Malicious code is code inserted in a software system or web script intended to cause undesired effects, security breaches, or damage to a system. Taking advantage of common system vulnerabilities,...

Man-in-the-Middle Attack

In a man-in-the-middle attack, the attacker eavesdrops on the communications between two targets, then secretly relays and possibly alters the messages between parties who believe they are directly...

Method Tampering

Method tampering (aka verb tampering and HTTP method tampering) is an attack against authentication or authorization systems that have implicit "allow all" settings in their security configuration....

OGNL Injection (OGNL)

Object-Graph Navigation Language is an open-source Expression Language (EL) for Java objects. Specifically, OGNL enables the evaluation of EL expressions in Apache Struts, which is the commonly used...

Open Source Security

The term "open source" refers to software in the public domain that people can freely use, modify, and share. The adoption of third-party open source software (OSS) has increased significantly over...

OWASP Top 10

The Open Web Application Security Project (OWASP) is a worldwide not-for-profit organization focused on improving the security of software. The OWASP Top 10 is a listing of the ten most common...

Path Traversal/Directory Traversal

Path traversal (also known as directory traversal) is an attack that uses an affected application to gain unauthorized access to server file system folders that are higher in the hierarchy than the...

PCI Application

The Payment Card Industry Data Security Standard (PCI DSS) is a set of widely followed security requirements agreed upon by members of the PCI Security Standards Council. PCI compliance includes...

PCI Compliance

Payment card industry (PCI) compliance, also referred to as Payment Card Industry Data Security Standard (PCI DSS) compliance, refers to the technical and operational standards businesses must follow...

Penetration Testing

Penetration testing, also known as pen testing, security pen testing, and security testing, is a form of ethical hacking. It describes the intentional launching of simulated cyberattacks by “white...

RASP Security

Coined by Gartner in 2012, Runtime Application Self-Protection (RASP) is an emerging security technology that lets organizations stop hackers’ attempts to compromise enterprise applications and data....

Regular Expression DoS (ReDoS)

Regular expressions can reside in every layer of the web. A Regular expression Denial of Service (ReDoS) attack produces one or more regular expressions (regexes) that “run on and on” by design. Using...

SCRUM

As a set of values and principles that describes a group's day-to-day interactions and activities, Agile provides the framework for an iterative and incremental software development approach. Scrum...

SDLC

The Software Development Life Cycle (SDLC) is a framework that defines tasks performed at each step in the software development process. SDLC standards provide a structure that can be followed by...

Security Misconfigurations

Security misconfiguration is #6 on the latest (2017) OWASP Top 10 list. This vulnerability can occur at any level of an application stack, including network services, platform, web server,...

Sensitive Data Exposure

Sensitive data exposure is #3 on the latest (2017) OWASP Top 10 list. This vulnerability occurs when an application fails to adequately protect sensitive information, leaving it open to accidental...

Session Fixation Attack

Session fixation and session hijacking are both attacks that attempt to gain access to a user’s client and web server session. In the session hijacking attack, the attacker attempts to steal the ID...

Software Composition Analysis

Today’s software applications rely heavily on open-source components. Software Composition Analysis (SCA) is the process of automating visibility into the use of open source software (OSS) for the...

Spoofing Attack

In a spoofing attack, a malicious party or program impersonates another device or user on a network in order to launch attacks against network hosts, steal data, spread malware, or bypass access...

SQL Injection

One of the most serious application security problems, SQL injection is a commonly employed attacker technique designed to exploit databases through a SQL query security flaw. It is a form of web...

Static Application Security Testing

Static application security testing (SAST) involves analyzing an application’s source code very early in the software development life cycle (SDLC). The SAST analysis specifically looks for coding...

Untrusted or Insecure Deserialization

Serialization refers to the process of converting an object into a format which can be saved to a file or a datastore, sent through streams, or sent over a network. The format in which an object is...

Web Application Firewall

A web application firewall (WAF) is a network defense that filters, monitors, and blocks HTTP traffic to and from a web application. Unlike a regular firewall that serves as a safety gate between...

Zip File Overwrite

Zip file overwrite (also known as Zip Slip) exploits a vulnerability that is found in several widely used programming languages. It is especially prevalent in Java where there is no central library...
