Application Security Glossary

CNI

Container Network Interface, an open source project hosted by the CNCF that provides a specification and libraries for configuring network interfaces in Linux containers.

Codebashing

Codebashing is Checkmarx’s in-context eLearning platform that sharpens the skills developers need to fix vulnerabilities and write secure code. Expanding on the “learn by doing” concept, Codebashing teaches developers the principles of secure coding and helps them sharpen their application security skills in the most efficient way. It is offered as Software as a Service (SaaS).

Container

A container is a standard unit of software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another.

Correlation

Correlation, or a correlation engine, is an engine that takes the findings of several other engines (SAST, KICS, SCA, etc.) and correlates them in order to discover things that no single engine can find on its own. For example, correlating an IaC scan with a SAST scan adds context to the SAST finding, which may then be marked as “not exploitable”.

Cross-Site Request Forgery (CSRF) attacks

How CSRF affects companies

Cross-Site Request Forgery (CSRF) is a vulnerability in web applications that is exploited when the application accepts a forged request it would normally reject. The web application is tricked into believing that a specific user has submitted the request after authenticating with the website, when in reality the authentication is forged. Once the vulnerability has been successfully exploited, the attacker can invoke specific functions of the web application as that user.
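To make the definition concrete, here is an added example (not part of the glossary or of any Checkmarx product) that contrasts a state-changing handler which trusts the session cookie alone with one hardened by the synchronizer-token pattern and an Origin check; the session store, request shape and the `ALLOWED_ORIGIN` value are assumptions made up for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumed deployment origin of the legitimate site (constructed for this example).
ALLOWED_ORIGIN = "https://app.example"


@dataclass
class Session:
    user: str
    # Per-session secret; only a page rendered by our site can put it in a form.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    cookie_session_id: str       # browsers attach cookies to cross-site requests too
    origin: Optional[str]        # Origin header is set by the browser, not page script
    form: Dict[str, str]         # POST body fields


SESSIONS: Dict[str, Session] = {}  # constructed in-memory session store


def login(user: str) -> str:
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session(user=user)
    return sid


def csrf_token_for(sid: str) -> str:
    """What the legitimate form page would embed in a hidden field."""
    return SESSIONS[sid].csrf_token


def transfer_vulnerable(req: Request) -> str:
    """Trusts the cookie alone, so a forged cross-site POST is accepted."""
    session = SESSIONS.get(req.cookie_session_id)
    if session is None:
        return "rejected: not logged in"
    return f"transferred {req.form['amount']} from {session.user}"


def transfer_hardened(req: Request) -> str:
    """Rejects forged requests: wrong Origin, or no valid per-session token."""
    session = SESSIONS.get(req.cookie_session_id)
    if session is None:
        return "rejected: not logged in"
    if req.origin is not None and req.origin != ALLOWED_ORIGIN:
        return "rejected: cross-site origin"
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), session.csrf_token.encode()):
        return "rejected: missing or invalid CSRF token"
    return f"transferred {req.form['amount']} from {session.user}"
```

The Origin check alone is not enough, since some clients omit the header, which is why the token check still runs when Origin is absent.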

Cross-Site Scripting (XSS) Attacks

Cross-Site scripting defined

Cross-Site Scripting, also known as XSS, is the most common application vulnerability exploit found in web applications today. In an XSS attack, injected code is executed in the unsuspecting user’s web browser by manipulating the page’s HTML and scripts such as JavaScript. A successful XSS exploit results in scripts being embedded into a web page. These scripts are executed every time a user visits the page or whenever a specific action is performed. Here are some points to remember about XSS:

  • XSS is a vulnerability that is exploited by injecting script into applications.
  • The victim is the user who unknowingly visits a page or performs an action that triggers the exploit.
  • The exploit is most commonly triggered via JavaScript.

CVE

What is CVE?

CVE, which stands for Common Vulnerabilities and Exposures, is an encyclopedia of unique, publicly known security vulnerabilities and exposures maintained by the MITRE Corporation. The database, which was launched in 1999, is free and available for public use. In the CVE, a vulnerability is a mistake in the software which could be used by a hacker to infiltrate the application or network, while an exposure is a mistake that could be used as part of the process of gaining access to an app or network.

CVS Static Code Analysis

CVS (Concurrent Versions System) is a system for managing source code within a development team. It allows for collaborative development by providing a means of tracking each change made to the source code over any period of time. CVS was one of the first pieces of software to support this functionality; today it is generally found in older operating environments, as more powerful tools are now available on the market. CVS itself does not perform static code analysis, so external static code analysis solutions that integrate with CVS and pull sources from it should be used.

CWE

The Common Weakness Enumeration Specification, shortened as CWE, is a formal list of common, real-world software weaknesses that offers one common language to all the different entities developing and securing software. CWE’s ultimate goal is to help the security testing industry mature its application security programs and the security testing of its projects.

The CWE uses one common language to describe the causes of security vulnerabilities found in software and applications. It is a community project, contributed to and designed by developers and software engineers from around the world.

CWE focuses on several areas of software development for enterprise-level entities. One area is software assurance, where resources are dedicated to ensuring that the software supply chain is protected from vulnerabilities. This involves incrementally improving software assurance approaches so as to reduce risk and the chance of new code being exposed to known problems.

Cybersecurity

Cybersecurity can be defined as the body of processes, practices, safeguards, and technologies an organization uses to protect and defend its information systems. Along with protecting information systems, cybersecurity is also concerned with protecting software and hardware against attack.