Glossary.

A

API Discovery

Keywords

API sprawl is a common issue when building applications using microservices. Ease of deployment (e.g. using cloud services) and developer autonomy may lead to new API endpoints popping up without anyone's knowledge. Old API versions or deprecated APIs could still be publicly available when the development team thinks they've been shut down. API discovery is the act or service of systematically searching an environment to find all APIs currently in use or publicly available. Discovery is essential to API security, since you can't protect an API if you don't know it exists or is in use.

API security

Keywords

Modern web APIs are becoming more prevalent as web applications embrace flexibility and scalability. Web APIs introduce a new set of security vulnerabilities that security teams must account for to keep their APIs, data, and users safe.

ATO

Concepts

ATO, or Account Takeover, is the act of compromising a victim's account in order to impersonate them to a web application and steal or modify data. Several flaws can lead to ATO, such as poor authentication and authorization implementation, broken object level authorization, broken function level authorization, and poor password/secret management practices. ATO is a highly dangerous attack, and preventing it should be a priority for development teams.

Advanced Rate Limiting

Concepts

Rate limiting is a technique used by APIs to limit the number or size of client requests. It's used to prevent ATO, brute-force attacks, and DoS and DDoS attacks. When a client reaches the designated limits, further requests from that client are temporarily rejected. Lack of proper rate limiting is a risk on the OWASP API Top 10.

Application firewall

Keywords

See "WAF / Web Application Firewall"

Application security

Keywords

Application security is the discipline of applying sound security principles to protect the confidentiality, integrity, and availability of software applications and their data. There are several types of software applications, such as web, mobile, native clients (e.g. Windows Store apps), and command line. Each type of application has a different threat model and must apply different principles and tactics to secure it.

Artificial Intelligence

Technologies

Artificial intelligence is intelligence displayed by machines. There are several branches of AI, each with a focus on allowing machines to make decisions and learn without human intervention. Machine learning is a common application of AI. Others include computer vision and natural language processing. Autonomous self-driving vehicles are an example of the practical application of AI technologies.

B

Bad/Threat actor

Concepts

A bad actor or threat actor tries to infiltrate a web application with the goal of stealing data, modifying data, or performing other malicious acts for personal gain. This term is used in threat modeling to help identify who may have reason to launch attacks against an application and what techniques they might use.

Bot Attack

Concepts

A "bot" is a compromised machine used to attack another application or system. Many types of DDoS attacks are performed by armies of bots made up of compromised IoT and other connected devices. Poor security on these devices makes it easy to compromise them and then use them to overload a website or API with traffic.

Broken Access Control

OWASP

Authentication is identifying who is accessing an application. Authorization is enforcing what they're allowed to do while logged in. It's a critical distinction, as broken access control allows attackers to gain access to data or functions they shouldn't. They can view and/or modify other users' accounts or steal data.

What to look for in your code:

* Modifying the URL or HTML page to bypass access control checks
* Allowing the request's ID to be changed to the account number of another user's account
* Elevation of privilege. Can a user act as an admin by modifying the request?
* APIs with missing access controls for POST, PUT, and DELETE HTTP verbs

Broken Authentication

OWASP

A flaw allowing an attacker to assume other users' identities temporarily or permanently by compromising passwords, keys, or session tokens.

What to look for in your code:

* Storing passwords in plaintext, encrypted, or poorly hashed
* Poor session management
* Permitting brute force or other automated attacks
* Weak or ineffectual credential recovery processes
* Missing or ineffective multi-factor authentication

Broken Function Level Authorization

OWASP

The large number of API endpoints and the complexity of authorization hierarchies and mechanisms can lead to authorization flaws. Attackers can exploit these flaws to gain access to other users' resources and/or administrative functions.

What to look for in your code:

* Can a regular user access administrative endpoints?
* Can a user perform sensitive actions (e.g., creation, modification, or erasure) that they should not have access to by simply changing the HTTP method (e.g., from GET to DELETE)?
* Can a user from group X access a function that should be exposed only to users from group Y, by simply guessing the endpoint URL and parameters (e.g., /api/v1/users/export_all)?

Broken Object Level Authorization

OWASP

APIs often use object identifiers to access resources. This opens the application to attack by changing the object identifiers within the URLs or request bodies to gain unauthorized access to resources. For example, a medical application is vulnerable to BOLA if a patient can change the identifier in the URL and view another patient's data. Authorization checks must be done on every request to verify that the user requesting the resource has access to that resource.

What to look for in your code:

* Insufficient authorization checks for requests that include object identifiers
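The medical-records case above, as an added example that is not part of the glossary: the same lookup handler with and without the per-request ownership check. The record store, caller IDs and URL shape are constructed for illustration.

```python
# Added example (not from the glossary): a record lookup with and without an
# object-level authorization check. Records, callers and the URL shape are
# constructed for illustration.
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Record:
    record_id: int
    owner_id: int       # the patient this record belongs to
    diagnosis: str

@dataclass(frozen=True)
class Response:
    status: int
    body: Optional[dict] = None

# Constructed sample data: two patients (owner_id 1 and 2), one record each.
RECORDS = {
    101: Record(101, owner_id=1, diagnosis="seasonal allergies"),
    102: Record(102, owner_id=2, diagnosis="fractured wrist"),
}

_PATH = re.compile(r"^/api/v1/records/(\d+)$")

def record_id_from_path(path: str) -> Optional[int]:
    """Extracts the object identifier the client supplied in the URL."""
    m = _PATH.match(path)
    return int(m.group(1)) if m else None

def get_record_vulnerable(caller_id: int, path: str) -> Response:
    """BOLA: the caller is authenticated, but the ID taken from the URL is
    trusted as-is, so any logged-in patient can read any other patient's
    record just by changing the number."""
    rid = record_id_from_path(path)
    rec = RECORDS.get(rid)
    if rec is None:
        return Response(404)
    return Response(200, {"id": rec.record_id, "diagnosis": rec.diagnosis})

def get_record_hardened(caller_id: int, path: str) -> Response:
    """Looks the object up, then checks that the caller owns it before
    returning anything. Answering 404 for both a missing record and
    someone else's record avoids confirming that the other ID exists."""
    rid = record_id_from_path(path)
    rec = RECORDS.get(rid)
    if rec is None or rec.owner_id != caller_id:
        return Response(404)
    return Response(200, {"id": rec.record_id, "diagnosis": rec.diagnosis})

if __name__ == "__main__":
    # Patient 1 edits the URL to request patient 2's record.
    print(get_record_vulnerable(1, "/api/v1/records/102"))  # leaks the diagnosis
    print(get_record_hardened(1, "/api/v1/records/102"))    # Response(status=404, body=None)
```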

Broken User Authentication

OWASP

See "Broken Authentication"

C

CI/CD

Concepts

Continuous Integration/Continuous Delivery refers to a mode of operation and a suite of tools used to regularly build and deploy applications to staging and production environments. Continuous integration is the practice of building code and running tests every time a developer checks in code changes. This ensures any new bugs are found and resolved quickly and no existing functionality is broken by new code. Continuous Delivery is the practice of always being in a "ready to deploy to production" state. Typically the code is deployed and tested in a staging area. Then a product owner (or other designated party) approves a deployment to production and automated processes take over to deploy the application. Another "CD" you may encounter is Continuous Deployment, where changes are automatically deployed to production every time a developer checks in code.

Cloud native security

Keywords

Cloud-native security is the discipline of securing cloud-native applications. Cloud-native technologies have many benefits, but they also introduce new avenues of attack. Application security has to change to properly protect cloud-native applications from sophisticated attacks.

Cloud-native

Technologies

Cloud-native technologies, such as containers, service meshes, microservices, immutable infrastructure, and declarative APIs, empower developers to build and run scalable applications on public, private, and hybrid clouds. Cloud-native architecture focuses on creating loosely coupled services with high resiliency. Developers can make changes frequently without negatively impacting the entire system.

Cross-Site Scripting (XSS)

OWASP

XSS is the act of running arbitrary scripts in a victim's browser in order to deface websites, compromise sessions, or redirect users to malicious websites (usually to steal data for use in identity theft or account takeover). The vulnerability lies in using untrusted data to render HTML pages without validating, sanitizing, and escaping the values.

What to look for in your code:

* Including unvalidated and unescaped user input in HTML output
* Storing unvalidated and unescaped user input for later use in HTML output (e.g. a forum post or comment)
* SPA frameworks that dynamically update the HTML of a page based on unvalidated and unescaped input

D

DAST

Technologies

Dynamic Application Security Testing tools mimic a penetration tester. They perform attacks against a running application to find vulnerabilities attackers can exploit. They typically spider an application to find different paths to resources and then send payloads to try to exploit various common vulnerabilities. They report on the results, whether the attacks were successful or the application successfully resisted. DAST tools lack understanding of business logic and thus have trouble finding authentication and authorization vulnerabilities.

DDoS

Concepts

Distributed Denial of Service (DDoS) attacks are denial of service attacks performed by many distributed nodes across the Internet. A denial of service occurs when an attacker brings down a website so that legitimate users cannot access it. DDoS is often performed by armies of bots pointed at one website. DDoS attacks are often used for political statements or to embarrass a company and hurt its revenue.

DevOps

Concepts

DevOps is a movement and philosophy with the goal of delivering software applications faster and more reliably than traditional modes of operation. DevOps brings together the development and operations disciplines to achieve maximum flexibility, scalability, and reliability of software applications. Automation, collaboration, and fast feedback cycles are the core tenets of DevOps.

DevSecOps

Concepts

DevSecOps adds the security discipline to DevOps. Security teams work in collaboration with development and operations to ensure that environments and applications stay secure. For instance, DevOps focuses on repeatable processes for creating application environments on demand and deploying code to them. DevSecOps includes security so each new environment created is locked down by default and safe for deployment without any manual configuration required.

E

Excessive Data Exposure

OWASP

APIs tend to return all data fields held within an object, expecting the client to filter and show the data it needs. This data exposure can aid in attacking the application or lead to data breaches. For example, returning the address with a user object on every request, or exposing an "admin" field an attacker may try to manipulate using other means.

What to look for in your code:

* API methods that return raw objects from the ORM with all fields included

I

IAST

Technologies

Interactive Application Security Testing tools are a relatively new addition to the web application security landscape. IAST tools aim to combine the benefits of SAST and DAST to create a more complete picture of application vulnerabilities. IAST tools are embedded within the application and have visibility into the code. While the application runs automated functional tests within a staging environment, IAST searches code execution paths for possible vulnerabilities. Some may even try to perform attacks on parts of the code that may be vulnerable to validate findings and reduce false positives. A downside of IAST is the heavy dependency on a large suite of automated functional tests, which may make it difficult to use in legacy applications.

Improper Assets Management

OWASP

API proliferation can cause poor documentation and old API endpoints to be exposed, which leads to vulnerabilities in endpoints you didn't know were exposed publicly.

Warning signs:

* Outdated API inventory
* API endpoints with unclear purposes
* No retirement plan for old API versions

Injection

OWASP

Injection occurs when untrusted data is sent to an interpreter as a command or query. Interpreters execute code as it comes in, instead of compiling it into an executable. This distinction means that interpreters can be easily tricked into using data as a command. Attackers use these flaws to steal data. Common injections include SQL, NoSQL, LDAP, OS, and ORM.

What to look for in your code:

* User-supplied data isn't validated, filtered or sanitized
* Untrusted data is sent directly to the interpreter (e.g. concatenated to an SQL query)
* Untrusted data is sent directly into an ORM search function

Insecure Deserialization

OWASP

Serialization changes the format of an object in code to make sending it to a server more efficient. The server then deserializes the object upon receipt so it can process the request. Insecure deserialization of objects allows attackers to make calls to system resources upon deserialization. This vulnerability leads to remote code execution along with replay attacks, injection attacks, and privilege escalation attacks.

What to look for in your code:

* Accepting serialized objects from untrusted sources
* Using serialization mediums that permit more than primitive data types

Insufficient Logging & Monitoring

OWASP

An attack typically goes unnoticed for over 200 days. Insufficient logging and monitoring allows attackers to persist longer, leading to devastating data exfiltration and destruction.

What to look for in your code:

* Poor integration between logging and incident response teams
* Not logging login attempts, login failures, and high-value transactions
* No monitoring of log files
* Log messages that are unclear or too broad in language to be useful

L

Lack of Resources & Rate Limiting

OWASP

APIs that don't limit the size or number of resources a user/client can request leave themselves open to denial of service and brute force attacks.

Limits you should enforce:

* Execution timeouts
* Max allocable memory
* Number of file descriptors
* Number of processes
* Request payload size (e.g. uploads)
* Number of requests per client/resource
* Number of records per page to return in a single request response

M

Machine Learning

Technologies

Machine learning is a branch of artificial intelligence that studies computer algorithms that are able to learn from experience. They do this by analyzing large amounts of data and using that data to build statistical models. The program can use the models to make predictions, take action, and learn from that action.

Mass Assignment

OWASP

Objects in modern applications have many properties, but not all the properties should be updated directly by a client. A mass assignment flaw exists when an API endpoint automatically converts client parameters into internal object properties without considering the sensitivity of the properties.

What to look for in your code:

* Using objects instead of viewmodels within your API endpoints
* Relying on frameworks to assign property values taken from parameters and request bodies
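Both warning signs above in one place: a request body written straight onto the internal object, next to a viewmodel that lists only the client-updatable fields. This is an added example, not the glossary's own code; the User model and the request payloads are constructed.

```python
# Added example (not from the glossary): binding a JSON request body to a
# user object directly versus through a viewmodel. The User model and the
# payloads are constructed.
from dataclasses import dataclass, fields
from typing import Optional

@dataclass
class User:
    username: str
    email: str
    is_admin: bool = False      # must never be settable by the client
    balance_cents: int = 0      # likewise

def update_user_vulnerable(user: User, payload: dict) -> User:
    """Mass assignment: every key in the request body is written straight
    onto the internal object, including is_admin and balance_cents."""
    for key, value in payload.items():
        setattr(user, key, value)
    return user

@dataclass
class UserUpdateViewModel:
    """The fields a client is allowed to change, and nothing else."""
    email: Optional[str] = None

    @classmethod
    def from_payload(cls, payload: dict) -> "UserUpdateViewModel":
        allowed = {f.name for f in fields(cls)}
        unexpected = sorted(set(payload) - allowed)
        if unexpected:
            # Rejecting rather than silently dropping keeps tampering
            # visible in logs and in the API's error responses.
            raise ValueError(f"fields not permitted: {unexpected}")
        return cls(**payload)

def update_user_hardened(user: User, payload: dict) -> User:
    """Copies only the viewmodel's fields onto the internal object."""
    vm = UserUpdateViewModel.from_payload(payload)
    if vm.email is not None:
        user.email = vm.email
    return user

def try_update(user: User, payload: dict) -> Optional[str]:
    """Hardened update that returns None on success or the rejection message."""
    try:
        update_user_hardened(user, payload)
        return None
    except ValueError as exc:
        return str(exc)

if __name__ == "__main__":
    tampered = {"email": "new@example.invalid", "is_admin": True}
    u = User("alice", "alice@example.invalid")
    print(update_user_vulnerable(u, tampered).is_admin)   # True: privilege escalated
    v = User("bob", "bob@example.invalid")
    print(try_update(v, tampered), v.is_admin)            # fields not permitted: ['is_admin'] False
```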

Microservices

Technologies

Microservices are small services that together make up an entire web application or API. They take the "do one thing exceptionally well" mantra of Unix/Linux development and apply it to software applications. In a microservice architecture, one request to a site may result in dozens or even hundreds of separate requests to focused microservices on the back end. Advantages of microservice architecture include increased speed of development, flexibility, developer autonomy, and scalability.

N

Next Generation WAF

Technologies

Next Generation WAFs, or NG-WAFs, are WAFs with added features to help overcome the shortcomings of rules-based security. NG-WAFs add ML features such as behavior analysis and anomaly detection to find and prevent attacks traditional WAFs miss. NG-WAFs are also more compatible with cloud-native applications.

R

RASP / Runtime Application Self Protection

Technologies

If WAFs serve as the moat of the castle, Runtime Application Self-Protection (RASP) tools are the castle guards. RASP is deployed within the runtime environment of the web application. It's able to see and change application behavior to prevent attacks in real time.

Rest api security

Keywords

See "API security"

S

SAST

Technologies

Static Application Security Testing is the process of scanning application code to find possible vulnerabilities. The term "static" refers to testing code that is not running, typically source code before it is compiled, to detect programming patterns that could lead to exploitation. For example, a SAST tool may find concatenation of untrusted input within the code and flag it as a possible SQL injection vulnerability. A downside of SAST is a tendency for false positives, since code that looks incorrect may not be a vulnerability.

SQL Injection

OWASP

See "Injection"

Security Misconfiguration

OWASP

Web application frameworks often have many options for developers to choose from that affect how they operate. This choice leads to misconfiguration, as making the wrong decision (or leaving insecure defaults) leaves security holes attackers use to steal data or otherwise compromise the application.

What to look for in your code:

* Missing or misconfigured security headers
* The use of default values
* Revealing stack traces when errors occur

Security Posture

Concepts

A security posture is the overall "grade" of security for an organization. It includes all security controls an organization has in place as well as the way the organization detects and defends against cyber attacks. A security posture takes into account network, software and hardware assets, services, and information.

Sensitive Data Exposure

OWASP

Many applications don't protect sensitive data, such as financial, healthcare, or PII. Attackers can steal or modify this data to perform credit card fraud and identity theft. Sensitive data requires extra protection, such as encryption in transit and at rest.

What to look for in your code:

* Transmitting data in plaintext, such as using HTTP, FTP, and SMTP
* Using old or broken encryption algorithms
* Poor cryptographic key management

Serverless

Technologies

Serverless computing is the ability to run code within a cloud environment without worrying about server configuration and deployment. It's not truly "serverless," but rather features an interface for developers to write and run code without provisioning and configuring servers. From the developer's point of view, the code just runs when required. AWS Lambda is an example of serverless computing.

Shadow APIs

Concepts

Shadow APIs are unknown APIs that are publicly exposed. These APIs pose a risk because an API that no one knows about is publicly exposed without protection and could be a target for attackers. API discovery tools can help find shadow APIs so you can properly protect them or shut them down if they're unnecessary.

T

Threat landscape

Concepts

A threat landscape is a group of threats within a given context or environment. It includes threat actors, risks, vulnerable assets, and current and emerging trends.

U

Using Components with Known Vulnerabilities

OWASP

Most applications use open source or third-party frameworks to achieve desired functionality. These components run at the same privilege level as the application. Therefore, if vulnerabilities exist within the components your application depends on, attackers can use them to take over the server or steal data.

What to look for in your code:

* No up-to-date record of the components in use
* No mechanism to update components when patches are released
* Using vulnerable, unsupported, or out-of-date software

W

WAAP / Web Application & API Protection

Keywords

Web Application and API Protection (WAAP) services protect modern web applications and APIs from a variety of attacks. WAAP services include NG-WAF and RASP capabilities along with Distributed Denial of Service (DDoS) protection and malicious bot detection. WAAP aims to meet the security needs of modern, API- and microservice-based web applications.

WAF / Web Application Firewall

Technologies

Web application firewalls take the idea of network firewalls and apply it to web applications. A WAF scans all traffic coming into a web application to find possible attacks, such as cross-site scripting and SQL injection. WAFs use rules and signatures that define what to look for within a request in order to flag it as a possible attack.

Web api security

Keywords

See "API security"

Web application security

Keywords

Web application security is the discipline of applying sound security principles to protect the confidentiality, integrity, and availability of web applications. Web applications are the most common way for customers to interact with businesses and they are a juicy target for attackers. Web application security seeks to protect web applications by hardening network, code, and infrastructure against attack.

X

XML External Entities (XXE)

OWASP

Applications that accept XML content (e.g. XML uploads) may use vulnerable XML processors that evaluate external entity references. Attackers exploit this vulnerability to perform many attacks, such as remote code execution, denial of service attacks, and disclosing internal files.

What to look for in your code:

* Having document type definitions (DTDs) enabled in an XML processor
* Accepting XML directly, or XML uploads from an untrusted source
* Using SOAP prior to version 1.2
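One way to act on the first warning sign at the input boundary: refuse any XML document that declares a DTD before it reaches the parser, since entities (external or internal) can only be declared inside a DOCTYPE. This is an added example, not the glossary's own code; the sample documents and the placeholder file path are constructed.

```python
# Added example (not from the glossary): rejecting DTD declarations in
# client-supplied XML before parsing, independent of how the underlying
# parser is configured. Sample documents are constructed.
import re
import xml.etree.ElementTree as ET

# Conservative pre-parse check: it also rejects a document that merely
# contains this string inside a CDATA section, which is an acceptable
# false positive for input arriving from an untrusted source.
_DOCTYPE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)

def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parses client-supplied XML, raising ValueError if it carries a DTD."""
    if _DOCTYPE.search(data):
        raise ValueError("DTD declarations are not accepted from untrusted sources")
    return ET.fromstring(data)

def is_accepted(data: bytes) -> bool:
    """True if the document is both DTD-free and well-formed."""
    try:
        parse_untrusted_xml(data)
        return True
    except (ValueError, ET.ParseError):
        return False

# Constructed samples: an ordinary order document, and one that declares an
# external entity pointing at a placeholder path on the server, which is the
# shape of input the check exists to stop.
BENIGN = b'<?xml version="1.0"?><order><item sku="A1" qty="2"/></order>'
WITH_DTD = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
            b'<order>&ext;</order>')

if __name__ == "__main__":
    print(is_accepted(BENIGN))    # True
    print(is_accepted(WITH_DTD))  # False
```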