Software Security Knowledge Database

This Knowledge Database is an information resource for members of the software security community to reference a range of topics and disciplines within cyber security including software security, software development, information security, network security and more.

Agile Methodology
The Agile software development methodology is based on collaborative decision making between requirements and solutions teams, and a cyclical, iterative progression of producing working software.

Binary Code
Binary code is the machine-readable form of a program: the sequence of bits a processor executes directly. It is produced by compiling or assembling human-readable source code, and it is the form reverse engineers and vulnerability analysts must work with when source code is unavailable.

Cloud Computing
Security is often cited as one of the main reasons organizations hesitate to use the Cloud. In practice, major cloud providers secure the underlying infrastructure at least as well as most organizations secure their own servers. Under the shared responsibility model, however, the customer remains accountable for configuration, identity and access management, and the data it stores, and misconfiguration on the customer side is a far more common cause of cloud breaches than compromise of the provider.

Code Review
Secure code review is the strategic review of a piece of software’s code to identify potential security vulnerabilities. Incorporating this security activity at an early stage of the development life cycle reduces overhead costs and the time it takes developers to remediate security bugs.

Cross-site Request Forgery
A Cross-Site Request Forgery (CSRF) attack exploits a Web application that cannot distinguish a request its user intended to make from one that the user's browser was induced to send by another site. Because the browser attaches the user's cookies automatically, the forged request is processed with the victim's privileges.
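The synchronizer-token defence that this definition implies, as an added example written for this page rather than taken from any application: the server stores a random token in the session and embeds it in its own forms; a state-changing handler accepts a request only if the submitted token matches. Plain dicts stand in for the session and the posted form, and the handler and field names are illustrative.

```python
import hmac
import secrets

# Added example: synchronizer-token CSRF protection modelled without a web
# framework. `session` and `form` are plain dicts; names are illustrative.


def issue_csrf_token(session: dict) -> str:
    """Create the per-session anti-CSRF token once and return it.

    The application embeds this value in its own forms as a hidden field.
    A third-party page can make the victim's browser *send* a request that
    carries the victim's cookies, but the same-origin policy prevents it from
    *reading* the token out of the application's pages, so it cannot supply it.
    """
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def handle_transfer(session: dict, form: dict) -> str:
    """State-changing endpoint: accept only requests carrying the session's token."""
    if not session.get("user"):
        return "401 not authenticated"
    expected = session.get("csrf_token")
    submitted = str(form.get("csrf_token", ""))
    # Constant-time comparison so the token cannot be recovered via timing.
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return "403 CSRF check failed"
    return f"200 transferred {form['amount']} to {form['to']}"


def demo() -> tuple:
    # Victim is logged in; the application rendered a form containing the token.
    session = {"user": "victim"}
    token = issue_csrf_token(session)
    legit_form = {"to": "friend", "amount": "10", "csrf_token": token}
    # Forged request from an attacker's page: same cookies (so same session),
    # but the attacker never saw the token and has to guess or omit it.
    forged_form = {"to": "attacker", "amount": "1000", "csrf_token": "guess"}
    return handle_transfer(session, legit_form), handle_transfer(session, forged_form)


if __name__ == "__main__":
    print(demo())  # ('200 transferred 10 to friend', '403 CSRF check failed')
```

The token check is the primary control; marking the session cookie `SameSite=Lax` or `Strict` and rejecting requests whose `Origin` header does not match the site are complementary defences worth layering on top.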

Cross-site Scripting (XSS)
Cross-Site Scripting (XSS) is an attack that injects malicious script into content served by a trusted application or website, so that the script executes in victims' browsers with that site's privileges, typically to steal session data or act on the user's behalf.
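An added example, not code from the original page, showing why output encoding has to be context-aware: user data placed in the HTML body is neutralized by escaping, but data placed in an `href` also needs its URL scheme validated, because `javascript:` URLs contain no HTML metacharacters at all. The profile-rendering functions and the payloads are constructed for illustration.

```python
import html
from urllib.parse import urlparse

# Added example: rendering user-supplied profile data into HTML, vulnerable
# vs. context-aware output encoding. The payloads below are constructed.

SAFE_URL_SCHEMES = {"http", "https"}


def render_profile_vulnerable(name: str, website: str) -> str:
    # Vulnerable: raw interpolation. Markup in `name` is rendered as markup,
    # and `website` is placed in an href exactly as supplied.
    return f'<p>Hello, {name}! <a href="{website}">Your site</a></p>'


def safe_url(url: str) -> str:
    """Allow only http(s) URLs in an href; anything else becomes a harmless '#'.

    HTML-escaping alone does not help in this context: 'javascript:alert(1)'
    contains no HTML metacharacters, yet the browser would execute it on click.
    """
    scheme = urlparse(url.strip()).scheme.lower()
    return url if scheme in SAFE_URL_SCHEMES else "#"


def render_profile_safe(name: str, website: str) -> str:
    # Fixed: escape text for the HTML body context; validate, then escape, the
    # URL for the attribute context (quote=True also encodes " and ').
    safe_name = html.escape(name, quote=True)
    href = html.escape(safe_url(website), quote=True)
    return f'<p>Hello, {safe_name}! <a href="{href}">Your site</a></p>'


if __name__ == "__main__":
    name = '<img src=x onerror="alert(1)">'
    site = "javascript:alert(document.cookie)"
    print(render_profile_vulnerable(name, site))  # event handler and javascript: URL reach the browser
    print(render_profile_safe(name, site))        # &lt;img ...&gt; in the text, href="#" in the link
```

A templating engine with auto-escaping handles the body and attribute contexts for you, but scheme validation for URLs (and separate encoding for JavaScript or CSS contexts) is still the developer's job.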

Cryptography
Cryptography provides for secure communication in the presence of malicious third-parties—known as adversaries.

Ethical Hacking
Ethical hacking involves an authorized attempt to gain unauthorized access to a computer system, application, or data. Ethical hackers use their knowledge to secure and improve the technology of organizations. 

HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996 to improve the portability of health coverage and the efficiency of the U.S. healthcare system. Its Privacy and Security Rules set the requirements that covered entities and their business associates must meet to protect the confidentiality, integrity and availability of protected health information (PHI).

Internet of Things
The Internet of Things (IoT) exemplifies the trend of formerly standalone devices becoming connected (directly or indirectly) to the internet, which exposes their software and firmware to remote attack.

LDAP Injection
LDAP injection is a vulnerability in which LDAP queries (search filters or distinguished names) are built by concatenating untrusted input without validation or escaping, allowing an attacker to alter the query's structure, for example to bypass authentication or to read directory entries they should not see.
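An added example, written for this page and not taken from any library, of a search filter built from a username both ways: by raw concatenation and with RFC 4515 escaping of the filter metacharacters. No directory server is contacted; a small assertion counter makes the structural change in the vulnerable filter visible. The filter shape and the payload are constructed for illustration.

```python
import re

# Added example: building an LDAP search filter from user input, vulnerable
# vs. escaped. Runs stand-alone; no directory server is contacted.


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3).

    The characters that carry filter syntax, '*', '(', ')', '\\' and NUL, are
    replaced with a backslash and their two-digit hex code, so the value is
    matched as data and cannot change the filter's structure.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def search_filter_vulnerable(username: str) -> str:
    # Vulnerable: raw concatenation; filter metacharacters in the input are
    # interpreted by the server as part of the filter.
    return f"(&(objectClass=person)(uid={username}))"


def search_filter_safe(username: str) -> str:
    # Fixed: the value is escaped before it is placed in the filter.
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


def assertion_count(filt: str) -> int:
    """Count '(attribute=' assertions in a filter string.

    A rough structural probe used only to make the injection visible here;
    a real directory server parses the filter fully.
    """
    return len(re.findall(r"\(\w+=", filt))


if __name__ == "__main__":
    # Constructed payload: closes the intended assertion and appends new ones.
    payload = "*)(uid=*))(|(uid=*"
    print(search_filter_vulnerable(payload))
    # (&(objectClass=person)(uid=*)(uid=*))(|(uid=*))   -> 4 assertions, all wildcards
    print(search_filter_safe(payload))
    # (&(objectClass=person)(uid=\2a\29\28uid=\2a\29\29\28|\28uid=\2a))  -> still 2
```

Escaping is the minimum; where the input feeds a distinguished name rather than a filter, the escaping rules differ (RFC 4514), and an allowlist on the expected character set for a username is a cheap additional check.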

Mobile Application Security Testing
Mobile application security testing involves testing a mobile app in ways that a malicious user would try to attack it. Think of it as a pre-production check to ensure that security controls in an application work as expected, while safeguarding against implementation errors.

Network Security
Network security is the process of preventing unauthorized activity across a given networking infrastructure. The asymmetry is stark: an attacker has to succeed only once to compromise a network, while the team responsible for securing it has to get every control right every time.

Open Source Software
Open source software (OSS), also known as free and open source software (FOSS), is software whose source code is published under a license that permits anyone to use, modify, and redistribute it.

OWASP Top 10
The Open Web Application Security Project (OWASP) Top 10 is an awareness document for Web application security. The list represents a consensus among leading security experts regarding the greatest software risks for Web applications. 

Phishing
Phishing is a type of social engineering attack that deceives legitimate users, typically through e-mail, messages or look-alike websites, into disclosing credentials or taking actions, such as opening a malicious attachment, that compromise their systems.

Red Teaming
The purpose of conducting a red teaming assessment is to demonstrate how real-world attackers combine seemingly unrelated weaknesses, each minor on its own, into a chain that achieves a concrete objective.

Security Risk Assessment
A security risk assessment identifies the assets and threats relevant to an application, assesses the likelihood and impact of each risk, and prioritizes the security controls needed to address it. Carrying out a risk assessment allows an organization to view its application portfolio holistically, from an attacker's perspective.

Social Engineering
Social engineering is a psychological attack against a company or organization that exploits people's tendency to trust others in order to obtain information or access.

Software Architecture
The software architecture of a system depicts the system’s organization or structure, and provides an explanation of how it behaves.

Software Development Life Cycle
The Software Development Life Cycle (SDLC) is a framework that defines activities performed throughout the software development process.

SQL Injection
SQL injection is a major concern when developing Web applications. It occurs when the application accepts untrusted user input and embeds it directly in the text of a SQL statement sent to a backend database, allowing an attacker to change the statement's meaning.
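The same lookup written both ways, as an added example that is not part of the original page: the vulnerable version splices the input into the statement text, the fixed version passes it as a bound parameter. It runs against an in-memory SQLite database whose table and rows are constructed here for illustration.

```python
import sqlite3

# Added example: user lookup against an in-memory SQLite database, vulnerable
# string concatenation vs. a parameterized query. Rows are constructed.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com"),
                ("carol", "carol@example.com")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable: the input is spliced into the statement text, so a quote
    # character in it ends the string literal and the rest becomes SQL.
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Fixed: parameterized query. The statement text is constant; the driver
    # sends the value separately, so it can only ever be compared as a string.
    query = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    # Resulting text: SELECT ... WHERE name = '' OR '1'='1'  -> every row
    print(lookup_vulnerable(db, payload))
    print(lookup_safe(db, payload))        # []  (no user is literally named "' OR '1'='1")
    print(lookup_safe(db, "alice"))        # [('alice', 'alice@example.com')]
```

The same principle holds for every driver and ORM: keep the statement text constant and pass values through the placeholder mechanism; identifiers such as table or column names cannot be parameterized and must be checked against an allowlist instead.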

Vendor Risk Management
When an organization partners with a third party, confidential data is often shared with that vendor, and potentially passed on to further parties. For this reason, vendor risk management is an important security topic that firms should account for in a security initiative.

Vulnerability Assessment
Conducting vulnerability assessments helps organizations identify vulnerabilities in their software and supporting infrastructure before a compromise can take place.

Web Application Security
Web applications, like all software, inevitably contain defects. Some of these defects constitute actual vulnerabilities that can be exploited, introducing risk to the organization. Web application security aims to find and fix such defects before release and to limit the impact of those that remain.