Glossary

A
Application Protection

An application security measure that focuses on enabling applications to detect and prevent attacks during production. See Application Security.

Autonomous Application Protection

A Prevoty runtime application self-protection (RASP) solution that enables applications to detect and prevent attacks in production. Prevoty Autonomous Application Protection is a completely autonomous, meaning self-contained, plugin that attaches to the application container. Its autonomy ensures that it does not need to rely on any network calls or other dependencies to perform its function, keeping security data out of external reach, simplifying deployments, and allowing it to fully function in air-gapped environments. See related content: Prevoty Autonomous Application Protection

Application Security (AppSec)

Software, hardware, and procedural measures taken to improve the security of applications. While application security has traditionally focused on finding, fixing, and preventing application vulnerabilities, recent market shifts have opened sub-domains such as application protection. See related content: The Impact of Security on Application Development

Application Security Testing (AST)

A form of software testing that focuses on finding and fixing vulnerabilities. AST tools include, but are not limited to, static application security testing (SAST), dynamic application security testing (DAST), and interactive application security testing (IAST).

Attack-Based Security Vulnerability Mitigation

A process by which decisions and priorities in vulnerability management programs are determined based on real attack telemetry data coming from autonomous application protection tools running in production.

Attack Surface

The sum of the various entry points an unauthorized user can leverage to breach a system. See Attack Vector.

Attack Vector

A single point of entry an unauthorized user can leverage to breach a system. See Attack Surface.

B
Bill of Materials (BOM)

A list of the components within a piece of software. Today’s applications are assembled from open source, third-party, and first-party components. Also called a software bill of materials.

Black Hat Hacker

A malicious hacker. Black hats may be affiliated with political, ideological, or economic causes. They often work in groups or, in the case of nation-state actors, in units. The objectives of black hats include sensitive data exfiltration, physical and virtual damage, monetary profit, and more.

Blacklisting

An access control mechanism whereby an application is provided an explicit list of unacceptable request elements. All requests are granted access except for those explicitly outlined in the blacklist.

C
Cascading Style Sheets (CSS)

A style sheet language used to describe how content written in markup language like HTML should be presented. Separating content from presentation creates easier accessibility, improves flexibility, and streamlines development.

Cascading Style Sheets (CSS) Injection

An attack technique in which attacker-controlled input is inserted into a page’s style sheet or style attributes, allowing the attacker to alter how the page is presented to other users. See Cascading Style Sheets (CSS).

Clickjacking

The malicious act of concealing clickable elements beneath seemingly legitimate content, such as an iframe layered on top of the web page, manipulating users into performing an action they are not aware of.

Cloud Computing

Leveraging a network of remote servers hosted on the Internet to store, manage, and process data. Hosting applications in the cloud is more beneficial than hosting on a local server or a personal computer because it offers greater scalability and faster performance.

Cloud Security

A set of policies, technologies, and controls for protecting data, applications, and their associated infrastructure. A sub-domain of computer security, network security, and information security.

Command Injection

When a hacker inputs arbitrary commands into a vulnerable application in the hope that they will be executed on the host operating system.

Compiler

Software that translates code written in a programming language into machine language so a computer processor can execute it.

Component

A reusable program or code. Various components are typically combined together to form an application. Components can be first-party (written in-house), third-party (written by an outsourced vendor), or open source (free and widely available for the developer community to use).

Containerization

The practice of bundling an application’s entire runtime environment into one package. A container consists of the application and its dependencies, such as libraries, configuration files, and more. Containerization guarantees predictable, consistent application performance no matter where the application is deployed, because the container carries the dependencies the application needs.

Continuous Deployment

A software development practice in which applications are released in short, iterative cycles. Continuous deployment is an extension of continuous integration. See Continuous Integration.

Continuous Integration

The practice of merging all developer code into a shared repository several times a day, so that changes can be reviewed for integration, code quality, security, and more. This practice enables organizations to catch issues early and regularly, reducing the need to backtrack and pinpoint the problematic code. Continuous integration is a prerequisite for continuous deployment. See Continuous Deployment.

Cross-Site Request Forgery (CSRF)

An attack technique that forces or tricks an authenticated end user into executing the hacker’s desired actions within an application. Examples include clicking a malicious link, changing their password, and more. See OWASP.

Cross-Site Scripting (XSS)

An attack technique in which an application’s input is used to inject scripts that aim to make malicious content available to other end users. See OWASP.

Cybersecurity

Measures implemented to protect internet-connected systems against cyberattacks and against criminal or unauthorized use.

D
Database Access Violation

When policy is violated because a database has been accessed in an unauthorized fashion.

Data Breach

A security incident whereby sensitive information is accessed and disclosed by an unauthorized user in an unauthorized fashion. Also known as a data leak.

Data Security

Protective security measures taken to prevent not only unauthorized access to systems and applications, but also data corruption.

Data Leak

The unauthorized, public transfer of confidential information from a system, application, or database. Also known as a data breach.

DevOps

DevOps is the collective set of practices for speeding up development delivery by improving collaboration between development and operations teams. DevOps utilizes automated technologies to create shorter development cycles and increase deployment frequency. Stems from the compound of “development” and “operations”.

DevSecOps

DevSecOps is the collective set of practices for speeding up development delivery while maintaining application security by improving collaboration between development, security, and operations teams. DevSecOps utilizes automated technologies to create shorter development cycles, increase deployment frequency, and improve release security. Stems from the compound of “development”, “security”, and “operations”.

Denial of Service (DoS)

An attack technique whereby a system or application is overloaded with requests until it is forced to shut down, interrupting service for legitimate users.

Distributed Denial of Service (DDoS)

An attack technique whereby multiple systems simultaneously overload a system or application until it is forced to shut down, interrupting service for legitimate users.

Document Object Model (DOM) Cross-Site Scripting (XSS)

An XSS attack whereby the DOM environment in the victim’s browser is modified so that the page runs in an unexpected manner. See Cross-Site Scripting (XSS).

Dynamic Analysis

Testing an application while it is running without access to its source code. Also known as black box testing.

Dynamic Application Security Testing (DAST)

An application security testing technique that aims to find vulnerabilities while the application is running. The testing solution does not have access to its target’s source code.

E
Exception Handling

An application’s ability to properly process anomalous or exceptional conditions.

Exception Management

Organizational policies and procedures that govern security initiatives that must operate on an exception basis.

Exploit

(Noun) A combination of techniques, knowledge, and technology applied to a weakness or vulnerability to break into an application. (Verb) To take advantage of a vulnerability in order to breach an application.

F
False Negative

When an exploit occurs, but the security solution in place neither detects the malicious activity nor raises an alert.

False Positive

When an exploit did not occur, but the security solution in place detected and alerted on the presence of malicious activity.

Firewall

A network security system that monitors and controls incoming and outgoing traffic for malicious activity. Decisions such as whether to block traffic are based on predetermined security rules.

Free Open Source Software (FOSS)

Software informally developed by a network of programmers. The code is provided for free with the encouragement of modifications and improvement by users and/or the community. See related content: Application Security in an Open Source World.

G
H
Hacker

Someone who exploits applications with malicious intent.

HTML Injection

The act of injecting arbitrary HTML code into a vulnerable web page. HTML injection can lead to unauthorized access to users’ session cookies, modification of page content, and more.

HTTP Response Splitting

A vulnerability whereby a web application or its environment fails to properly sanitize input values, enabling attacks such as cross-site scripting, cross-user defacement, web cache poisoning, and more.

HTTP Method Tampering

A vulnerability whereby authentication and access control mechanisms that depend on the HTTP verb (also known as the HTTP method) can be bypassed by sending a request with an unexpected verb.

I
Information Security (InfoSec)

Collective set of security technologies and processes for maintaining the confidentiality, integrity, and availability of data in its various forms. Confidentiality, integrity, and availability are also referred to as the CIA triad of information security.

Infrastructure as a Service (IaaS)

Service model that delivers computer infrastructure, such as hardware, storage, services, data center space, or network components, to support enterprise online services.

Insecure Transport

When an application configuration fails to enforce that SSL is used for all access controlled pages. Applications use SSL to guarantee confidential communication with client browsers.

Interactive Application Security Testing (IAST)

An emerging technology that automatically and dynamically uncovers code vulnerabilities during development.

J
Java

A programming language that is commonly used for developing web applications and delivering content on the web.

JSON Injection

When a script containing arbitrary elements or attributes is injected into a web application. The application recognizes the input as a JSON data structure, processes it, and writes it to a JSON stream.

Just-In-Time Compiler

A compiler that converts source code into machine code on a needed basis. A JIT compiler predicts which instructions will be executed next so it is able to compile the code just before it’s run. Compiled code resides in memory until the application is closed.

K
L
Legacy Applications

An application that is outdated or obsolete. Legacy applications are often difficult and costly to maintain or update.

Language-theoretic Security (LangSec)

The formal process of understanding how data such as content payloads, database queries, operating system commands and more will execute in an environment. See related content: Prevoty Resources - LangSec

Logging

Refers to an application mechanism whereby data is collected for later consumption, correlation, analysis, and management. Application logs are invaluable data for compliance, audits, security events, and more. Sensitive information, such as authentication passwords, personally identifiable information (PII), and encryption keys, should never be logged unless it is legally sanctioned.

M
Malicious Code

Code or scripts that cause undesired effects, such as security breaches or damage, to an application.

Mitigation

Measures taken to reduce the severity or impact of a vulnerability or incident. Contrast with remediation.

N
Network Security

Policies and practices for preventing and monitoring unauthorized access, misuse, modification, or denial of service of a network and its resources.

O
Open Web Application Security Project (OWASP)

A not-for-profit organization that aims to help organizations develop, purchase, and maintain secure web applications.

OWASP Top Ten

A list of the ten most dangerous web application security flaws and methods for dealing with those flaws. The OWASP Top Ten list is released by the Open Web Application Security Project.

P
Parser

A software component that builds a data structure from input data. The parser checks the input data for correct syntax.

Path Traversal

A web application exploitation technique whereby a hacker gains unauthorized access to restricted files and directories and executes commands outside of the web server’s root directory.

Pattern Matching

Checking tokens or raw data for sequences of a specific pattern. See related content: Signatures Are Dead, Now What?

Payment Card Industry Council (PCI)

A body of major financial services organizations that aims to manage the evolution of the Payment Card Industry Data Security Standard (PCI-DSS).

Payment Card Industry Data Security Standard (PCI-DSS)

A body of information security standards for organizations handling branded credit cards. The standard is mandated by the card brands and administered by the Payment Card Industry Council (PCI).

Personally Identifiable Information (PII)

Information that can be used on its own or in combination with other information to identify a specific individual.

Policy-Based Security

Organizational policies or security mechanisms that define the security or insecurity of an application, system, or request.

R
Regular Expression (RegEx)

A pattern matching method whereby input data is checked for specified patterns defined in a pattern database. Other algorithms may take the reverse approach, where strings of text entered by a user tell the application which pattern to search for.

Remediation

The act of correcting a security issue, such as a vulnerability or an incident. See related content: The Future of Application Security Depends on Our Infrastructure

Risk

The probability that a security incident will occur. Risk is typically calculated by evaluating the combination of threat, vulnerability, and cost.

Risk Management

Identifying, assessing, and controlling threats to prevent them from affecting an organization’s earnings.

Rule-Based Security

Human-crafted or curated rule sets encoded into a system to detect potentially malicious activity.

Runtime

Refers to the time during which an application is running.

Runtime Application Self-Protection (RASP)

An emerging technology that detects and prevents attacks by taking advantage of the fact that it is run from inside the application. The RASP technology differs from perimeter-based protections such as firewalls, which are placed outside of the application. See related content: A Guide to RASP, Prevoty Resources: RASP

S
SANS Top 25

A list of the 25 most widespread and critical errors that can lead to serious vulnerabilities in software. They are often easy to find and exploit, and allow attackers to completely take over the application, steal data, or prevent the application from working at all. The list is maintained by SANS and MITRE.

Security Operations Center (SOC)

A centralized unit that monitors, assesses, and defends against security issues at both the organizational and technical level. It typically leverages several data processing technologies to effectively manage security incidents and events.

Serverless Deployment

Application deployment model whereby the cloud provider manages the allocation of machine resources.

Software as a Service (SaaS)

A distribution model whereby a third-party provider hosts the application over the internet to make it available to customers.

Software Development Life Cycle (SDLC)

A framework for defining tasks performed at each step of the software development process. The SDLC consists of the following phases: planning, implementation, testing, documentation, deployment, and maintenance.

Secure Software Development Life Cycle (SSDLC)

An SSDLC is an application development framework that ensures security assurance activities are integrated into development efforts.

Secure Development Lifecycle (SDL)

An SDL is an application development framework developed by Microsoft that ensures security assurance and compliance activities are integrated into development efforts.

SQL Injection (SQLi)

An injection attack whereby an attacker inserts malicious SQL queries into an entry field with the aim of tampering with or stealing data from the application’s database.

Static Application Security Testing (SAST)

A type of security testing that inspects the source code of an application to uncover security flaws.

Structured Query Language (SQL)

A standardized query language for requesting information from a database.

T
Threat

Anything that has the potential to cause serious harm to an application, system, network, or more.

Third-Party Components

A reusable software component developed for free distribution, or sold, to companies other than the one that developed it.

Third-Party Application

An application developed by companies other than the one using it.

U
Uncaught Exception

When an exception is thrown but is not caught because an application handler has not been specified. In cases where an uncaught exception handler is specified, the routine commonly terminates the program and prints an error message to the console.

Unvalidated Redirects

When a web application accepts untrusted input that causes it to redirect the request to a URL contained within that input. Redirecting users to a malicious site enables phishing scams and the theft of user credentials.

V
Virtual Private Network (VPN)

A technology that establishes a safe and encrypted connection over a less secure network.

Vulnerability

A weakness that can be exploited by a hacker to perform unauthorized activities.

Vulnerability Assessment

The process of defining, identifying, and classifying security weaknesses in applications, systems, procedures, and more.

Vulnerability-Based Security Testing

An application security approach that focuses on detecting and remediating vulnerabilities before the application is deployed into production. See related content: The Real Root Cause of Breaches

Vulnerable Dependencies

When an application relies on a vulnerable software component, such as code, libraries, and more, to function.

W
Weak Authentication

When an authentication vulnerability, bug, or weakness permits unauthorized access to applications, systems, and data.

Weak Browser Caching

Browsers can store data for caching. Caching ensures that previously displayed information doesn’t need to be downloaded again, improving performance. Weak browser caching refers to a malicious user’s ability to gain access to previously entered sensitive information whilst unauthenticated.

Web Application (Web App)

An application that runs on a web server and is accessed by users through a web browser over a network such as the internet, rather than being installed on the user’s own device.

Web Application Firewall (WAF)

A perimeter defense technology that protects web application servers and infrastructure from attacks and breaches originating from the internet and external networks. See related content: The Evolution of AppSec: From WAFs to Autonomous Application Protection

Web Caching

When an application stores previous responses from a web service to reduce web server bandwidth and processing and improve responsiveness for users.

Web Container

In the context of Java, a container is a part of the server that is responsible for maintaining the individual components on the server side.

Web Framework

A software framework that provides a standard way to build and deploy web applications. The purpose of a web framework is to automate the overhead associated with common web development activities. Also known as web application framework.

White Hat Hacker

A security researcher who hacks applications and systems with the intent of improving the security posture of the target.

Whitelisting

A list of items that are granted access to an application, system or protocol. All entities are denied access, except for those included in the whitelist.

X
XML

Short for Extensible Markup Language. A markup language much like HTML, used as a file format for creating common information formats. XML files are used to share both the format and the data on the internet.

XML Injection

An attack technique that injects XML tags into Simple Object Access Protocol (SOAP) messages, a messaging protocol specification for exchanging structured information in web services, to modify the XML structure. See XML.

Y
Z