Application security
Terms related to application security, including procedural definitions for preventing software vulnerabilities and words and phrases about secure code development.NEX - ZOO
- next-generation firewall (NGFW) - A next-generation firewall (NGFW) is a part of the third generation of firewall technology that is implemented in either hardware or software and is capable of detecting and blocking sophisticated attacks by enforcing security policies at the application, port and protocol levels.
- one-time password (OTP) - A one-time password (OTP) is an automatically generated numeric or alphanumeric string of characters that authenticates the user for a single transaction or login session.
- OneID - OneID is a digital identity management service that provides a repository for usernames and passwords, eliminating the need for people to remember numerous arcane character sequences.
- open redirect - Open redirect is a security flaw in an app or a web page that causes it to fail to properly authenticate URLs.
- open security - Open security is an approach to safeguarding software, hardware and other information system components with methods whose design and details are publicly available.
- Open Source Hardening Project - The Open Source Hardening Project is an initiative of the United States Department of Homeland Security, created to improve the security of open source code.
- OS commanding - OS commanding is a method of attacking a Web server by remotely gaining access to the operating system (OS) and then executing system commands through a browser.
- out-of-band patch - An out-of-band patch is a patch released at some time other than the normal release time.
- OWASP (Open Web Application Security Project) - The Open Web Application Security Project (OWASP) is a not-for-profit group that helps organizations develop, purchase, and maintain software applications that can be trusted.
- password hardening - Password hardening is any one of a variety of measures taken to make it more difficult for an intruder to circumvent the authentication process.
- pastebin - A pastebin is a Web application that allows users to upload and share text online.
- Pen Testing as a Service (PTaaS) - Pen testing as a service (PTaaS) is a cloud service that provides information technology (IT) professionals with the resources they need to conduct and act upon point-in-time and continuous penetration tests.
- personal health record (PHR) - A personal health record (PHR) is a collection of health-related information that is documented and maintained by the individual it pertains to.
- pharma hack - The pharma hack is an exploit that takes advantage of vulnerabilities in WordPress or Joomla documents, causing search engines, notably the one hosted by Google, to return ads for pharmaceutical products along with legitimate listings.
- polymorphic virus - A polymorphic virus is a harmful, destructive or intrusive type of malware that can change or 'morph,' making it difficult to detect with antimalware programs.
- pretexting - Pretexting is a form of social engineering in which one individual lies to obtain privileged data about another individual in order to engage in identity theft or corporate espionage.
- Pretty Easy Privacy (pEp) - Pretty Easy Privacy (pEp) is an open source encryption tool designed to make it simple for users to protect their online communications.
- principle of least privilege (POLP) - The principle of least privilege (POLP), an important concept in computer security, is the practice of limiting access rights for users to the bare minimum permissions they need to perform their work.
- private cloud (internal cloud or corporate cloud) - Private cloud is a type of cloud computing that delivers similar advantages to public cloud, including scalability and self-service, but through a proprietary architecture.
- privilege bracketing - Privilege bracketing is the practice of limiting temporarily increased permission levels to the briefest possible time period.
- proxy hacking - Proxy hacking, also known as proxy hijacking, is an attack technique designed to supplant an authentic Web page in a search engine's index and search results pages.
- pseudo-anonymity - Pseudo-anonymity is the appearance – but not the reality--of anonymity online.
- pseudonymity - Pseudonymity is the near-anonymous state in which a user has a consistent identifier that is not their real name: a pseudonym.
- Pwn2Own - Pwn2Own is an annual hacking competition sponsored by security vendor TippingPoint and held at the CanSecWest security conference.
- Qualified Security Assessor (QSA) - A Qualified Security Assessor (QSA) is a person who has been certified by the PCI Security Standards Council to audit merchants for Payment Card Industry Data Security Standard (PCI DSS) compliance.
- ransomware - Ransomware is a subset of malware in which the data on a victim's computer is locked -- typically by encryption -- and payment is demanded before the ransomed data is decrypted and access is returned to the victim.
- RAT (remote access Trojan) - A remote access Trojan (RAT) is a malware program that gives an intruder administrative control over a target computer.
- real-time location system (RTLS) - A real-time location system (RTLS) is one of a number of technologies used to pinpoint the current geographic position and location of a target.
- remote deposit capture (RDC) - Remote deposit capture (RDC) is a system that allows a customer to scan checks remotely and transmit the check images to a bank for deposit, usually via an encrypted Internet connection.
- remote desktop - Remote desktop is a program or an operating system feature that allows a user to connect to a computer in another location, see that computer's desktop and interact with it as if it were local.
- Report on Compliance (ROC) - A Report on Compliance (ROC) is a form that must be completed by all Level 1 Visa merchants undergoing a PCI DSS audit.
- Rock Phish - Rock Phish is both a phishing toolkit and the entity that publishes the kit, either a hacker, or, more likely, a sophisticated group of hackers.
- runtime application self-protection (RASP) - Runtime application self-protection (RASP) is security software that monitors application inputs and behavior and takes action to deal with suspicious events automatically or, if necessary, alert an administrator.
- scareware - Scareware is a type of malware designed to trick victims into purchasing and downloading useless and potentially dangerous software.
- Security as a Service (SaaS) - Security-as-a-service (SaaS) is an outsourcing model for security management.
- security by design - Security by design is an approach to software and hardware development that seeks to make systems as free of vulnerabilities and impervious to attack as possible through such measures as continuous testing, authentication safeguards and adherence to best practices.
- security event - A security event is a change in the everyday operations of a network or IT service, indicating that an security policy may have been violated or a security safeguard may have failed.
- security information management (SIM) - Security information management (SIM) is the practice of collecting, monitoring and analyzing security-related data from computer logs.
- shadow app - A shadow app is a software program that is not supported by an employee's information technology (IT) department.
- shrink wrap license - A shrink wrap license is an end user agreement (EULA) that is enclosed with software in plastic-wrapped packaging.
- single-factor authentication (SFA) - Single-factor authentication (SFA) is the traditional security process that requires a user name and password before granting access to the user.
- SmartScreen - SmartScreen is a Microsoft filtering tool designed to detect and block suspicious and malicious sites, applications and files.
- soft token - A soft token is a software-based security token that generates a single-use login PIN.
- software attack surface - The software attack surface is the complete profile of all functions in any code running in a given system that are available to an unauthenticated user.
- software-defined perimeter (SDP) - The software-defined perimeter, or SDP, is a security framework that controls access to resources based on identity.
- SSI injection - SSI injection is a form of attack that can be used to compromise Web sites that contain SSI (server-side include) statements.
- static application security testing (SAST) - Static application security testing (SAST) is a program designed to analyze application (app) source code in order to find security vulnerabilities or weaknesses that may open an app up to a malicious attack.
- streaming application - A streaming application is a program that has its necessary components downloaded as needed instead of being installed ahead of time on a computer.
- TailsOS - TailsOS is a LiveDistro-based operating system that is configured to run from removable storage and to leave no information stored on the computer after the user’s session.
- TDL-4 (TDSS or Alureon) - TDL-4 is sophisticated malware that facilitates the creation and maintenance of a botnet.
- Tilded platform - The Tilded platform is a malicious software communicator specifically designed as a vessel for transmitting malware undetected.
- tokenization - Tokenization is the process of replacing sensitive data with unique identification symbols that retain all the essential information about the data without compromising its security.
- variable manipulation - Variable manipulation is a method of specifying or editing variables in a computer program.
- virtual appliance - A virtual appliance is a virtual machine image file consisting of a pre-configured operating system environment and a single application.
- virtual machine escape - Virtual machine escape is an exploit in which the attacker runs code on a VM that allows an operating system running within it to break out and interact directly with the hypervisor.
- virtual patching - Virtual patching is the quick development and short-term implementation of a security policy meant to prevent an exploit from occurring as a result of a newly discovered vulnerability.
- VMware Identity Manager - VMware Identity Manager is an Identity as a Service (IDaaS) offering that provides single sign-on (SSO) capabilities and user-based controls for web, cloud and mobile applications.
- Weave - Weave is a set of browser enhancements and associated services from Mozilla Labs that allow users to store personal information on Mozilla servers.
- Web application firewall (WAF) - A web application firewall (WAF) is a firewall that monitors, filters and blocks data packets as they travel to and from a website or web application.
- Web Application Proxy - Web Application Proxy is a service in Windows Server 2012 R2 that allows end users to access applications from outside the corporate network on any device.
- Web Application Security Consortium (WASC) - The Web Application Security Consortium (WASC) is a worldwide organization devoted to the establishment, refinement and promotion of Internet security standards.
- Web Services Trust Language (WS-Trust) - Web Services Trust Language (WS-Trust) is a specification that uses the secure messaging mechanisms of WS-Security to facilitate trust relationships in diverse Web service environments.
- WebAuthn API - The Web Authentication API (WebAuthn API) is a credential management application program interface (API) that lets web applications authenticate users without storing their passwords on servers.
- WikiScanner - WikiScanner is a free, Web-based database application that tracks the source IP addresses of computers used to edit anonymous Wikipedia entries.
- wildcard certificate - A wildcard certificate is a digital certificate that is applied to a domain and all its subdomains.
- Windows Genuine Advantage (WGA) - Windows Genuine Advantage (WGA) is a program that investigates Windows -based computers to be sure that their copy of the Windows operating system (OS) is legitimate.
- X.509 certificate - An X.509 certificate is a digital certificate that uses the widely accepted international X.
- XML bomb - An XML (Extensible Markup Language) bomb is a small but dangerous message that is composed and sent with the intent of overwhelming the program that parses XML files.
- zero-day (computer) - Zero-day is a flaw in software, hardware or firmware that is unknown to the party or parties responsible for patching or otherwise fixing the flaw.
- Zoombombing - Zoombombing is a type of cyber-harassment in which an individual or a group of unwanted and uninvited users interrupt online meetings over the Zoom video conference app.