Application Security terms
30 terms
Application Security (AppSec)
The discipline of designing, building, testing and operating software so it resists abuse, tampering and unauthorized access throughout its lifecycle.
Secure Software Development Lifecycle (SSDLC)
A development lifecycle in which security activities are embedded into every phase, from requirements and design through coding, testing, release and operations.
DevSecOps
A culture and set of practices that integrates security responsibilities into DevOps workflows so engineers ship secure software continuously and at speed.
Shift-Left Security
The practice of moving security activities earlier in the software lifecycle so vulnerabilities are found and fixed before code reaches production.
SAST (Static Application Security Testing)
Automated analysis of source code, bytecode or binaries — without executing them — to find security weaknesses such as injection, unsafe APIs or insecure crypto.
DAST (Dynamic Application Security Testing)
Black-box security testing that probes a running application over the network to find vulnerabilities visible only at runtime, such as injection, auth flaws and misconfigurations.
IAST (Interactive Application Security Testing)
Application security testing that instruments a running application from the inside to observe code execution while it is being exercised by traffic or tests.
SCA (Software Composition Analysis)
Automated analysis of an application's open-source and third-party components to identify known vulnerabilities, license issues and outdated or risky dependencies.
RASP (Runtime Application Self-Protection)
A defense embedded inside a running application that monitors execution context and blocks malicious behavior, such as injection or deserialization attacks, in real time.
Fuzz Testing
An automated testing technique that feeds a program large amounts of malformed, random or unexpected input to uncover crashes, memory corruption and security vulnerabilities.
Mutation Fuzzing
A fuzz testing strategy that derives new test inputs by randomly mutating existing valid samples, such as flipping bits, inserting bytes or splicing files.
Coverage-Guided Fuzzing
A fuzzing technique that instruments the target to measure code coverage and evolves inputs that explore previously unseen paths, dramatically improving bug-finding efficiency.
Symbolic Execution
A program analysis technique that executes code with symbolic inputs rather than concrete values, building path constraints solved by an SMT solver to find bugs.
Threat Modeling
A structured analysis that identifies the assets, threats, vulnerabilities and mitigations of a system so security can be designed in rather than bolted on.
Abuse Case
Abuse Case — definition coming soon.
Misuse Case
Misuse Case — definition coming soon.
Security Requirements
Security Requirements — definition coming soon.
Secure Coding
Secure Coding — definition coming soon.
Input Validation
Input Validation — definition coming soon.
Output Encoding
Output Encoding — definition coming soon.
Parameterized Query
Parameterized Query — definition coming soon.
Content Security Policy (CSP)
Content Security Policy (CSP) — definition coming soon.
Subresource Integrity (SRI)
Subresource Integrity (SRI) — definition coming soon.
HTTP Security Headers
HTTP Security Headers — definition coming soon.
CORS (Cross-Origin Resource Sharing)
CORS (Cross-Origin Resource Sharing) — definition coming soon.
SameSite Cookie
SameSite Cookie — definition coming soon.
Secure Cookie Flag
Secure Cookie Flag — definition coming soon.
HttpOnly Cookie Flag
HttpOnly Cookie Flag — definition coming soon.
Session Fixation
Session Fixation — definition coming soon.
API Security
API Security — definition coming soon.