Manufacturing to meet an immediate requirement, not in surplus or in advance of need.

Controlling who has access to a computer or online service and the information it stores.

Application penetration testing is a type of penetration testing that focuses on identifying vulnerabilities that may be introduced during the development or deployment of an application. The application tested could be a mobile, thick client, or web based.

Modes of testing could include:

• Static analysis of code
• Dynamic analysis of the application while running
• Interactive analysis of both

The scope of application testing should be based on multiple considerations to ensure all potential threat vectors are analyzed. Identified vulnerabilities are then verified and remediation efforts are prioritized according to risk in order to reduce the likelihood that the application will be compromised.

Application security testing guides the remediation of vulnerabilities in web servers, mobile applications, thick clients, and other applications. To protect sensitive assets, a thorough testing process may include automated scans, penetration testing, and ethical hacking to locate security gaps or errors in business logic. Application security testing is required of many businesses for regulatory compliance, particularly in the case of protected health information (PHI) and payment card industry (PCI) data.

Customer trust, protection of intellectual property or financial assets, and continuity of operations also depend on ensuring the security of applications. See application penetration testing and ethical hacking tools for more information.

Application security testing services includes both manual and automated testing analysis methods to identify vulnerabilities. A third-party service provider typically brings their own processes, methodologies, tools, and reports to perform the testing, as well as expertise in penetration testing and a knowledge of the wider world of security threats.

Something of value to a person, business or organization.

The process to verify that someone is who they claim to be when they try to access a computer or online service.

To make a copy of data stored on a computer or server to lessen the potential impact of failure or loss.

The authorised use of personally owned mobile devices such as smartphones or tablets in the workplace.

High-speed data transmission system where the communications circuit is shared between multiple users.

Preparing for and maintaining continued business operations following disruption or crisis.

Declaration that specified requirements have been met.

An independent organization that provides certification services.

A payment card transaction where the supplier initially receives payment but the transaction is later rejected by the cardholder or the card issuing company. The supplier’s account is then debited with the disputed amount.

Delivery of storage or computing services from remote servers online (ie via the internet).

A structure and series of requirements defined by the International Organization for Standardization, that are being incorporated in all management system International Standards as they are revised.

A computer or program that provides other computers with access to shared files over a network.

Confirmation issued by the supplier of a product that specified requirements have been met.

Segment of a network where servers accessed by less trusted users are isolated. The name is derived from the term “demilitarised zone”.

The transformation of data to hide its information content.

Communications architecture for wired local area networks based uponIEEE 802.3 standards.

Ethical hacking tools are designed to test for potential vulnerabilities via various threat vectors, including network hardware and configuration, software, and social vectors that targeting end users. Tools used by an ethical hacking service could include tools that scan for vulnerabilities, decode or steal passwords, attempt web application attacks, and other methods of probing the weaknesses of an organization’s environment and/or security staff. Expert use of ethical hacking tools reduces the risk of harming the environment during testing.

Hardware or software designed to prevent unauthorised access to a computer or network from another computer or network.

The comparison of actual performance against expected or required performance.

Someone who violates computer security for malicious reasons, kudos or personal gain.

The permanent storage medium within a computer used to store programs and data.

The process of recognising a particular user of a computer or online service.

Provision of computing infrastructure (such as server or storage capacity) as a remotely provided service accessed online (ie via the internet).

A declaration issued by an interested party that specified requirements have been met.

Chat conversations between two or more people via typing on computers or portable devices.

Internal penetration testing identifies possible vectors a malicious actor would use to exploit weaknesses inside an organization’s systems, persons, or processes. Internal penetration testing is essential to limiting risks from common exploits used to acquire legitimate credentials and to find new or previously unknown routes of compromise. Internal attacks can take months to identify and can expose the most sensitive or valuable assets in an organization. Understanding the specific risks associated with an internal attack is a fundamental element of a comprehensive security assessment.

Company that provides access to the internet and related services.

Program or device used to detect that an attacker is or has attempted unauthorised access to computer resources.

Intrusion detection system that also blocks unauthorised access when detected.

A virus or physical device that logs keystrokes to secretly capture private information such as passwords or credit card details.

Communications link between two locations used exclusively by one organization. In modern communications, dedicated bandwidth on a shared link reserved for that user.

Communications network linking multiple computers within a defined location such as an office building.

Malware (ie malicious software) that uses the macro capabilities of common applications such as spreadsheets and word processors to infect data.

Software intended to infiltrate and damage or disable computers. Shortened form of malicious software.

A set of processes used by an organisation to meet policies and objectives for that organisation.

Device that controls traffic to and from a network.

Network penetration testing is a type of penetration testing that focuses on systems and infrastructure to provide guidance on prioritization for hardening weaknesses and eliminating gaps in network security. Network penetration testing can include both external and internal penetration testing. Elements of network penetration testing include:

• Scanning for known vulnerabilities
• Finding vulnerabilities due to missing patches or weak configurations
• Probing network access points
• Identifying false positives and negatives through in-depth testing

A network security assessment may refer to network security testing. However, an assessment may also refer to less intensive automated scans of a network without a full penetration test.

Network security testing identifies the means by which a malicious attacker could access an organization’s network, with either external or internal access. Network security testing is necessary for compliance with many industry-specific regulations, and for protection of sensitive information like protected health information (PHI), payment card industry (PCI) data, and an organization’s intellectual property. A comprehensive network security test could include:

• Scanning for known vulnerabilities
• Breach simulators
• Internal and external penetration testing
• Specialized testing to identify vulnerabilities that exist on a specific network

Network security testing services are usually provided by an outside vendor that brings its own processes, methodologies, tools, and reports to perform the testing. A testing service with expertise in internal- and external-network penetration testing, and knowledge of the wider world of cybersecurity issues can provide comprehensive testing, informed analysis, and consumable reporting.

Network security testing tools are designed to scan and test infrastructure and internal systems to identify vulnerabilities and prevent unauthorized access. Network security tools are used to find:

• Susceptibilities introduced by patches or version updates
• Weak configurations
• Coding flaws

Overlapping scans and manual penetration testing are essential elements of comprehensive network security testing.

Obtaining services by using someone else’s resources.

Making false representation that goods or services are those of another business.

A secret series of characters used to authenticate a person’s identity.

A penetration testing company provides application and infrastructure security services like vulnerability identification, security validation, business impact assessment, and support for resource prioritization. In order to provide a comprehensive view of an organization’s security weaknesses and software vulnerabilities, a penetration testing company (or pentesting company) will use a spectrum of methodologies including:

• Automated scanning
• Specialized penetration testing tools
• In-depth manual attacks
• Social engineering efforts

Software running on a PC that controls network traffic to and from that computer.

Personal data relating to an identifiable living individual.

Method used by criminals to try to obtain financial or other confidential information (including user names and passwords) from internet users, usually by sending an email that looks as though it has been sent by a legitimate organization (often a bank). The email usually contains a link to a fake website that looks authentic.

The provision of remote infrastructure allowing the development and deployment of new software applications over the internet.

A small, easily transportable computing device such as a smartphone, laptop or tablet computer.

Server that acts as an intermediary between users and others servers, validating user requests.

The recovery of data following computer failure or loss.

Something that could cause an organization not to meet one of its objectives.

The process of identifying, analysing and evaluating risk.

Device that directs messages within or between networks.

A virus or physical device that logs information sent to a visual display to capture private or personal information.

Something that modifies or reduces one or more security risks.

Process in which network information is aggregated, sorted and correlated to detect suspicious activities.

A security orchestration platform integrates the multiple security tools and resources an organization uses throughout the security management life-cycle. Integration of these tools allows a holistic approach to security management that promotes efficiencies while preventing gaps. A security orchestration platform eliminates the risks of a piece-meal approach to security while still providing flexibility in the choice of vendors, tools, and scanners to suit individual business needs.

Security orchestration tools allow an organization to coordinate and gain visibility into the tools, systems, and process that make up the security management life-cycle. Security orchestration tools replace emails, spreadsheets, and tickets that spread across multiple departments with a single and more secure, efficient, and accurate platform. Security orchestration tools also make the security management process highly scalable with consistent and repeatable workflows.

A well-defined boundary within which security controls are enforced.

Computer that provides data or services to other computers over a network.

A mobile phone built on a mobile computing platform that offers more advanced computing ability and connectivity than a standard mobile phone.

The delivery of software applications remotely by a provider over the internet; perhaps through a web interface.

Malware that passes information about a computer user’s activities to an external party.

Static application security testing (SAST) finds vulnerabilities and errors in the source code of applications in a non-running state, typically prior to deployment. Including SAST early in the software development life-cycle prevents costly last-minute fixes or damages to brand reputation when errors are not identified.

A set of organisations with linked resources and processes involved in the production of a product.

An ultra-portable, touch screen computer that shares much of the functionality and operating system of smartphones, but generally has greater computing power.

Something that could cause harm to a system or organization.

Threat and vulnerability management is the process through which an enterprise has a proactive, holistic approach to web security. Threat and vulnerability management includes the traditional tools and assessments associated with security testing, as well as prioritization of vulnerability remediation, more efficient security and testing workflows, threat intelligence and monitoring, and incident response.

A threat and vulnerability management program includes the tools, policies, processes, and resources involved in an organization’s threat response. As part of its resources, a vulnerability management program may include both internal stakeholders and third-party vendors as necessary to ensure appropriate expertise and necessary privacy protection are applied throughout the process.

A person who performs a cyber attack or causes an accident.

Obtaining evidence of identity by two independent means, such as knowing a password and successfully completing a smartcard transaction.

The record of a user kept by a computer to control their access to files and programs.

The short name, usually meaningful in some way, associated with a particular computer user.

Link(s) between computers or local area networks across different locations using a wide area network that cannot access or be accessed by other users of the wide area network.

Malware that is loaded onto a computer and then run without the user’s knowledge or knowledge of its full effects.

A flaw or weakness that can be used to attack a system or organization.

Vulnerability assessment tools are typically used at the beginning of the vulnerability management process to identify known vulnerabilities. Vulnerability assessment tools include application, network, social, and physical assessment tools.

Often an automated process, these tools search for specific vulnerabilities such as cross-site scripting (XSS), SQL injection, or insecure server configurations. Automated processes allow security professionals to focus on the manual testing work needed to provide more comprehensive security testing.

The vulnerability management process is the comprehensive, ongoing process of establishing a threat response methodology. The full process of vulnerability management constitutes a single cycle in a vulnerability management program, which includes:

• Planning
• Assessment
• Prioritizing
• Remediation

This cycle must be repeated over time to ensure that as threats evolve, the response evolves along with it.

Vulnerability management tools, including scanners, are used to identify and store vulnerability information. These tools are often specific to a scanner or vendor, and can create a challenge when integrating results into a broader analysis of security, or prioritizing the remediation of vulnerabilities.

Wireless local area network based uponIEEE 802.11standards.

Communications network linking computers or local area networks across different locations.

Malware that replicates itself so it can spread to infiltrate other computers