In security, there is always a new term being thrown around, and it’s important to know what each one means for anyone involved in the spectrum of security management, from CISO to security team to development team. Without the common language, conversations around security could feel altogether foreign for different folks.
Say what you will about buzzwords and how overused they may be, but not knowing them may hold back your organization by not being on top of the industry jargon. If you’re currently building or working to secure applications at your organization, you really can’t get away without knowing the security buzzwords below.
Application Security: The main event. Application Security is defined as the measures and countermeasures an organization takes throughout the software development lifecycle (or SDLC, defined later) to prevent exploitable flaws and vulnerabilities from being exposed from within an application.
Application Security’s goal is to protect an organization’s critical data from external threats using a three-part strategy: to identify, fix, and prevent security vulnerabilities in software. The underlying idea of Application Security, often shortened to AppSec, also has three definitive elements:
Attack Surface: An application’s exposure, which includes all possible points of attack where unauthorized use or undiscovered entry could culminate in an exploit. A major part of an application security program is dedicated to reducing the attack surface in a number of ways, including security testing, defense in depth, and remediation of discovered vulnerabilities.
Go Deeper: OWASP’s Attack Surface Analysis Cheat Sheet
Authentication: The mechanism or process that verifies who is requesting entry into an application; answering your security questions in order to reset a password is also a form of authentication. Authentication is performed when a site requires usernames and strong passwords to log in and restricts different sections of the site to certain types of users. Password strength and storage requirements, how your application manages sessions, and the use of authentication protocols such as FIDO and OAuth all fall under the authentication umbrella.
Authorization: The process of authorization determines whether or not a specific user has the appropriate privileges to access specific resources. Once authentication is successful, i.e. a user has logged into a banking site, authorization must determine which areas of the application should be accessible to that specific user.
Go Deeper: Read OWASP’s Guide to Authorization
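The two steps described above, authentication (salted password hashing, no plaintext storage, constant-time comparison) followed by authorization (is this logged-in user allowed to see this account?), as an added example that is not from the original post. The user store, the usernames, the account ids and the minimum-length policy are all constructed for the illustration.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store standing in for the application's database:
# username -> {"salt", "hash", "accounts"}. No plaintext password is ever kept.
USERS = {}

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 with a high iteration count (slow by design)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest

def register(username, password, accounts):
    if len(password) < 12:                      # constructed password strength policy
        raise ValueError("password must be at least 12 characters")
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest, "accounts": set(accounts)}

def authenticate(username, password):
    """Authentication: is the caller who they claim to be?"""
    record = USERS.get(username)
    if record is None:
        hash_password(password, b"\x00" * 16)   # same cost for unknown users (timing)
        return False
    _, digest = hash_password(password, record["salt"])
    return hmac.compare_digest(digest, record["hash"])  # constant-time comparison

def authorize(username, account_id):
    """Authorization: may this authenticated user reach this particular account?"""
    record = USERS.get(username)
    return record is not None and account_id in record["accounts"]

def view_balance(username, password, account_id):
    """Authentication first, then authorization, before any data is returned."""
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not authorize(username, account_id):
        return "denied: not authorized for this account"
    return "balance for " + account_id        # constructed stand-in for real data

register("alice", "correct horse battery", {"acct-1001"})
```

Note that a valid password for alice still does not grant access to an account she does not own: passing authentication is not the same as being authorized.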
Buffer Overflow: One of OWASP’s Top 10 vulnerabilities, a buffer overflow occurs when more data is written to a block of memory than it can hold. By overwriting adjacent memory, the attack can change the application’s control flow. If successful, a buffer overflow allows the attacker to control, crash, or modify the process to their advantage.
Go Deeper in this Wikipedia article on Buffer Overflow Protection.
Continuous Integration (CI): A growing movement and a development practice requiring programmers to merge, or integrate, their code with the existing code repository multiple times a day. The main idea behind CI is to reduce the costs, time and issues related to the application build process by finding issues and fixing them as early as possible during development. Automated build management tools, such as build repositories, are heavily used in organizations deploying CI techniques.
Continuous Integration has exploded in popularity in the development world, and as such has created serious opportunities as well as an array of brand new threats in how security is integrated and embedded within an organization employing agile methods. By integrating security tools and processes into the CI SDLC, security activities can be carried out at the same pace, without burdening the speedy CI environment.
Go Deeper: Read All You Wanted to Know About Continuous Integration Security on the Checkmarx blog.
Chief Information Security Officer (CISO): The CISO is responsible for keeping an enterprise’s data and information assets secure, and for keeping the organization compliant with applicable regulations around securing information. While the CISO is a fairly new role in the enterprise landscape, it’s a quickly growing trend, with about 80% of organizations reporting a CISO or equivalent role in 2011, according to a PricewaterhouseCoopers survey, nearly double the figure from five years earlier, in 2006.
Go Deeper: Check out PWC’s Global State of Information Security Survey 2015
Client-Side Scripting: Code that is executed in the user’s browser rather than on the server. Benefits include unloading some of the burden on your application’s server resources and reducing your bandwidth, while hazards include various security issues arising from how different web browsers actually execute the scripts, including and especially Cross-Site Scripting.
Common Vulnerabilities and Exposures (CVE): The CVE, maintained by MITRE, is a dictionary of security vulnerabilities aiming to provide one common set of names for all known InfoSec issues. As opposed to vulnerability databases like the National Vulnerability Database or the Open Source Vulnerability Database, CVE only offers a short description of each vulnerability, with references for further reading. Its purpose is to link the databases to each other and offer a jumping-off point.
Go Deeper: Get all the answers you need on the CVEs FAQ.
Common Weakness Enumeration (CWE): A formal list of the most critical weaknesses found in software, targeted towards both developers and security professionals. Community developed and, like the CVE, maintained by MITRE, the CWE is meant to help set the standard for terminology around security weaknesses and to serve as a measuring stick for tools and teams working to find and fix those weaknesses.
Go Deeper: Get more answers on the CWE’s FAQ.
Dynamic Application Security Testing (DAST): Also known as black-box testing, DAST analyzes the application in its running state, both pre-production and during operation. Because DAST requires the code to be compiled, it can only take place at the latest stages of the build process. DAST tools can be great at finding vulnerabilities in an app’s live state, but fixing them at that stage can be costly in terms of time and money, so DAST is best used in conjunction with other testing tools, including SAST, RASP and WAF (all discussed later).
False Negative: An alert that should have happened but didn’t, most commonly in reference to security testing. The dangers of false negatives include a false sense of security, and the vulnerabilities that didn’t trigger an alarm go unmitigated.
False Positive: An alert where an expected or allowed behavior or action is flagged as malicious or insecure. The biggest danger of false positives is that they drown out actual, legitimate alerts when rules aren’t correctly set.
Internet of Things (IoT): The network of everyday physical devices which are virtually connected online and exchange data with each other, allowing for deeper integration between the physical and online worlds.
Dependent on the cloud, IoT has exploded in the last few years due to the rapid adoption of mobile devices and applications, as well as more cost-effective benefits the cloud provides for businesses with data to store and process.
While connected and embedded ‘things’ have been around for over 30 years, the companies producing Internet of Things devices (or devices with IoT components, like the recent Jeep hacking story) have really just begun to embrace the work necessary to ‘secure all the things.’
Go Deeper: Read the OWASP Top 10 for IoT, Explained for more on securing the IoT.
OWASP Top 10: A list of the riskiest and most dangerous application security vulnerabilities, managed by the Open Web Application Security Project (OWASP) and widely adopted and discussed by the AppSec community and the security industry at large.
The aim of the OWASP Top 10 is to raise awareness among organizations around the world about the potential risks of certain web application vulnerabilities and work towards getting more attention focused on application security. Targeted towards developers and security practitioners, the list is meant to guide those testing code on how to find and mitigate issues, and includes what risks they pose if left unfixed.
Penetration Testing: A form of manual security testing whose goal is to determine whether an application is susceptible to attack, and if so, which areas need to be fixed or hardened. Pen testers will often use automated tools to help them try to break into a system, much like the hackers they’re trying to mimic, but with the very important difference that pen testers are asked to do so.
Go Deeper: Read this article on Pentesting Best Practices
Runtime Application Self-Protection (RASP): An AppSec tool designed to protect an application in its running state, responding to suspicious activity by verifying that it is malicious and, if so, blocking it. RASP technologies, while fairly new to the industry, offer a major advantage over WAF solutions by ‘listening in’ to how data is being processed in critical areas of an application, allowing the application to be monitored in real time.
Go Deeper: RASP – A Must-Have Security Technology
Static Application Security Testing (SAST): Also called white-box testing, SAST analyzes application code for security vulnerabilities, reporting issues during development so that code can be fixed before release. SAST tools are able to integrate with moving parts throughout the development process, from the developer’s IDE (Integrated Development Environment) to tools used for build management and bug tracking, making it easier for security bugs to be treated more like quality bugs.
Software Development Life Cycle (SDLC): The SDLC consists of the specific phases within a development process during which software is planned, designed, tested and deployed. A Secure SDLC is a life cycle that embeds security processes and testing into each of its phases, which are typically divided into analysis and design, development, testing and implementation, and finally, deployment.
Fitting security activities into each area, while it can pose a challenge in setting up and ‘perfecting’, can pay off quickly due to the amount of time and money saved by building security into the application and fixing bugs as soon as they arise.
Go Deeper with this Business Case for Building Security into the SDLC
Server-Side Scripting: Code is executed on the server before the data is sent to the user’s browser, unlike client-side scripting, where the code is executed in the user’s browser itself. Server-side scripting mostly uses PHP, Java and C# to write code that executes on the server. A major application of server-side scripting is search engines, as well as most general page displays.
Go Deeper: For more on the differences between client-side and server-side, check out the top answer on a StackExchange question, which includes terrific examples of each.
SQL Injection (SQLi): A method of attacking websites by changing SQL statements through the manipulation of the application’s input. SQL injection vulnerabilities arise when input from a user isn’t properly filtered or sanitized and is still turned into part of an SQL statement.
As the number one risk on OWASP’s Top 10 of 2013, SQLi poses a major threat to organizations, both because of the data that an SQLi attack can expose and because of the attack’s simple nature. Proper mitigation, including whitelisting and sanitizing input, is highly recommended to deter SQLi attacks.
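The flaw and its mitigation side by side, as an added example that is not from the original post: a lookup that concatenates user input into the statement, the same lookup with a parameterized query (the driver binds the value, so it can only ever be data), and an allow-list check in front of it. The in-memory SQLite table, the rows and the hostile input string are all constructed for the illustration.

```python
import sqlite3

# Constructed in-memory database standing in for the application's real one.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?)",
                 [("alice", "alice@example.com"), ("bob", "bob@example.com")])

def find_user_vulnerable(name):
    """Statement built by string concatenation: the user's input becomes SQL."""
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()

def find_user_safe(name):
    """Parameterized query: the value is bound separately and never parsed as SQL."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?",
                        (name,)).fetchall()

def find_user_allowlisted(name):
    """Defense in depth: reject input that does not look like a username at all."""
    if not name.isalnum() or len(name) > 32:
        raise ValueError("invalid username")
    return find_user_safe(name)

# Constructed hostile input: a quote character followed by an always-true clause.
# Concatenated, it rewrites the WHERE clause; bound as a parameter, it is just a
# name that matches no row.
HOSTILE = "x' OR '1'='1"
```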
Vulnerability: Programmatic functions that handle critical data in an insecure way. They are holes that can let attackers in, who can then siphon out any data they discover while inside the application. Caused by insecure code, vulnerabilities pose major risks to organizations.
To keep vulnerabilities to a minimum, businesses need to ensure a secure development lifecycle for applications, including a healthy amount of security testing and security awareness for employees handling code.
Cross-Site Scripting (XSS): An injection attack, XSS occurs when a malicious client-side script is injected into a site that is otherwise trustworthy. Number two on the OWASP Top 10 2013, XSS vulnerabilities can be found in around 70% of web apps, and around 95% of those could be used for malicious drive-by attacks.
XSS attacks take advantage of the fact that the user’s browser doesn’t know which scripts are unsafe, allowing the malicious script access to sensitive information stored on the client side.
Go Deeper: Read the Ultimate Guide to XSS on our blog.
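The core mitigation for the XSS entry above, output encoding of untrusted input for the context it lands in, as an added example that is not from the original post: a page fragment that copies input straight into the HTML body beside the same fragment with encoding applied, plus the attribute context, where quotes must be encoded as well. The untrusted strings are constructed for the illustration.

```python
from html import escape

# Constructed untrusted inputs, e.g. a display name submitted through a form.
UNTRUSTED_TAG = '<script>alert("hi")</script>'
UNTRUSTED_QUOTES = 'Bob "the builder"'

def render_greeting_vulnerable(display_name):
    """Input copied into the HTML body as-is: the browser runs whatever it contains."""
    return "<p>Hello, " + display_name + "!</p>"

def render_greeting_safe(display_name):
    """Body context: <, >, & and quotes become entities, so the text is only text."""
    return "<p>Hello, " + escape(display_name) + "!</p>"

def render_input_safe(display_name):
    """Attribute context: quote=True also encodes quotes so the value cannot
    close the attribute and start a new one."""
    return '<input name="display_name" value="' + escape(display_name, quote=True) + '">'

def contains_raw_markup(rendered):
    """Detection helper: does any raw tag survive into the rendered output?"""
    return "<script" in rendered.lower() or "onerror=" in rendered.lower()
```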