Application security translation guide
Like any specialist discipline, application security (app sec – even the name needs translating!) has its own technical language that’s second nature for insiders like us but generally not so easy, even for pretty technical people, when looking in from the outside.
As we believe that clear communication is one of the first steps towards great security, we’ve created our insider’s guide to common technical terms and their meanings below.
It’s a living piece of work, so if you can’t find what you need or have something to add, please contact us and we’ll do our best to update the list accordingly.
If you need help in understanding or translating application security speak into business speak (or the other way around) give us a shout and we’ll be your guides.
Tech term: A means of restricting access to files, referenced functions, URLs, and data based upon the identity of the users and/or groups to which they belong.
Business term: The functionality, locations and data a user is allowed access to when using a system. These permissions may be individual or group based.
Tech term: Any attack that is detectable as an attack by the target.
Business term: Someone is attacking your site/app and you know it.
Tech term: Web application security, including mobile apps and IoT.
Business term: Security for your website/web system, mobile app or ‘internet of things’ devices.
Tech term: The process of verifying that someone or something is the actual entity they claim to be.
Business term: Authentication is what happens when you successfully log into a system.
Tech term: Determining the permissions a user has after authentication.
Business term: What you are permitted to do when logged into a system after authentication.
Tech term: Malicious code inserted into a program for the purposes of providing the authors access to the running program.
Business term: An entry point to your systems that you don’t want.
Tech term: A hacker who violates computer security for little reason beyond maliciousness or personal gain.
Business term: See Tech term
Tech term: When performing input validation, the set of items that, if matched, results in the input being considered invalid.
Business term: A predetermined set of values for any given input field that will automatically be rejected as invalid. If no invalid items are found, the result is valid.
Tech term: An attack on an encryption algorithm where the encryption key for a cyphertext is determined by trying to decrypt with every key until valid plaintext is obtained.
Business term: Imagine a combination lock. Unlock it by trying every possible combination until it opens, possible because we allow unlimited tries.
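The combination-lock analogy above works only because the attacker is allowed unlimited tries. The following added example (not from the original guide) shows the defender's side: a small in-memory login throttle that stops evaluating guesses for an account once a threshold of failures is reached inside a time window. The threshold, window, credential map and injectable clock are all constructed for the demonstration.

```python
"""Added example: throttling repeated guesses against a login.

Constructed illustration, not production code: an in-memory failure counter
that locks an account after MAX_FAILURES bad guesses within WINDOW_SECONDS,
so the guess space can no longer be exhausted by simply trying every value.
"""
import hmac
import time
from collections import defaultdict

MAX_FAILURES = 5        # assumption: lock after five bad guesses
WINDOW_SECONDS = 300    # assumption: failures are counted over five minutes


class LoginThrottle:
    def __init__(self, credentials, clock=time.time):
        # credentials: constructed username -> password map (demo only;
        # a real system stores password hashes, never plaintext)
        self._credentials = credentials
        self._clock = clock
        self._failures = defaultdict(list)   # username -> failure timestamps

    def _recent_failures(self, username):
        """Drop failures older than the window and return how many remain."""
        cutoff = self._clock() - WINDOW_SECONDS
        recent = [t for t in self._failures[username] if t >= cutoff]
        self._failures[username] = recent
        return len(recent)

    def is_locked(self, username):
        return self._recent_failures(username) >= MAX_FAILURES

    def attempt(self, username, password):
        """Return 'ok', 'denied' or 'locked' for one login attempt."""
        if self.is_locked(username):
            # Do not evaluate the password at all: a locked account gives the
            # guesser no further feedback on whether a value was right.
            return "locked"
        expected = self._credentials.get(username, "")
        # constant-time comparison so timing does not leak partial matches
        if username in self._credentials and hmac.compare_digest(expected, password):
            self._failures[username] = []
            return "ok"
        self._failures[username].append(self._clock())
        return "denied"


def demo():
    """Simulate a guessing run and return the outcome of each attempt in order."""
    fake_clock = [1000.0]   # constructed clock so the run is deterministic
    throttle = LoginThrottle({"alice": "correct horse battery staple"},
                             clock=lambda: fake_clock[0])
    results = []
    for guess in ["0000", "0001", "0002", "0003", "0004", "0005",
                  "correct horse battery staple"]:
        results.append(throttle.attempt("alice", guess))
        fake_clock[0] += 1.0
    # Once the window has passed, the legitimate user can log in again.
    fake_clock[0] += WINDOW_SECONDS
    results.append(throttle.attempt("alice", "correct horse battery staple"))
    return results


if __name__ == "__main__":
    print(demo())
```

Note that the sixth guess and the correct password that follows it are both answered with "locked": once the threshold is reached the server stops acting as an oracle, which is what removes the "unlimited tries" the analogy depends on.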
Tech term: Comprehensive, Lightweight Application Security Process. An activity-driven, role-based set of process components whose core contains formalised best practices for building security into existing or new-build software.
Business term: A methodology for building secure software.
Tech term: Review of code for security problems.
Business term: Audit of computer software code for security flaws.
Tech term: Cross-site request forgery is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help from social engineering (such as sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker’s choosing. A successful CSRF exploit can compromise end-user data and operations in the case of a normal user. If the targeted end user is the administrator account, this can compromise the entire web application.
Business term: A way in which users are manipulated to carry out unwanted actions and attacks whilst logged into a web system.
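The standard defence against the forgery described above is a token that the browser does not send automatically. This added example (not from the original guide) binds a random nonce to the user's session with an HMAC and refuses any state-changing request that does not carry a valid token. The secret key, session identifiers, form fields and the `handle_transfer` handler are all constructed for the demonstration.

```python
"""Added example: session-bound CSRF tokens.

Constructed illustration of the check a server performs before acting on a
state-changing request. A cross-site page can make the victim's browser
submit a form that carries the session cookie, but it cannot read the token
that was issued to that session, so the forged request fails verification.
"""
import hashlib
import hmac
import secrets

SECRET_KEY = b"constructed-demo-key"  # assumption: a real key comes from server config


def _mac(session_id, nonce):
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id):
    """Create a token tied to one session: random nonce + HMAC over session and nonce."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def verify_csrf_token(session_id, token):
    """True only if the token was issued for this session and is unmodified."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    # constant-time comparison: the MAC check must not leak by timing
    return hmac.compare_digest(_mac(session_id, nonce), mac)


def handle_transfer(session_id, form):
    """Hypothetical money-transfer handler; form is a dict of POST fields.

    The session cookie is assumed to have been validated already; the CSRF
    token is what proves the request originated from our own page.
    """
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return "rejected: missing or invalid CSRF token"
    return f"accepted: transfer of {form['amount']} to {form['to']}"


def demo():
    victim_session = "session-of-alice"   # constructed session identifier
    # Legitimate form rendered by our site: it embeds the token for this session.
    legit_form = {"csrf_token": issue_csrf_token(victim_session),
                  "amount": "10", "to": "bob"}
    # Form submitted from a third-party page: the browser attaches the session
    # cookie, but the page had no way to obtain the session's token.
    forged_form = {"amount": "1000", "to": "mallory"}
    return {"legitimate": handle_transfer(victim_session, legit_form),
            "cross_site": handle_transfer(victim_session, forged_form)}


if __name__ == "__main__":
    print(demo())
```

The token is only as strong as its binding: a token issued for one session must not verify for another, which is why the session identifier is part of the MAC input rather than the nonce alone.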
Tech term: A class of problems resulting from insufficient input validation where one user can add content to a web site that can be malicious when viewed by other users of the web site.
Business term: This occurs when a website includes content from another website and this secondary website has been compromised. Even though the main website visited is secure, the security problem caused at the secondary website is being delivered unbeknownst to the main website. For example, website A contains a plug-in containing content from website B. You trust website A, therefore by default you are also trusting website B. If the content in website B is compromised such that it contains something malicious, then your trusted website A could deliver the same malicious content. This is one of the most prevalent, if not the most prevalent, security vulnerabilities affecting websites/web applications.
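The tech-term definition above traces the problem to insufficient validation of content one user adds for others to view. The usual fix at the point of display is output encoding, shown in this added example (not from the original guide): the same user-supplied comment rendered first by naive string concatenation and then with every untrusted value HTML-encoded for the element context. The comment text and the page fragment are constructed samples.

```python
"""Added example: neutralising user-supplied content by output encoding.

Constructed illustration. The "unsafe" renderer splices user text straight
into page markup, so any markup in the text becomes part of the page; the
hardened renderer encodes the five HTML-significant characters so the text
is displayed literally and cannot change the document structure.
"""
import html

# Constructed sample: a comment that contains markup of its own.
CONSTRUCTED_COMMENT = 'Nice post <script>alert(1)</script> & "thanks"'


def render_comment_unsafe(comment):
    # Before: untrusted text concatenated straight into the markup.
    return f'<p class="comment">{comment}</p>'


def render_comment(comment):
    # After: encode <, >, &, " and ' so the browser shows the text as text.
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def contains_raw_markup(fragment):
    """Helper used to show the difference: does the fragment still contain
    a tag that did not come from our own template?"""
    body = fragment[len('<p class="comment">'):-len("</p>")]
    return "<" in body or ">" in body


def demo():
    return {
        "unsafe": render_comment_unsafe(CONSTRUCTED_COMMENT),
        "safe": render_comment(CONSTRUCTED_COMMENT),
        "unsafe_has_markup": contains_raw_markup(render_comment_unsafe(CONSTRUCTED_COMMENT)),
        "safe_has_markup": contains_raw_markup(render_comment(CONSTRUCTED_COMMENT)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Encoding must match the context the value lands in: `html.escape` is right for element text and quoted attribute values, while values placed into URLs, JavaScript or CSS need the encoding appropriate to that context.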
Tech term: Any attack on a data connection where the attacker simply records or views data instead of tampering with the connection.
Business term: Exactly as it sounds.
Tech term: A strategy of setting up resources which an attacker believes are real but are in fact designed specifically to catch the attacker.
Business term: An internet resource used to catch hackers.
Tech term: A component of risk, the impact describes the negative effect that results from a risk being realised.
Business term: The impact of a realised risk can include financial loss, legal and regulatory issues, brand and reputation damage, data loss, breach of contract, etc.
Tech term: Internet of things.
Business term: The network of physical objects with embedded electronics, software, sensors and network connectivity which enables these objects to collect and exchange data.
Tech term: The act of determining that the data input to a program is sound.
Business term: Ensuring that any forms or similar inputs on your website/app through which users enter data can only contain the type of data they are meant to collect. This should be implemented in such a way as to include protection against SQL injection.
Tech term: A component of risk, likelihood describes the chance that a risk will be realised and the negative impact will occur.
Business term: The likelihood of a realised risk occurring. This varies depending on the vulnerability that is exploited in any given circumstance. This can also vary over time as the list of most commonly exploited vulnerabilities changes with trends and the discovery of new vulnerabilities and exploits.
Tech term: Code introduced into an application unbeknownst to the application owner which circumvents the intended security policy. Not the same as malware.
Business term: Code, usually added without the application owner’s permission, which circumvents security protocol or carries out actions that were never intended for the application. Usually, but not always, added during development.
Tech term: Executable code that is introduced to an application at runtime without the knowledge of the application user or administrator.
Business term: Malicious code that is added whilst using a website or application.
Tech term: Software Assurance Maturity Model (OpenSAMM).
Business term: An open framework to help organisations formulate and implement a strategy for software security that is tailored to the specific risks facing the organisation.
Tech term: Open Web Application Security Project.
Business term: A registered non-profit organisation engaging in research and raising awareness for application security.
Tech term: OWASP Application Security Verification Standard.
Business term: Guidelines that provide a basis for testing web application security controls.
Tech term: The possibility of a negative or undesirable occurrence.
Business term: To reduce risk, one can reduce the impact, reduce the likelihood, or both. Risks can also be accepted, meaning that the full impact of the negative outcome will be borne by the entity at risk. The impact and likelihood can be combined to create an estimate of severity.
Tech term: A value that represents a user’s identity during a session.
Tech term: Secure Sockets Layer, deprecated in favour of TLS.
Business term: A popular protocol for establishing secure channels, superseded by TLS.
Tech term: Severity of a risk.
Business term: The severity combines the likelihood and impact components of a risk, into a single measure.
Tech term: Single Sign-On to access all computer resources in a session.
Business term: Allowing a user one login to a computer system that then allows the user to access all of the resources they require on that system without further need for security checks. This can often increase the security exposure of a system significantly.
Tech term: SQL Injection is a security vulnerability that occurs in the persistence/database layer of a web application.
Business term: Poor design and programming of a web system can allow malicious commands to be run against the system’s database. This can allow the attacker to steal any and all data or to corrupt data, including login credentials for user and administrator accounts.
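The "poor programming" the business term refers to is almost always untrusted input spliced into the text of a query. This added example (not from the original guide) puts the vulnerable lookup beside its parameterised replacement on an in-memory SQLite table, using a constructed user table and a constructed input that contains SQL syntax, so the difference in behaviour is visible.

```python
"""Added example: string-built SQL beside a parameterised query.

Constructed illustration on an in-memory SQLite database. In the unsafe
version the input becomes part of the SQL statement, so quote characters in
it change the query's meaning; in the hardened version the statement text is
fixed and the value is bound as a parameter, so it is only ever data.
"""
import sqlite3


def make_demo_db():
    """Constructed table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    return conn


def find_user_unsafe(conn, username):
    # Before: the value is pasted into the statement text.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user(conn, username):
    # After: fixed statement, value supplied separately via a placeholder.
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    )
    return [row[0] for row in rows]


def demo():
    conn = make_demo_db()
    crafted = "x' OR '1'='1"   # constructed input containing SQL syntax
    return {
        # the quote in the input closes the literal and the OR makes the
        # condition true for every row, so every username comes back
        "unsafe_crafted": find_user_unsafe(conn, crafted),
        # bound as a parameter, the same string matches no username at all
        "safe_crafted": find_user(conn, crafted),
        "safe_normal": find_user(conn, "alice"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Parameterisation is the control that removes the vulnerability class; input validation (restricting a username to an expected character set, for instance) is a worthwhile second layer but is not a substitute for it.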
Tech term: An ethical computer hacker or security expert who specializes in testing methodologies to ensure the security of an organization’s information systems.
Tech term: When performing input validation, the set of items that, if matched, results in the input being accepted as valid.
Business term: A predetermined set of values for any given input field that will automatically be accepted as valid.
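The two list-based approaches described on this page (the deny-list earlier, under "the set of items that, if matched, results in the input being considered invalid", and the allow-list just above) behave very differently against input the author did not anticipate. This added example (not from the original guide) validates the same constructed samples with a small deny-list and with an allow-list pattern for a username field; the deny-list entries, the username rule and the samples are all assumptions made for the demonstration.

```python
"""Added example: deny-list versus allow-list input validation.

Constructed illustration. A deny-list accepts anything it has not been told
about, so a variant it does not list passes; an allow-list describes what a
valid value looks like and rejects everything else, including variants the
author never saw.
"""
import re

# Constructed deny-list: a few strings the author has decided are bad.
DENY_LIST = ("<script>", "javascript:")

# Constructed allow-list rule for a username: lower-case letters, digits and
# underscore, 3 to 16 characters, nothing else.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,16}")


def deny_list_valid(value):
    """Valid unless the value contains one of the listed strings."""
    lowered = value.lower()   # case-folding closes one gap but not the others
    return not any(bad in lowered for bad in DENY_LIST)


def allow_list_valid(value):
    """Valid only if the whole value matches the expected shape."""
    return USERNAME_RE.fullmatch(value) is not None


def demo():
    """Return {sample: (deny_list_result, allow_list_result)}."""
    samples = [
        "alice_01",             # an ordinary, expected value
        "<script>x</script>",   # exactly what the deny-list was written for
        "<script src=x>x",      # a variant the deny-list does not mention
        "alice; drop",          # nothing on the deny-list, still not a username
    ]
    return {s: (deny_list_valid(s), allow_list_valid(s)) for s in samples}


if __name__ == "__main__":
    for sample, (deny_ok, allow_ok) in demo().items():
        print(f"{sample!r:24} deny-list valid={deny_ok!s:5} allow-list valid={allow_ok}")
```

The last two samples are the point: the deny-list accepts both because neither contains a listed string, while the allow-list rejects both without needing to know anything about what they might do.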
Tech term: The period of time in which a vulnerability can possibly be exploited.
Business term: If your website/app has a security vulnerability, this is the period of time from its discovery (possibly by exploitation) until the vulnerability has been fixed or the system taken down until a fix is available.
Whether you have a specific requirement, a question you'd like answered or would just like an informal chat, contact us.