Must Know Security Buzzwords For Application Builders and Defenders

Jul 24, 2015 By Sarah Vonnegut

In security there is always a new term being thrown around, and anyone involved in the spectrum of security management, from the CISO to the security team to the development team, needs to know what each one means. Without a common language, conversations about security can feel altogether foreign to the different groups involved.

 

Say what you will about buzzwords and how overused they may be, but not knowing them can hold your organization back by leaving you out of the industry conversation. If you’re currently building or working to secure applications at your organization, you really can’t get away without knowing the security buzzwords below.

Application Security

The main event. Application Security is the set of measures and countermeasures an organization takes, throughout the software development lifecycle (or SDLC, defined later), to prevent exploitable flaws and vulnerabilities from being built into an application or remaining in it once it ships.

 

Application Security’s goal is to protect an organization’s critical data from external threats using a three-part strategy: identify, fix and prevent security vulnerabilities in software. The underlying idea of Application Security, often shortened to AppSec, also has three definitive elements:

  1. Reduce attack surface and minimize risk throughout the SDLC and in existing applications
  2. Prevent new risks being introduced into the software
  3. Ensure compliance with any applicable regulations and standards

 

Go Deeper: Andrew Case, @attrc, has compiled a fantastic list of recommended reading for AppSec and other areas in InfoSec.

 

Attack Surface

An application’s exposure: the sum of all the points where an attacker can interact with it or feed it data, such as network endpoints, form fields and parameters, file and message parsers, and third-party integrations, any of which could be the path to an exploit. A major part of an application security program is dedicated to reducing and defending the attack surface, by removing or restricting entry points that are not needed, applying defense in depth around those that remain, and finding and remediating the vulnerabilities in them through security testing.

 

Go Deeper: OWASP’s Attack Surface Analysis Cheat Sheet

 

Authentication

The process of verifying that a user is who they claim to be before granting entry to an application, including the cases where they prove their identity another way, such as answering security questions to reset a password. Requiring a username and a strong password to log in to a site is the most familiar form. Password strength and storage requirements (salted, deliberately slow hashes rather than plaintext or a plain MD5), how your application manages sessions, and the use of authentication standards such as FIDO and OpenID Connect (the identity layer built on OAuth, which by itself is a delegation protocol rather than an authentication one) all fall under the authentication umbrella. Restricting sections of a site to certain types of users is the next step, authorization.

 

Authorization

Authorization determines whether a specific, already-authenticated user has the privileges needed to access a specific resource or perform a specific action. Once authentication succeeds, i.e. a user has logged into a banking site, the authorization logic must decide which accounts and which areas of the application that particular user may reach, and it must make that decision on the server side for every request, not just once at login.
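As an added illustration of the difference between the two checks (example code written for this glossary, not Checkmarx’s or any product’s code): the user store, account table, passwords and PBKDF2 iteration count below are all constructed assumptions. Alice can log in, but logging in does not let her see Bob’s account; the teller role can.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store for this example: username -> (salt, hash, role).
# A real application would keep this in a database, authenticate once, and then
# carry the identity in a server-side session instead of re-checking the
# password on every request as view_account() does here.
_USERS = {}

# Constructed account ownership table: account id -> owning username.
_ACCOUNTS = {"acct-100": "alice", "acct-200": "bob"}

# Iteration count is an assumption for the example; tune it to your hardware.
_PBKDF2_ROUNDS = 100_000


def _hash_password(password, salt):
    """Slow, salted password hash (PBKDF2-HMAC-SHA256): never store plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _PBKDF2_ROUNDS)


def register(username, password, role="customer"):
    salt = os.urandom(16)  # a per-user random salt defeats precomputed tables
    _USERS[username] = (salt, _hash_password(password, salt), role)


def authenticate(username, password):
    """Authentication: is the caller who they claim to be?"""
    record = _USERS.get(username)
    if record is None:
        # Hash anyway so an unknown username costs the same time as a wrong password.
        _hash_password(password, b"\x00" * 16)
        return False
    salt, stored_hash, _role = record
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(stored_hash, _hash_password(password, salt))


def authorize_view(username, account_id):
    """Authorization: may this (already authenticated) user see this account?"""
    owner = _ACCOUNTS.get(account_id)
    record = _USERS.get(username)
    if owner is None or record is None:
        return False
    role = record[2]
    # Tellers may view any account; customers only their own.
    return role == "teller" or owner == username


def view_account(username, password, account_id):
    """Both checks, in order: a valid login does not by itself grant access."""
    if not authenticate(username, password):
        return "login failed"
    if not authorize_view(username, account_id):
        return "forbidden"
    return "balance for " + account_id


# Constructed sample users.
register("alice", "correct horse battery staple")
register("bob", "hunter2")
register("carol", "teller-pass", role="teller")

if __name__ == "__main__":
    print(view_account("alice", "correct horse battery staple", "acct-100"))  # balance for acct-100
    print(view_account("alice", "correct horse battery staple", "acct-200"))  # forbidden
    print(view_account("alice", "wrong", "acct-100"))                         # login failed
    print(view_account("carol", "teller-pass", "acct-200"))                   # balance for acct-200
```

The second call is the one that matters: Alice is fully authenticated, yet the request is refused because the ownership check runs on the server for each account she asks for. Skipping that second check, or performing it only in client-side code, is the classic “insecure direct object reference” mistake.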

 

Go Deeper: Read OWASP’s Guide to Authorization

 

Buffer Overflow

A classic memory-safety flaw (CWE-120, one of the CWE/SANS Top 25, though not an entry on the web-focused OWASP Top 10), a buffer overflow occurs when more data is written to a block of memory than it can hold, so that the excess overwrites whatever sits next to it. An attacker who controls that data can corrupt adjacent variables, return addresses or function pointers and thereby change the application’s control flow. If successful, a buffer overflow lets the attacker crash the process, modify its behavior, or take control of it and run code of their choosing.

 

Go Deeper in this Wikipedia article on Buffer Overflow Protection.

 

Continuous Integration Security

Continuous Integration (CI) is a development practice in which programmers merge, or integrate, their code into the shared repository several times a day, with each merge triggering an automated build and test run. The main idea behind CI is to reduce the cost, time and friction of the application build process by finding issues and fixing them as soon as possible during development. Automated build servers and artifact repositories are heavily used in organizations practicing CI.

 

Continuous Integration has exploded in popularity in the development world, and with it come both an opportunity and an array of new threats for how security is integrated and embedded in an organization employing agile methods: the build pipeline and its credentials become part of the attack surface, but the pipeline is also the natural place to run security checks on every change. By integrating security tools and processes (static analysis, dependency checks, security unit tests) into the CI pipeline, security activities can be carried out at the same pace as development and without burdening the speedy CI environment.

 

Go Deeper: Read All You Wanted to Know About Continuous Integration Security on the Checkmarx blog.

 

CISO – Chief Information Security Officer

The CISO is responsible for keeping an enterprise’s data and information assets secure, and for keeping the organization compliant with the regulations that apply to securing information. While the CISO is a fairly new role in the enterprise landscape, it is a quickly growing one: about 80% of organizations reported having a CISO or equivalent role in 2011, according to a PricewaterhouseCoopers (PwC) survey, nearly double the figure from five years earlier, in 2006.

 

Go Deeper: Check out PWC’s Global State of Information Security Survey 2015

 

Client-Side Scripting

Web application code that is delivered to, and executed in, the client’s (that is, the user’s) browser rather than on the server. These embedded scripts, written primarily in JavaScript, extend the functionality and flexibility of HTML and are mainly used for interactive elements in an application: hiding or showing parts of a page to different users, mouse-over effects and animations.

 

Benefits include offloading some of the burden from your application’s server resources and reducing bandwidth. The hazards follow from the fact that the client is entirely under the user’s control: any check performed only in client-side script (input validation, hiding an admin menu) can be bypassed and must be repeated on the server, and any untrusted data written into the page or into the script without proper encoding leads to Cross-Site Scripting.

 

Go Deeper: Checkmarx CTO Maty Siman speaks on the Security Storms Brewing in Your (Client-Side) JavaScript in this video from OWASP AppSec EU 2014.

 

CVE – Common Vulnerabilities & Exposures

CVE, maintained by MITRE, is a dictionary of publicly known security vulnerabilities that aims to give every such issue one common identifier (of the form CVE-year-number) so that tools, advisories and databases all refer to the same flaw by the same name. Unlike vulnerability databases such as the National Vulnerability Database (NVD) or the Open Source Vulnerability Database (OSVDB), a CVE entry carries only a short description of each vulnerability plus references for further reading. Its purpose is to link the databases to each other and offer a jumping-off point rather than a full analysis.

 

Go Deeper: Get all the answers you need on the CVEs FAQ.

 

CWE – Common Weakness Enumeration

A community-developed catalogue of the types of weaknesses found in software, that is, the flaw categories that give rise to individual vulnerabilities (for example CWE-89, improper neutralization of special elements used in an SQL command), targeted at both developers and security professionals. Like CVE, it is maintained by MITRE. The CWE is meant to set the standard for terminology around security weaknesses and to serve as a measuring stick for tools and teams working to find and fix them; the CWE/SANS Top 25 is the derived list of the most dangerous weakness types.

 

Go Deeper: Get more answers on the CWE’s FAQ.

 

DAST – Dynamic Application Security Testing

Also known as black-box testing, DAST analyzes the application in its running state, sending it requests and inspecting the responses the way an attacker would, both in pre-production environments and in operation. Because DAST needs a deployed, running application rather than source code, it can only take place in the later stages of the build process. DAST tools can be great at finding vulnerabilities in an app’s live state, but by that point fixing them is costly in time and money, so DAST is best used in conjunction with other testing tools and controls, including SAST and RASP (both discussed later) and a web application firewall (WAF).

 

False Negative

An alert that should have fired but didn’t, most commonly in reference to security testing: the scanner reports a clean result for code or a deployment that actually contains a vulnerability. The dangers of false negatives include a false sense of security, as well as the fact that vulnerabilities that didn’t trigger an alarm go unmitigated.

 

False Positive

An alert in which expected or allowed behavior is flagged as malicious or insecure. The biggest danger of false positives is that, when rules aren’t correctly tuned, they drown out the real alerts and train people to ignore the tool.
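An added example (not from the original post) that makes both failure modes concrete: two detection rules for SQL-injection-looking input are scored against a constructed, labelled set of inputs. The samples and both rules are assumptions made for illustration, not any product’s real signatures.

```python
import re

# Constructed, labelled sample inputs: (value, is_attack).
SAMPLES = [
    ("alice", False),
    ("O'Reilly", False),                      # legitimate apostrophe in a name
    ("Select your favorite color", False),    # ordinary text containing a SQL keyword
    ("' OR '1'='1", True),                    # classic login bypass
    ("admin'--", True),                       # comment out the rest of the query
    ("1; DROP TABLE users--", True),          # stacked query, no quote needed
    ("1 OR 1=1", True),                       # numeric context, no quote, no comment
]


def naive_rule(value):
    """Overly broad rule: any quote character or the word 'select' is an attack."""
    lowered = value.lower()
    return "'" in lowered or "select" in lowered


# Narrower rule keyed on SQL syntax rather than on single characters or words.
_TUNED = re.compile(r"'\s*(or|and)\s*'|--|;\s*(drop|delete|insert|update)\b",
                    re.IGNORECASE)


def tuned_rule(value):
    return _TUNED.search(value) is not None


def evaluate(rule, samples):
    """Count true/false positives and negatives for a rule over labelled samples."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for value, is_attack in samples:
        flagged = rule(value)
        if flagged and is_attack:
            counts["tp"] += 1        # attack caught
        elif flagged and not is_attack:
            counts["fp"] += 1        # false positive: benign input flagged
        elif not flagged and is_attack:
            counts["fn"] += 1        # false negative: attack missed
        else:
            counts["tn"] += 1        # benign input correctly ignored
    return counts


if __name__ == "__main__":
    print("naive:", evaluate(naive_rule, SAMPLES))   # 2 false positives, 2 false negatives
    print("tuned:", evaluate(tuned_rule, SAMPLES))   # no false positives, 1 false negative
```

The naive rule flags a surname and a sentence while still missing two real attacks, which is the worst of both worlds. Tuning removes the false positives, but the numeric-context payload is still a false negative: detection rules lower the noise, they do not replace fixing the code (parameterized queries, see SQL Injection below).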

 

Go Deeper with this Help Net Security article.

 

Internet of Things (IoT)

The network of everyday physical devices which are virtually connected online and exchange data between each other, allowing for deeper integration between the physical and online worlds.

 

Built on cloud back ends, IoT has exploded in the last few years thanks to the rapid adoption of mobile devices and applications, and to the cost advantages the cloud offers businesses with data to store and process.

 

While connected and embedded ‘things’ have been around for over 30 years, the companies producing Internet of Things devices (or products with IoT components, like the vehicle in the recent Jeep hacking story) have only just begun the work necessary to ‘secure all the things.’

 

Go Deeper: Read the OWASP Top 10 for IoT, Explained for more on securing the IoT.

 

OWASP Top 10

A list of the most critical web application security risks, managed by the Open Web Application Security Project (OWASP) and widely adopted and discussed by the AppSec community and the security industry at large.

 

The aim of the OWASP Top 10 is to raise awareness among organizations around the world of the risks posed by certain web application vulnerabilities, and to focus more attention on application security. Targeted at developers and security practitioners, the list describes each risk, how to find and mitigate it, and what impact it has if left unfixed.

 

Go Deeper: Once you’ve read through the list, check out their awesome Cheat Sheet to help guide you through testing.

 

Pen Testing, or Penetration Testing

A form of security testing, largely manual, whose goal is to determine whether an application is susceptible to attack and, if so, which areas need to be fixed or hardened. Pen testers often use automated tools to help them try to break into a system, much like the attackers they mimic, with the very important difference that pen testers are authorized to do so, within an agreed scope and set of rules.

 

Go Deeper: Read this article on Pentesting Best Practices

 

RASP, or Runtime Application Self-Protection

An AppSec technology designed to protect an application in its running state: it instruments the application itself, observes suspicious activity, verifies that it is in fact malicious and, if so, blocks it. RASP technologies, while fairly new to the industry, offer a major advantage over WAF solutions by ‘listening in’ to how data is actually processed in critical areas of the application (database calls, file access, command execution) rather than inspecting traffic from the outside, which lets an application using RASP monitor and stop attacks against itself in real time.

 

Go Deeper: RASP – A Must-Have Security Technology

 

SAST, or Static Application Security Testing

Also called white-box testing, SAST analyzes application source code (or bytecode) for security vulnerabilities without running it, reporting issues during development so that the code can be fixed before release. SAST tools can integrate with tooling throughout the development process, from the developer’s IDE (Integrated Development Environment) to build management and bug tracking systems, making it easier for security bugs to be treated like any other quality bug.
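To show the kind of check a SAST tool performs, here is an added, deliberately minimal static analyzer (written for this glossary, not CxSAST or any other product’s code). It parses Python source into an abstract syntax tree and flags database execute() calls whose query text is assembled by string formatting or concatenation, the pattern behind SQL injection. The source it scans is constructed for the example.

```python
import ast


class SqlConcatFinder(ast.NodeVisitor):
    """Flags .execute()/.executemany() calls whose first argument is built
    dynamically (f-string, %-formatting, str.format or + concatenation)
    instead of being a fixed statement with separately bound parameters."""

    def __init__(self):
        self.findings = []   # (line number, how the query was built)

    def visit_Call(self, node):
        func = node.func
        if (isinstance(func, ast.Attribute)
                and func.attr in ("execute", "executemany")
                and node.args):
            how = self._dynamic_kind(node.args[0])
            if how is not None:
                self.findings.append((node.lineno, how))
        self.generic_visit(node)   # keep walking into nested calls

    @staticmethod
    def _dynamic_kind(expr):
        if isinstance(expr, ast.JoinedStr):
            return "f-string"
        if isinstance(expr, ast.BinOp) and isinstance(expr.op, ast.Mod):
            return "%-formatting"
        if isinstance(expr, ast.BinOp) and isinstance(expr.op, ast.Add):
            return "concatenation"
        if (isinstance(expr, ast.Call) and isinstance(expr.func, ast.Attribute)
                and expr.func.attr == "format"):
            return "str.format"
        return None


def scan_source(source):
    """Return the findings for one Python source file, sorted by line."""
    finder = SqlConcatFinder()
    finder.visit(ast.parse(source))
    return sorted(finder.findings)


# Constructed source under test: four injectable queries and one safe one.
SAMPLE_SOURCE = '''
def find_user(cur, name):
    cur.execute("SELECT id FROM users WHERE name = '%s'" % name)
    cur.execute(f"SELECT id FROM users WHERE name = '{name}'")
    cur.execute("SELECT id FROM users WHERE name = '" + name + "'")
    cur.execute("SELECT id FROM users WHERE name = '{}'".format(name))
    cur.execute("SELECT id FROM users WHERE name = ?", (name,))
'''

if __name__ == "__main__":
    for lineno, how in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: SQL statement built by {how}")
```

The parameterized query on the last line of the sample is not reported. The limitation is just as instructive: this pattern check has no data-flow analysis, so a query string assembled on one line and passed to execute() on another would be missed, which is exactly the gap that commercial SAST closes with taint tracking from input sources to dangerous sinks.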

 

Secure SDLC, or sSDLC

The SDLC comprises the specific phases of a development process during which software is planned, designed, built, tested and deployed. A Secure SDLC is a life cycle that embeds security processes and testing into each of those phases, which are typically divided into analysis and design, development, testing and implementation, and finally deployment.

 

Fitting security activities into each area, while it can pose a challenge in setting up and ‘perfecting’, can pay off quickly due to the amount of time and money saved by building security into the application and fixing bugs as soon as they arise.

 

Go Deeper with this Business Case for Building Security into the SDLC

 

Server-Side Scripting

Code that runs on the server before the resulting page or data is sent to the user’s browser, unlike client-side scripting, where the code runs in the user’s browser itself. Server-side code is written in languages such as PHP, Java and C#, as well as Python, Ruby and JavaScript (Node.js). Anything that must not be left to the client belongs here: database access, session handling, authentication and authorization checks, and the assembly of most page content, including search results.

Go Deeper: For more on the differences between client-side and server-side, check out the top answer on a StackExchange question, which includes terrific examples of each. 

 

SQL Injection, or SQLi

A method of attacking an application by altering the SQL statements it sends to its database through manipulation of the application’s input. SQL injection vulnerabilities arise when input from a user is pasted into an SQL statement as text, so that the input can change the structure of the query instead of merely supplying a value.

As the number one risk on OWASP’s Top 10 of 2013, SQLi poses a major threat to organizations, both because of the data that can be read, altered or destroyed through an attack and because of the attack’s simple nature. The primary mitigation is to use parameterized queries (prepared statements) so that input is always bound as a value and never interpreted as SQL; whitelisting and validating input are valuable additional layers, not a substitute.
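An added example, not from the original post, using Python’s built-in sqlite3 module and a constructed in-memory users table: the same login query built by string formatting and as a parameterized statement, plus a ‘sanitized’ lookup that strips quotes and still falls to injection in a numeric context.

```python
import sqlite3


def make_db():
    """Constructed in-memory database with two users. Passwords are stored in
    plaintext only to keep the example short; never do that in real code."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "customer"), ("bob", "hunter2", "admin")],
    )
    return conn


def login_vulnerable(conn, name, password):
    """Input spliced into the SQL text: a quote in the input ends the string
    literal and everything after it is parsed as SQL."""
    sql = ("SELECT name, role FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return conn.execute(sql).fetchall()


def login_safe(conn, name, password):
    """Parameterized query: the driver binds the values separately, so the
    statement's structure is fixed no matter what the input contains."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


def lookup_sanitized(conn, user_id):
    """Why filtering is not enough: stripping quotes does nothing in a numeric
    context, where no quote is needed to inject."""
    cleaned = str(user_id).replace("'", "")
    sql = "SELECT name FROM users WHERE rowid = %s" % cleaned
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    return conn.execute("SELECT name FROM users WHERE rowid = ?", (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Password "' OR '1'='1" turns the WHERE clause into
    #   name = 'alice' AND password = '' OR '1'='1'   -> every row matches.
    print(login_vulnerable(db, "alice", "' OR '1'='1"))
    # Username "bob'--" comments out the password check entirely.
    print(login_vulnerable(db, "bob'--", "anything"))
    # The same inputs bound as parameters match nothing.
    print(login_safe(db, "alice", "' OR '1'='1"))
    # Quote stripping is bypassed with no quote at all.
    print(lookup_sanitized(db, "1 OR 1=1"))
    print(lookup_safe(db, "1 OR 1=1"))
```

The two vulnerable functions differ only in where the attacker’s text lands; in both the fix is identical and mechanical, which is why parameterization is the default recommendation and input filtering is the backup.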

 

Go Deeper: Read Troy Hunt’s Everything You Wanted To Know About SQL Injection

 

Vulnerability

A weakness in an application’s code, design or configuration that an attacker can exploit to violate its security: to read or alter data they should not reach, to run their own code, or to deny service to others. Vulnerabilities are holes that can let attackers in, who can then siphon out any data they discover inside the application. Caused by insecure code and design, vulnerabilities pose major risks to organizations.

 

To keep vulnerabilities to a minimum, businesses need to ensure a secure development lifecycle for applications, including a healthy amount of security testing and security awareness for employees handling code.

 

XSS, Cross-Site Scripting

An injection attack, XSS occurs when a malicious client-side script is injected into a site that is otherwise trustworthy, so that it runs in victims’ browsers with that site’s privileges. Number two on the OWASP Top 10 of 2013, XSS vulnerabilities can be found in around 70% of web apps, and around 95% of those could be used for malicious drive-by attacks.

 

XSS attacks take advantage of the fact that the browser cannot tell an injected script from the site’s own: whatever ends up in the page runs under the site’s origin. The malicious script can therefore read sensitive information stored on the client side (cookies, session tokens, page content), perform actions as the logged-in user, or send them elsewhere. The defense is to encode untrusted data for the exact context it is written into, since an HTML body, an attribute and a script block each have different rules.
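An added example (not code from the original post): the same untrusted search term rendered unsafely, then correctly for three different output contexts, using only Python’s standard library. The payloads are constructed attacker input; the page fragments are assumptions for illustration.

```python
import html
import json


def render_vulnerable(search_term):
    """Untrusted input written straight into HTML: markup in the input becomes
    part of the page and any <script> it carries runs as the site's own."""
    return "<p>Results for: " + search_term + "</p>"


def render_safe(search_term):
    """HTML body context: escape <, >, & and quotes so the input stays text."""
    return "<p>Results for: " + html.escape(search_term, quote=True) + "</p>"


def render_attribute_safe(value):
    """Attribute context: escaping is sufficient only because the attribute value
    is quoted; an unquoted attribute could be broken out of with a space."""
    return '<input name="q" value="' + html.escape(value, quote=True) + '">'


def render_script_safe(value):
    """JavaScript context: html.escape is the wrong tool here. Serialize the value
    as a JSON string literal (quotes and backslashes escaped) and neutralize '</'
    so the payload cannot close the <script> element early."""
    literal = json.dumps(value).replace("</", "<\\/")
    return "<script>var q = " + literal + ";</script>"


# Constructed attacker inputs, one per context.
BODY_PAYLOAD = "<script>alert(document.cookie)</script>"
ATTR_PAYLOAD = '" onmouseover="alert(1)'
SCRIPT_PAYLOAD = "</script><script>alert(1)</script>"

if __name__ == "__main__":
    print(render_vulnerable(BODY_PAYLOAD))      # script tag lands in the page as-is
    print(render_safe(BODY_PAYLOAD))            # &lt;script&gt;... shown as text
    print(render_attribute_safe(ATTR_PAYLOAD))  # &quot; keeps the value inside the attribute
    print(render_script_safe(SCRIPT_PAYLOAD))   # <\/script> cannot end the script block
```

The point of the third and fourth functions is that there is no single ‘sanitize’ step: the HTML escaper that protects the body is useless inside a script block, and in a script block a JSON encoder is not enough on its own because the HTML parser ends the element at the first `</script` it sees regardless of JavaScript string syntax.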

 

Go Deeper: Read the Ultimate Guide to XSS on our blog.

 

What other AppSec Buzzwords do you use? Comment below!

Sarah is in charge of social media and an editor and writer for the content team at Checkmarx. Her team sheds light on lesser-known AppSec issues and strives to launch content that will inspire, excite and teach security professionals about staying ahead of the hackers in an increasingly insecure world.

