Updated Glossary to Resolve #2100 (#2200)
* Updated Glossary to Resolve #2100

* Additional updates

---------

Co-authored-by: Josh Grossman <tghosth@users.noreply.github.com>
ryarmst and tghosth authored Oct 28, 2024
1 parent 8cccc80 commit a4de840
Showing 1 changed file with 8 additions and 0 deletions.
8 changes: 8 additions & 0 deletions 5.0/en/0x90-Appendix-A_Glossary.md
@@ -1,5 +1,6 @@
# Appendix A: Glossary

* **Absolute Maximum Session Lifetime** - Also referred to as "Overall Timeout" by NIST, this is the maximal amount of time a session can remain active following authentication regardless of user interaction. This is a component of session expiration.
* **Address Space Layout Randomization** (ASLR) – A technique to make exploiting memory corruption bugs more difficult.
* **Allowlist** – A list of permitted data or operations, for example, a list of characters that are allowed to perform input validation.
* **Application Security** – Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than focusing on for example the underlying operating system or connected networks.
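Review bot: in the new Absolute Maximum Session Lifetime entry, "the maximal amount of time" should read "the maximum amount of time", and the NIST reference would be easier to verify if it named the document (e.g. "by NIST SP 800-63B"), if that is the intended source. Separately, the entry uses a plain hyphen after the bold term while the neighbouring entries (ASLR, Allowlist, Application Security) use an en dash; the file already mixes both, so either is defensible, but new entries are a good place to settle on one.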
@@ -11,6 +12,7 @@
* **Component** – a self-contained unit of code, with associated disk and network interfaces that communicates with other components.
* **Cross-Site Scripting** (XSS) – A security vulnerability typically found in web applications allowing the injection of client-side scripts into content.
* **Cryptographic module** – Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys.
* **Cryptographically Signed Token** - These tokens will generally contain claims or assertions encoded within the token structure, with cryptographic techniques such as signatures or message authentication codes (MAC) used to verify the authenticity and integrity of this data. The most common examples are SAML assertions and JWTs.
* **Common Weakness Enumeration** (CWE) - A community-developed list of common software security weaknesses. It serves as a common language, a measuring stick for software security tools, and a baseline for weakness identification, mitigation, and prevention efforts.
* **Design Verification** – The technical assessment of the security architecture of an application.
* **Dynamic Application Security Testing** (DAST) - Technologies are designed to detect conditions indicative of a security vulnerability in an application in its running state.
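Review bot: the Cryptographically Signed Token entry folds message authentication codes into "signed" tokens, but a MAC-protected token can only be verified by a party holding the same shared key, whereas a signature can be verified with a public key; that difference decides which parties can be trusted to validate the token. Suggest either a more neutral name ("Cryptographically Protected Token") or a clause such as "signatures (asymmetric) or message authentication codes (symmetric)". Also, the new entry is inserted between "Cryptographic module" and "Common Weakness Enumeration", preserving the existing out-of-order pair; if the list is meant to be alphabetical, "Common Weakness Enumeration" belongs before both "Cryptographic" entries.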
@@ -21,7 +23,9 @@
* **Hardcoded keys** – Cryptographic keys that are stored on the filesystem, be it in code, comments or files.
* **Hardware Security Module** (HSM) - Hardware component that stores cryptographic keys and other secrets in a protected manner.
* **Hibernate Query Language** (HQL) - A query language that is similar in appearance to SQL used by the Hibernate ORM library.
* **Inactivity Timeout** - This is the length of time a session can remain active in the absence of user interaction with the application. This is a component of session expiration.
* **Input Validation** – The canonicalization and validation of untrusted user input.
* **JSON Web Token** (JWT) - RFC 7519 defines a standard for a JSON data object made up of a header section which explains how to validate the object, a body section containing a set of claims, and a signature section which contains a digital signature which can be used to validate the contents of the body section.
* **Malicious Code** – Code introduced into an application during its development unbeknownst to the application owner, which circumvents the application's intended security policy. Not the same as malware such as a virus or worm!
* **Malware** – Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator.
* **Open Worldwide Application Security Project** (OWASP) – The Open Worldwide Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks. See: [https://www.owasp.org/](https://www.owasp.org/).
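Review bot: in the JSON Web Token entry, "a header section which explains how to validate the object" reads as though the recipient takes its validation procedure from the token itself; a verifier must check the token against the algorithm and key it expects, not whatever the header announces. Suggest "a header section which declares the token type and the algorithm used to protect it". Two further wording points in the same entry: RFC 7519 calls the middle part the payload (the JWT Claims Set), and the third part is a signature or a MAC (an HMAC-protected JWT carries no digital signature in the asymmetric sense, so saying "signature or MAC" also keeps this entry consistent with the Cryptographically Signed Token entry added in this commit); RFC 7519 additionally permits an encrypted (JWE) form with no signature section at all.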
@@ -32,7 +36,9 @@
* **Position-independent executable** (PIE) - A body of machine code that, being placed somewhere in the primary memory, executes properly regardless of its absolute address.
* **Public Key Infrastructure** (PKI) - An arrangement that binds public keys with respective identities of entities. The binding is established through a process of registration and issuance of certificates at and by a certificate authority (CA).
* **Public Switched Telephone Network** (PSTN) - The traditional telephone network that includes both fixed-line telephones and mobile telephones.
* **Random Session Token** - A random session token is randomly generated by the application as a session identifier to be issued to clients as part of a stateful session mechanism.
* **Relying Party** (RP) - Generally an application which is relying on a user having authenticated against a separate authentication provider. The application relies on some sort of token or set of signed assertions provided by that authentication provider to trust that the user is who they say they are.
* **Security Assertion Markup Language** (SAML) - An open standard for single sign-on authentication based on passing signed assertions (usually XML objects) between the identity provider and the relying party.
* **Static application security testing** (SAST) - A set of technologies designed to analyze application source code, byte code and binaries for coding and design conditions that are indicative of security vulnerabilities. SAST solutions analyze an application from the “inside out” in a nonrunning state.
* **Software development lifecycle** (SDLC) - The step-by-step process by which software is developed going from the initial requirements to deployment and maintenance.
* **Security Architecture** – An abstraction of an application's design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data.
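Review bot: the Random Session Token entry is circular ("A random session token is randomly generated ...") and omits the property that matters; suggest "A session identifier generated by the application from a cryptographically secure random source, so that it is unpredictable and carries no meaning in itself, issued to clients as part of a stateful session mechanism." In the Security Assertion Markup Language entry, "usually XML objects" understates it: SAML assertions are XML by definition, so "XML objects" without "usually" is the accurate wording.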
@@ -42,6 +48,8 @@
* **Single Sign-on Authentication** (SSO) - This occurs when a user logs into one application and is then automatically logged into other applications without having to re-authenticate. For example, when you log into Google, you will be automatically logged into other Google services such as YouTube, Google Docs, and Gmail.
* **Software Composition Analysis** (SCA) - A set of technologies designed to analyze application composition, dependencies, libraries and packages for security vulnerabilities of specific component versions in use. This is not to be confused with source-code analysis which is now commonly referred to as SAST.
* **SQL Injection** (SQLi) – A code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry point.
* **Stateful Session Mechanism** - In a stateful session mechanism, the application retains session state at the back end which typically corresponds to a random session identifier which is issued to the end user.
* **Stateless Session Mechanism** - A stateless session mechanism will use a cryptographically signed token which is passed to clients, and contains session information that is not necessarily stored within the service which then receives and validates the token. In reality, a service will need to have access to some session information (such as a JWT revocation list) in order to be able to enforce required security controls.
* **SVG** - Scalable Vector Graphics.
* **Time-based OTP** - A method of generating an OTP where the current time acts as part of the algorithm to generate the password.
* **Threat Modeling** - A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets.
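Review bot: the Stateless Session Mechanism entry first says the token "contains session information that is not necessarily stored within the service" and then that the service "will need to have access to some session information", which reads as a contradiction rather than the intended caveat. Suggest keeping the first sentence and rewording the second as "Note that enforcing some controls, such as revocation via a JWT revocation list, still requires the service to hold a small amount of server-side state." The Stateful Session Mechanism entry could also cross-reference the Random Session Token entry added in this same commit, since both describe the same identifier.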
