Appendix A - Glossary

Address Space Layout Randomization (ASLR)

A technique to make exploiting memory corruption bugs more difficult.

Application Security

Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than focusing on for example the underlying operating system or connected networks.

Application Security Verification

The technical assessment of an application against the OWASP MASVS.

Application Security Verification Report

A report that documents the overall results and supporting analysis produced by the verifier for a particular application.

Authentication

The verification of the claimed identity of an application user.

Automated Verification

The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems.

Black box testing

It is a method of software testing that examines the functionality of an application without peering into its internal structures or workings.

Component

a self-contained unit of code, with associated disk and network interfaces that communicates with other components.

Cross-Site Scripting (XSS)

A security vulnerability typically found in web applications allowing the injection of client-side scripts into content.

Cryptographic module

Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys.

CWE

CWE is a community-developed list of common software security weaknesses. It serves as a common language, a measuring stick for software security tools, and as a baseline for weakness identification, mitigation, and prevention efforts.

DAST

Dynamic application security testing (DAST) technologies are designed to detect conditions indicative of a security vulnerability in an application in its running state.

Design Verification

The technical assessment of the security architecture of an application.

Dynamic Verification

The use of automated tools that use vulnerability signatures to find problems during the execution of an application.

Globally Unique Identifier(GUID)

a unique reference number used as an identifier in software.

Hyper Text Transfer Protocol(HTTP)

An application protocol for distributed, collaborative, hypermedia information systems. It is the foundation of data communication for the World Wide Web.

Hardcoded keys

Cryptographic keys which are stored in the device itself.

IPC

Inter Process Communications,In IPC Processes communicate with each other and with the kernel to coordinate their activities.

Input Validation

The canonicalization and validation of untrusted user input.

JAVA Bytecode

Java bytecode is the instruction set of the Java virtual machine(JVM). Each bytecode is composed of one, or in some cases two bytes that represent the instruction (opcode), along with zero or more bytes for passing parameters.

Malicious Code

Code introduced into an application during its development unbeknownst to the application owner, which circumvents the application's intended security policy. Not the same as malware such as a virus or worm!

Malware

Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator.

Open Web Application Security Project (OWASP)

The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks. See: https://www.owasp.org/

Personally Identifiable Information (PII)

PII is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.

PIE

Position-independent executable (PIE) is a body of machine code that, being placed somewhere in the primary memory, executes properly regardless of its absolute address.

PKI

A PKI is an arrangement that binds public keys with respective identities of entities. The binding is established through a process of registration and issuance of certificates at and by a certificate authority (CA).

SAST

Static application security testing (SAST) is a set of technologies designed to analyze application source code, byte code and binaries for coding and design conditions that are indicative of security vulnerabilities. SAST solutions analyze an application from the “inside out” in a nonrunning state.

SDLC

Software development lifecycle.

Security Architecture

An abstraction of an application's design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data.

Security Configuration

The runtime configuration of an application that affects how security controls are used.

Security Control

A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record).

SQL Injection (SQLi)

A code injection technique used to attack data driven applications, in which malicious SQL statements are inserted into an entry point.

SSO Authentication

Single Sign On(SSO) occurs when a user logs in to one Client and is then signed in to other Clients automatically, regardless of the platform, technology, or domain the user is using. For example when you log in in google you automatically login in the youtube , docs and mail service.

Threat Modeling

A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets.

Transport Layer Security

Cryptographic protocols that provide communication security over the Internet

URI and URL

A Uniform Resource Identifier is a string of characters used to identify a name or a web resource. A Uniform Resource Locator is often used as a reference to a resource.

User acceptance testing (UAT)

Traditionally a test environment that behaves like the production environment where all software testing is performed before going live.

Verifier

The person or team that is reviewing an application against the OWASP MASVS requirements.

Whitelist

A list of permitted data or operations, for example a list of characters that are allowed to perform input validation.

X.509 Certificate

An X.509 certificate is a digital certificate that uses the widely accepted international X.509 public key infrastructure (PKI) standard to verify that a public key belongs to the user, computer or service identity contained within the certificate.