Appendix A - Glossary
A technique to make exploiting memory corruption bugs more difficult.
Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than on, for example, the underlying operating system or connected networks.
The technical assessment of an application against the OWASP MASVS.
A report that documents the overall results and supporting analysis produced by the verifier for a particular application.
The verification of the claimed identity of an application user.
The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems.
A method of software testing that examines the functionality of an application without peering into its internal structures or workings.
A self-contained unit of code, with associated disk and network interfaces, that communicates with other components.
A security vulnerability typically found in web applications allowing the injection of client-side scripts into content.
Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys.
CWE is a community-developed list of common software security weaknesses. It serves as a common language, a measuring stick for software security tools, and as a baseline for weakness identification, mitigation, and prevention efforts.
Dynamic application security testing (DAST) technologies are designed to detect conditions indicative of a security vulnerability in an application in its running state.
The technical assessment of the security architecture of an application.
The use of automated tools that use vulnerability signatures to find problems during the execution of an application.
A unique reference number used as an identifier in software.
An application protocol for distributed, collaborative, hypermedia information systems. It is the foundation of data communication for the World Wide Web.
Cryptographic keys that are stored on the device itself.
Inter-Process Communication (IPC): processes communicate with each other and with the kernel to coordinate their activities.
The canonicalization and validation of untrusted user input.
Java bytecode is the instruction set of the Java Virtual Machine (JVM). Each bytecode is composed of one or, in some cases, two bytes that represent the instruction (opcode), along with zero or more bytes for passing parameters.
Code introduced into an application during its development unbeknownst to the application owner, which circumvents the application's intended security policy. Not the same as malware such as a virus or worm!
Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator.
The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks. See: https://www.owasp.org/
PII is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.
Position-independent executable (PIE) is a body of machine code that, being placed somewhere in the primary memory, executes properly regardless of its absolute address.
A PKI is an arrangement that binds public keys with respective identities of entities. The binding is established through a process of registration and issuance of certificates at and by a certificate authority (CA).
Static application security testing (SAST) is a set of technologies designed to analyze application source code, byte code and binaries for coding and design conditions that are indicative of security vulnerabilities. SAST solutions analyze an application from the "inside out" in a non-running state.
Software development lifecycle.
An abstraction of an application's design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data.
The runtime configuration of an application that affects how security controls are used.
A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record).
A code injection technique used to attack data driven applications, in which malicious SQL statements are inserted into an entry point.
Single Sign-On (SSO) occurs when a user logs in to one Client and is then signed in to other Clients automatically, regardless of the platform, technology, or domain the user is using. For example, when you log in to Google you are automatically logged in to YouTube, Docs and Mail.
A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets.
Cryptographic protocols that provide communication security over the Internet.
A Uniform Resource Identifier (URI) is a string of characters used to identify a name or a web resource. A Uniform Resource Locator (URL) is often used as a reference to a resource.
Traditionally, a test environment that behaves like the production environment, where all software testing is performed before going live.
The person or team that is reviewing an application against the OWASP MASVS requirements.
A list of permitted data or operations, for example a list of allowed characters used to perform input validation.
An X.509 certificate is a digital certificate that uses the widely accepted international X.509 public key infrastructure (PKI) standard to verify that a public key belongs to the user, computer or service identity contained within the certificate.