DevSecOps Definitions
-
A
access control list (ACL)
An access control list (ACL) is a table that tells a computer operating system which access rights each user has to a particular system object, such as a file directory or individual file.
-
application firewall
An application firewall is an enhanced firewall that limits access by applications to the operating system (OS) of a computer...
-
application security
Application security is the use of software, hardware, and procedural methods to protect applications from external threats. Once an afterthought in software design, security is becoming an increasingly important concern during development as applications become more frequently accessible over networks and are, as a result, vulnerable to a wide variety of threats.
-
authorization
Authorization is the process of giving someone permission to do or have something.
-
B
bug
In computer technology, a bug is a coding error in a computer program.
-
C
CGI scanner
A CGI (common gateway interface) scanner is a program that searches for known vulnerabilities in Web servers and application programs by testing HTTP requests against known CGI strings...
-
code review
Code review is a phase in the computer program development process in which the authors of code, peer reviewers, and perhaps quality assurance reviewers get together to review code, line by line...
-
command injection
Command injection is the insertion of HTML code into dynamically generated output by a malevolent hacker (also known as a cracker) seeking unauthorized access to data or network resources...
-
cross-site request forgery (XSRF or CSRF)
Cross-site request forgery (XSRF or CSRF) is a method of attacking a Web site in which an intruder masquerades as a legitimate and trusted user...
-
cross-site tracing (XST)
Cross-site tracing (XST) is a sophisticated form of cross-site scripting (XSS) that can bypass security countermeasures already put in place to protect against XSS...
-
D
dynamic analysis
Dynamic analysis is the testing and evaluation of a program based on execution with selected data...
-
H
Higgins Trust Framework (HTF)
The Higgins Trust Framework (HTF) is an API (application program interface) that allows end users to store identity information in locations of their choice and share portions of that information anonymously with online vendors and service providers in a controlled manner...
-
I
integer overflow
Integer overflow is the result of trying to place into computer memory an integer (whole number) that is too large for the integer data type in a given system.
-
L
LDAP injection
LDAP injection is a type of security exploit that is used to compromise the authentication process used by some websites. Websites that construct Lightweight Directory Access Protocol (LDAP) statements from data provided by users are vulnerable to this type of attack.
-
O
obfuscation (obfu)
Obfuscation, in general, describes a practice that is used to intentionally make something more difficult to understand. In a programming context, it means to make code harder to understand or read.
-
OS commanding
OS commanding is a method of attacking a Web server by remotely gaining access to the operating system (OS) and then executing system commands through a browser...
-
Q
quality gate
A quality gate is a milestone in an IT project that requires that predefined criteria be met before the project can proceed to the next phase.
-
R
regular expression (regex)
A regular expression (sometimes abbreviated to "regex") is a way for a computer user or programmer to express how a computer program should look for a specified pattern in text and then what the program is to do when each pattern match is found.
-
S
session hijacking (TCP session hijacking)
Session hijacking, also known as TCP session hijacking, is a method of taking over a Web user session by surreptitiously obtaining the session ID and masquerading as the authorized user...
-
session ID
A session ID is a unique number that a Web site's server assigns to identify a specific user for the duration of that user's visit (session)...
-
session prediction (credential/session prediction)
Session prediction, also called credential/session prediction, is a method of surreptitiously obtaining data (called a session ID) about an authorized visitor to a Web site...
-
smoke testing
Smoke testing, also called build verification testing or build acceptance testing, is nonexhaustive software analysis that ascertains that the most crucial functions of a program work but does not delve into finer details.
-
software resilience testing
Software resilience testing is a method of software testing that focuses on ensuring that applications will perform well in real-life or chaotic conditions.
-
source code analysis
Source code analysis is the automated testing of source code for the purpose of debugging a computer program or application before it is distributed or sold.
-
SQL injection
A SQL injection (SQLi) is a security exploit in which the attacker adds Structured Query Language (SQL) code to a Web form input box in order to gain access to unauthorized resources or make changes to sensitive data.
-
SSI injection
SSI injection is a form of attack that can be used to compromise Web sites that contain SSI (server-side include) statements...
-
systems development life cycle (SDLC)
The systems development life cycle (SDLC) is a conceptual model used in project management that describes the stages involved in an information system development project, from an initial feasibility study through maintenance of the completed application.
-
T
Trusted Computing Group (TCG)
The Trusted Computing Group (TCG) is a not-for-profit organization that was formed in 2003 to define, develop and promote security specifications for computers and networks...
-
V
vulnerability scanner
A vulnerability scanner is a program that performs the diagnostic phase of a vulnerability analysis, also known as vulnerability assessment...
-
W
Web Application Security Consortium (WASC)
The Web Application Security Consortium (WASC) is a worldwide organization devoted to the establishment, refinement and promotion of Internet security standards.
-
WS-SecureConversation (Web Services Secure Conversation Language)
WS-SecureConversation, also called Web Services Secure Conversation Language, is a specification that provides secure communication between Web services using session keys. WS-SecureConversation, released in 2005, is an extension of WS-Security and WS-Trust...
-
X
XML bomb
An XML (Extensible Markup Language) bomb is a small but dangerous message that is composed and sent with the intent of overwhelming the program that parses XML files...