{"id":423,"date":"2019-07-11T14:33:16","date_gmt":"2019-07-11T14:33:16","guid":{"rendered":"http:\/\/fip.r-a-w.org\/?p=423"},"modified":"2019-06-06T14:35:06","modified_gmt":"2019-06-06T14:35:06","slug":"kup-assessments-glossary","status":"publish","type":"post","link":"https:\/\/fip.r-a-w.org\/?p=423","title":{"rendered":"KUP Assessments Glossary"},"content":{"rendered":"\n<p>\u25cfAccess Control\u2013 A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and\/or groups to which they belong.<\/p>\n\n\n\n<p>\u25cfAddress Space Layout Randomization (ASLR)\u2013 A technique to help protect against buffer overflow attacks.<\/p>\n\n\n\n<p>\u25cfApplication Security\u2013 Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than focusing on, for example, the underlying operating system or connected networks.<\/p>\n\n\n\n<p>\u25cfApplication Security Verification\u2013 The technical assessment of an application against the OWASP ASVS.<\/p>\n\n\n\n<p>\u25cfApplication Security Verification Report\u2013 A report that documents the overall results and supporting analysis produced by the verifier for a particular application.<\/p>\n\n\n\n<p>\u25cfAuthentication\u2013 The verification of the claimed identity of an application user.<\/p>\n\n\n\n<p>\u25cfAutomated Verification\u2013 The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems.<\/p>\n\n\n\n<p>\u25cfBack Doors\u2013 A type of malicious code that allows unauthorized access to an application.<\/p>\n\n\n\n<p>\u25cfBlacklist\u2013 A list of data or operations that are not permitted, for example a list of characters that are not allowed as input.<\/p>\n\n\n\n<p>\u25cfCascading Style Sheets (CSS) &#8211; A style sheet language used for describing the presentation semantics of a 
document written in a markup language, such as HTML.<\/p>\n\n\n\n<p>\u25cfCertificate Authority (CA) \u2013 An entity that issues digital certificates.<\/p>\n\n\n\n<p>\u25cfCommunication Security\u2013 The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application.<\/p>\n\n\n\n<p>\u25cfComponent\u2013 A self-contained unit of code, with associated disk and network interfaces that communicates with other components.<\/p>\n\n\n\n<p>\u25cfCross-Site Scripting (XSS) \u2013 A security vulnerability typically found in web applications allowing the injection of client-side scripts into content.<\/p>\n\n\n\n<p>\u25cfCryptographic module\u2013 Hardware, software, and\/or firmware that implements cryptographic algorithms and\/or generates cryptographic keys.<\/p>\n\n\n\n<p>\u25cfDenial of Service (DoS) Attacks\u2013 The flooding of an application with more requests than it can handle.<\/p>\n\n\n\n<p>\u25cfDesign Verification\u2013 The technical assessment of the security architecture of an application.<\/p>\n\n\n\n<p>\u25cfDynamic Verification\u2013 The use of automated tools that use vulnerability signatures to find problems during the execution of an application.<\/p>\n\n\n\n<p>\u25cfEaster Eggs\u2013 A type of malicious code that does not run until a specific user input event occurs.<\/p>\n\n\n\n<p>\u25cfExternal Systems\u2013 A server-side application or service that is not part of the application.<\/p>\n\n\n\n<p>\u25cfFIPS 140-2\u2013 A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules.<\/p>\n\n\n\n<p>\u25cfGlobally Unique Identifier (GUID) \u2013 A unique reference number used as an identifier in software.<\/p>\n\n\n\n<p>OWASP Application Security Verification Standard 3.0<\/p>\n\n\n\n<p>\u25cfHyperText Markup Language (HTML)- The main markup language for the creation of web pages and other information displayed in a web 
browser.<\/p>\n\n\n\n<p>\u25cfHypertext Transfer Protocol (HTTP) \u2013 An application protocol for distributed, collaborative, hypermedia information systems. It is the foundation of data communication for the World Wide Web.<\/p>\n\n\n\n<p>\u25cfInput Validation\u2013 The canonicalization and validation of untrusted user input.<\/p>\n\n\n\n<p>\u25cfLightweight Directory Access Protocol (LDAP)\u2013 An application protocol for accessing and maintaining distributed directory information services over a network.<\/p>\n\n\n\n<p>\u25cfMalicious Code\u2013 Code introduced into an application during its development unbeknownst to the application owner, which circumvents the application\u2019s intended security policy. Not the same as malware such as a virus or worm!<\/p>\n\n\n\n<p>\u25cfMalware\u2013 Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator.<\/p>\n\n\n\n<p>\u25cfOpen Web Application Security Project (OWASP) \u2013 The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security &#8220;visible,&#8221; so that people and organizations can make informed decisions about application security risks. 
See: <a href=\"http:\/\/www.owasp.org\/\">http:\/\/www.owasp.org\/<\/a><\/p>\n\n\n\n<p>\u25cfOutput encoding\u2013 The canonicalization and validation of application output to Web browsers and to external systems.<\/p>\n\n\n\n<p>\u25cfPersonally Identifiable Information (PII) &#8211; Information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.<\/p>\n\n\n\n<p>\u25cfPositive Validation\u2013 See whitelist.<\/p>\n\n\n\n<p>\u25cfSecurity Architecture\u2013 An abstraction of an application\u2019s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data.<\/p>\n\n\n\n<p>\u25cfSecurity Configuration\u2013 The runtime configuration of an application that affects how security controls are used.<\/p>\n\n\n\n<p>\u25cfSecurity Control\u2013 A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record).<\/p>\n\n\n\n<p>\u25cfSQL Injection (SQLi)\u2013 A code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry point.<\/p>\n\n\n\n<p>\u25cfStatic Verification\u2013 The use of automated tools that use vulnerability signatures to find problems in application source code.<\/p>\n\n\n\n<p>\u25cfTarget of Verification (TOV)\u2013 If you are performing application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. 
This application is called the \u201cTarget of Verification\u201d or simply the TOV.<\/p>\n\n\n\n<p>\u25cfThreat Modeling- A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets.<\/p>\n\n\n\n<p>\u25cfTransport Layer Security\u2013 Cryptographic protocols that provide communication security over the Internet.<\/p>\n\n\n\n<p>\u25cfURI\/URL\/URL fragments\u2013 A Uniform Resource Identifier is a string of characters used to identify a name or a web resource. A Uniform Resource Locator is often used as a reference to a resource.<\/p>\n\n\n\n<p>\u25cfUser acceptance testing (UAT)\u2013 Traditionally a test environment that behaves like the production environment where all software testing is performed before going live.<\/p>\n\n\n\n<p>\u25cfVerifier- The person or team that is reviewing an application against the OWASP ASVS requirements.<\/p>\n\n\n\n<p>\u25cfWhitelist\u2013 A list of permitted data or operations, for example a list of characters that are allowed to perform input validation.<\/p>\n\n\n\n<p>\u25cfXML\u2013 A markup language that defines a set of rules for encoding documents.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u25cfAccess Control\u2013 A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and\/or groups to which they belong. \u25cfAddress Space Layout Randomization (ASLR)\u2013 A technique to help protect against buffer overflow attacks. 
\u25cfApplication Security\u2013 Application-level security focuses on the analysis of components that comprise the application layer &hellip; <a href=\"https:\/\/fip.r-a-w.org\/?p=423\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">KUP Assessments Glossary<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":366,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[2,3,5],"tags":[],"class_list":["post-423","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-decisions","category-oop-design","category-project"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/fip.r-a-w.org\/wp-content\/uploads\/2019\/06\/KUPassessmentLogoDEcorated4-6-19.png?fit=1189%2C599&ssl=1","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9NvWe-6P","jetpack_likes_enabled":true,"jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/fip.r-a-w.org\/index.php?rest_route=\/wp\/v2\/posts\/423","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fip.r-a-w.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fip.r-a-w.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fip.r-a-w.org\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https
:\/\/fip.r-a-w.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=423"}],"version-history":[{"count":1,"href":"https:\/\/fip.r-a-w.org\/index.php?rest_route=\/wp\/v2\/posts\/423\/revisions"}],"predecessor-version":[{"id":424,"href":"https:\/\/fip.r-a-w.org\/index.php?rest_route=\/wp\/v2\/posts\/423\/revisions\/424"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fip.r-a-w.org\/index.php?rest_route=\/wp\/v2\/media\/366"}],"wp:attachment":[{"href":"https:\/\/fip.r-a-w.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=423"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fip.r-a-w.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=423"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fip.r-a-w.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=423"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}