Jailbreaking — The process of removing the limitations imposed by Apple on devices running iOS by using a custom-built kernel or other attacks to obtain root access. Equivalent to “rooting” an Android device.
Java — A programming language that is concurrent, class-based, and object-oriented.
Key Management (Cryptography) — The process of managing cryptographic keys (e.g., for encryption or signatures), including generation, exchange, storage, use, revocation, and replacement of the keys.
Malicious Code — Code intended to cause undesirable effects in the software or system within which it runs, including effects such as denial of service, unauthenticated access, data exfiltration, participation in a botnet, etc. See Malware.
Malware — Short for “malicious software.” A general term for any program, script, or other software designed to disrupt system operations, gather sensitive information, gain unauthorized privileges, or perform any other unwanted action. See Malicious Code.
Managed Security Services — Outsourced security functions operated by a third party, usually used for the purpose of cutting costs.
Man-in-the-Middle (MitM) Attack — A form of active eavesdropping in which the attacker sits in the middle of an existing communication between victims, or makes independent connections with the victims, and relays and possibly alters messages between them. A successful MitM attack makes the victims believe they are talking directly to each other over a private connection when, in fact, the entire conversation is controlled by the attacker.
Manual Ethical Hack (MEH) — See Vulnerability Assessment and Penetration Testing.
Memory Leaks — A programming failure to release discarded memory which could lead to performance failure.
Mitigation — Reducing the severity or impact of an issue or vulnerability discovered in a security test, often through compensating controls such as log monitoring, application firewalls, and temporarily removing access or functionality. Contrast with Remediation.
Mobile Application Security Framework — A set of technologies that, when used correctly, offer additional security capabilities to mobile applications, such as advanced authentication and root access detection.
National Institute of Standards and Technology (NIST) — The federal technology agency that works with industries to develop and apply technology, measurements, and standards.
National Vulnerability Database (NVD) — A NIST database that maintains security checklists, security related software flaws, misconfigurations, product names, and impact metrics.
Network Security — The process of preventing unauthorized activity across a computer infrastructure or network.
Node.js — An open-source, cross-platform runtime environment used for developing server-side Web applications.
Null Pointer Bugs — A programming term for dangling or wild pointers that do not point to a valid object, producing unpredictable behavior.
Open Source Software (OSS) — Generally, source code that is available for use, modification, and distribution by anyone for any purpose. The definition has evolved significantly over the past 20 years and continues to do so. See https://en.wikipedia.org/wiki/Open-source_software and https://en.wikipedia.org/wiki/Open-source_license for the current dogma.
OpenSSL — An open source implementation of the SSL and TLS protocols.
OWASP — Open Web Application Security Project.
OWASP Top Ten — An OWASP effort that presents a list of what working groups consider the most critical Web application security vulnerabilities.
Path Manipulation — A class of attacks related to the abuse of file system paths, typically misdirecting a query to obtain unauthorized access to data. Also called path traversal attacks or directory traversal attacks. Common examples include the “dot dot slash” attacks that permit attackers to backtrack through a Web server directory structure and obtain sensitive data.
Payment Card Industry Council (PCI) — An industry self-regulating organization formed by Visa, MasterCard, American Express, Discover, and JCB to improve the security of credit card practices.
Payment Card Industry Data Security Standard (PCI DSS) — A set of security regulations for businesses that process credit or debit cards.
Penetration Testing — Goal-oriented security testing that emphasizes an adversarial approach (i.e., simulating attacker methods) in pursuit of one or more specific objectives (e.g., capture the flag). Contrast with Vulnerability Assessment.
Personal Identification Number (PIN) — A numeric sequence used to assist in verifying a user’s identity. PINs are usually a “second factor” in authentication (something you know) used in conjunction with, for example, a credit card or smartphone (something you have).
Phishing — A strategy to deceptively get someone to perform an otherwise undesirable action (e.g., divulge sensitive information or transfer assets) by posing as a trusted party in an electronic communication.
Predictable Session Identifiers — A vulnerability in which Web applications produce guessable identifiers, facilitating various kinds of attacks.
Production Part Approval Process (PPAP) — An automotive supply chain process for establishing confidence in component suppliers and their production processes.
Procurement Language — A set of expectations set forth by the acquirer when obtaining third-party components or software.
Python — A general-purpose, interpreted, dynamic programming language that was in fact named after Monty Python.
Red Teaming — Goal-based, adversarial testing in which a person or group (the red team) evaluates the ability of an organization’s people, processes, and technologies to withstand a targeted attack that may use a variety of techniques across multiple organizational aspects (e.g., physical, personnel, network, operations, process, etc.).
Remediation — Fixing an issue or vulnerability identified in a security test. Contrast with Mitigation.
Requirement (Software) — A description of a need that must be met by software. Requirements are often categorized as functional (e.g., a requirement to use a certain type of authentication) or non-functional (e.g., expressing the emergent behavior of a system to address a negative situation or specific security function).
Reverse Engineering — The “bottom-up” analysis and discovery of technological principles and functionality of a device, object, or system through analysis of its structure, function, and operation.
Risk — (1) The probability that an undesirable event will actually occur. (2) A measure of the potential impact given an undesirable event occurring. Risk assessment is a combination of threat, vulnerability, and cost. If any of these are 0, then the risk is 0. Risk = Threat x Vulnerability x Cost
Risk-Based Security Testing — A type of software testing that prioritizes the security testing of features and functions based on the associated security risk.
Risk Management — The ongoing business process of identifying and prioritizing issues based on the risk they represent, followed by the concerted application of resources to reduce or monitor the risk.
Rooting — The act of removing protections put in place by Android devices, allowing rogue code to be downloaded and executed on a device. Compare with Jailbreaking.
RSA — An asymmetric encryption system (the encryption key and the decryption key are different) whose security is based on the difficulty of factoring the product of two large prime numbers. Key generation creates a public key that can be freely distributed and used for encryption, and a private key that is retained as a secret and used for decryption.
Ruby — An object-oriented, general-purpose programming language influenced by Perl, Smalltalk, Eiffel, Ada, and Lisp.
Runtime Application Self-Protection (RASP) — An application security approach that encompasses a number of technological techniques to instrument an application so attacks can be monitored as they execute and, ideally, blocked in real time. In concept, RASP promises to leverage an application’s unique awareness of anomalous activity; but in practice, such anomaly detection-oriented approaches depend heavily upon baselining “normal” in order to successfully catch “anomalies.”
SANS Institute — The common business name of the Escal Institute of Advanced Technologies, Inc., which provides InfoSec training and awareness.
SANS Top 25 — Top 25 software vulnerabilities as identified by the SANS Institute.
Satellite — An internal group indirectly responsible for software security. A satellite is often a virtual group that interacts directly with application teams in collaboration with and in addition to the software security group (SSG), without directly reporting to the SSG. A satellite is an important contributing factor to a successful software security initiative (SSI).
Secure Coding — The practice of writing software in such a way that it is resistant to attack by malicious people or programs.
Secure Design — The practice of constructing a software foundation that is resistant to attack by malicious people or programs, usually by following well-known secure design patterns and accounting for relevant risks that affect the given system.
Security Operations — A set of people, processes, and technology focused on monitoring, finding, and responding to security issues in operational environments.
Security Policy — A set of mandatory rules (e.g., constraints on behavior and decisions) aimed at governing certain security aspects of a system or organization.
Signoff — A process of gating software development so that code is tested throughout the software development life cycle and not only at the very end.
Smart Grid — An electrical grid that includes various types of computerized equipment (e.g., meters, appliances, generators, batteries, etc.) and the digital communications that allow them to interoperate safely and efficiently.
Social Engineering — A low-tech attack strategy relying on deceiving humans to bypass security controls.
Software Maturity Model — A process used to analyze maturity in a given business process, in this case software development.
Software Security — The overall process of designing, engineering, and testing software so that it continues to function correctly (i.e., as expected) even under malicious attack. A superset of Application Security.
Software Security Group (SSG) — An internal organizational group directly charged with managing and/or executing software security efforts to achieve the SSI objectives. See also Software Security Initiative and Satellite.
Software Security Initiative (SSI) — All of the activities undertaken for the purpose of building secure software, encompassing business, social, and organizational aspects, as well as process and technology.
Software as a Service (SaaS) — A cloud service model that makes software (and applications) hosted by a third party available over a network, usually the Internet.
Software Development Life Cycle (SDLC) — A framework defining activities performed throughout the software development (or application life cycle) process, usually spanning planning, creation, testing, deployment, maintenance, and eventual removal.
Source Code — The raw, uncompiled code itself, readable by a human. To use it, source code must first be compiled on your machine. Compare with Binary Code.
Source Code Review (SCR) — Review of software code using automated or manual approaches to identify potential security vulnerabilities. See also Static Analysis and SAST.
Spoofing — The act of faking an action or request on behalf of a legitimate source (e.g., an email message with a falsified sender address spoofing the source of the message, or assuming another security user’s identity for purposes of gaining unauthorized access to a resource).
SQL Injection — An injection attack used against SQL-based applications. The attacks typically involve the insertion of specific SQL command sequences into an application via an unexpected interface (e.g., a Web form expecting a username). The command sequences in what was supposed to be a username are then inappropriately executed by the application rather than simply using the data as input. The impact of SQL injection attacks can be quite severe because they often result in execution of arbitrary commands at a highly privileged level (e.g., the SQL database administrator).
Spyware — Malware designed to secretly monitor the activities of a user while on their computer. It either reports the user’s behavior to the malware’s designer or takes some malicious action based upon the information acquired.
Static Analysis — Code Review that attempts to identify security vulnerabilities in “static” software—typically software that has been decomposed into its most basic form (i.e., source or object code), and that is not executing while the analysis is performed. See also Source Code Review and SAST.
Static Application Security Testing (SAST) — Analysis of an application's source code to identify vulnerabilities without executing it. Compare with DAST, IAST, and Static Analysis.
Structured Query Language (SQL) — A specialized programming language designed for managing data in relational database management systems.
Tailgating (Piggybacking) — Gaining unauthorized physical access to a building by following an authorized individual into the premises.
Taint Checking — A feature found in programming languages such as Perl and Ruby that is designed to prevent malicious code from executing on a computer by tracking data that originates from untrusted input. Taint checking is most commonly applied to protecting websites against attacks such as SQL injection and buffer overflows.
Test-Driven Development (TDD) — A process for designing software components so that their behavior is defined through unit tests.
Threat — A composite of a threat agent, threat motivation, threat objective, threat method, and one or more attacks. Given dozens or hundreds of types for each (e.g., actors, motivations, objectives, methods, and attack actions), it is not feasible to make a generic list of all threats, and it may be a very long list even for a specific attack surface point on a specific system. A specific combination of threat, vulnerability, and controls yields risk (Risk = Threat x Vulnerability x Cost) that the threat can bypass the controls and exploit the vulnerability to achieve a goal undesirable to the system owners or other stakeholders. Compare with Risk.
Threat Agent — Malicious principal (typically a human being) that has one or more motives to cause harm to a system or its users. Synonymous with Threat Actor.
Threat Modeling — A type of security analysis that documents threat agents, skill, motivation, attack surface, attack vectors, discoverability, probability, impact, and mitigation information for a system to facilitate risk analysis. Identified risks are used as input to change design and to improve downstream security activities like penetration testing and secure code review.
Traceability Matrix — A table used to track the completeness and show the correctness of many-to-many relationships (e.g., software requirements vs. test cases). In threat modeling, a threat traceability matrix maps factors including threat agents, skill, motivation, attack surface, attack vectors, discoverability, probability, impact, and mitigation, providing a more formal correlation of these attributes to enhance the outcome of the threat modeling exercise.
Trojan — Software that masquerades as a beneficial program while surreptitiously destroying data and damaging the system.
Unit Testing — The process of analyzing each unit of software code separately.
Unsafe Environment Variable — A string used to configure operating system execution where use of the string or interpretation of the string is done incorrectly (or cannot ever be done safely) and represents a vulnerability.
Unsafe System Call — (1) A call into kernel software that can block, causing the CPU to become non-responsive until the call returns, effectively rendering the system inoperable. (2) A call into kernel software that inappropriately allows the caller to escalate execution or memory access privileges.
Vendor Assessment (Third-Party Assessment) — An assessment of the risk associated with using software built by a third party given their processes, maturity, resources, and the state of the software they’ve provided.
Virtual Private Network (VPN) — A method of securely connecting two local private networks (e.g., your home and your office) over a public network (e.g., the Internet), enabling systems to safely send and receive data as if they were directly connected.
Virus — A malicious software program specifically designed to replicate to other resources or systems once installed on a computer. Viruses often interfere with a computer’s operation and/or copy, corrupt, or delete data.
Vulnerability — (1) A bug in code or a flaw in software design that can be exploited to cause harm. Exploitation is usually perpetrated by an attacker, but can also occur as a result of authorized actions. (2) A lapse in security procedures or a weakness in internal controls that allow exploitation that would result in a security breach.
Vulnerability Assessment — A testing process used to identify and assign severity levels to as many security defects as possible in a given timeframe. The process may involve automated and manual techniques with varying degrees of rigor. The emphasis is comprehensive coverage. Vulnerability assessments might be targeted at different layers of technology, the most common being host-, network-, and application-layer assessments. Contrast with Penetration Testing.
Waterfall Model — A sequential software development process in which progress is achieved steadily downwards through the different phases of the process, often in a single pass with no iteration. These phases are Requirements, Architecture, Design, Code, Test, Deployment, and Operations. Contrast with Agile Development.
Web 2.0 — A category of Web technologies and applications that offer advanced information sharing, collaboration, and interoperability capabilities based on evolution from static to dynamic Web pages, user-generated content, and the weaving in of social media.
Web Application (Web App) — A client-server application where the client is a Web browser and the server is an application reached through an HTTP-based protocol.
White Box — A type of analysis or testing in which full information about the target system is used by the analysts or testers. This typically includes access to both source code and detailed design documentation, and possibly interviews with personnel involved in architecture and engineering. Contrast with Black Box assessments or tests.
White Hat — A hacker with permission to take apart or otherwise gain access to sensitive assets on a network for non-malicious reasons. Compare with Black Hat.
Worm — A self-propagating piece of malicious software that usually requires minimal interaction from victims to spread (e.g., the Morris Worm spread autonomously by scanning networks, finding specific vulnerabilities in network-exposed services, exploiting them, and then copying itself to the compromised machine).