Active Scan – a scanning method in which a vulnerability scanner actively sends requests to a running application with the intent of exposing and identifying vulnerabilities.
Application Security Testing (AST) – the process of identifying security flaws in an application’s source code throughout the software development lifecycle.
Attack Surface – all the different points at which an attacker can attempt to penetrate a software application.
Attack Vector – the channel by which an attacker can enter a software application to perform malicious tasks.
Authentication – the process of confirming that security credentials match those already in the system.
Authorization – the process of providing permission to users to access a software application or certain areas of that application.
Black-box Testing – a type of application security testing that analyzes the software from the outside looking in.
Buffer Overflow – occurs when more data is written to a temporary data storage area (known as a buffer) than it can hold, so that the excess overwrites neighboring memory locations.
Common Vulnerabilities and Exposures (CVE®) – a free public resource of publicly known information security vulnerabilities and exposures maintained by MITRE Corporation.
Common Weakness Enumeration (CWE™) – a free, community-developed resource of software weaknesses maintained by MITRE Corporation.
Cross-Site Request Forgery (CSRF) – one of the OWASP Top 10 software vulnerabilities, in which an authorized user of a web application is tricked into unknowingly sending a request that performs an unwanted action on that application.
Cross-Site Scripting (XSS) – an OWASP Top 10 software vulnerability in which attackers are able to inject malicious content into web-based applications.
Data Breach – an incident in which protected data has been accessed by an unauthorized party.
Dependency Checking – the process of scanning applications and their dependent libraries to determine if there are any known vulnerabilities.
Dynamic Application Security Testing (DAST) – also known as black-box testing; the testing tools conduct their analysis in real time while the application is running.
Encryption – the process of converting electronic data into a different format where you need a secret key or password to decipher it.
Exploit – a weakness in a software application’s code that can expose it to potential attacks.
Fuzz Testing – an application security testing process that injects vast amounts of random data into an application aimed at uncovering errors and security gaps.
Hard-coded Passwords – passwords embedded directly in the source code of an application, which therefore “cannot be changed without patching the software.”
Hybrid Application Security Testing (HAST) – an application security testing methodology that combines the strengths of both static and dynamic application security testing and performs a behavioral assessment of the application.
Manual Code Review – the analysis of an application’s source code done to identify potential vulnerabilities.
Open Source Software – software developed by an open community that can be used, modified or enhanced by anyone.
OWASP – the Open Web Application Security Project, a non-profit that helps organizations develop, purchase and maintain secure software applications.
Passive Scan – a method of detecting vulnerabilities in which the scanner passively monitors the responses of a running application rather than sending its own requests.
Penetration Testing – popularly referred to as pentesting; a testing approach that proactively runs ethical attacks against an application in an effort to identify security weaknesses and to validate defense mechanisms.
Software Assurance (SwA) – the level of certainty that an application is free of potential vulnerabilities and works in the way in which it was designed.
Software Development Lifecycle (SDLC) – the process of developing a software application from the initial planning and development through to the testing, deploying and ongoing maintenance.
Software Supply Chain – the process of integrating proprietary and third-party code to develop a software application.
Software Vulnerability Management Systems – solutions that provide the ability to manage the software security testing process from finding and prioritizing to fixing and mitigating vulnerabilities.
Source Code Analysis (SCA) – the automated process of testing source code to identify weaknesses before it is put into production.
SQL Injection – a class of software vulnerabilities where malicious SQL queries are injected via malformed user input.
Static Application Security Testing (SAST) – also known as white-box testing, this testing methodology analyzes the application source, byte or binary code for weaknesses during the programming or testing phases of the software development lifecycle.
Threat Modeling – a structured approach that identifies, quantifies and addresses security risk from the potential attacker’s point of view.
Vulnerability – a weakness in an application, whether a defect in the design or a bug in the implementation, that enables an attacker to act maliciously.
Vulnerability Data Flow – the flow of data for a vulnerability from source to sink detailing how a vulnerability is exposed.
Vulnerability Scanner – an automated program used to analyze source code to identify weaknesses in an application.
Weakness – a flaw or glitch in a software application.
White-box Testing – an application security testing method that is focused on testing the internal aspects of an application.
Zero Day Vulnerability – a weakness in a software application that goes undiscovered or uncorrected and is then exploited by malicious attackers before it is detected and can be fixed by the vendor.