Manufacturing to meet an immediate requirement, not in surplus or in advance of need.
Controlling who has access to a computer or online service and the information it stores.
Application penetration testing is a type of penetration testing that focuses on identifying vulnerabilities that may be introduced during the development or deployment of an application. The application tested could be a web, mobile, or thick client application.
Modes of testing could include:
- Static analysis of code
- Dynamic analysis of the application while running
- Interactive analysis of both
The scope of application testing should be based on multiple considerations to ensure all potential threat vectors are analyzed. Identified vulnerabilities are then verified and remediation efforts are prioritized according to risk in order to reduce the likelihood that the application will be compromised.
Application security testing guides the remediation of vulnerabilities in web servers, mobile applications, thick applications, and other applications. To protect sensitive assets, a thorough testing process may include automated scans, penetration testing, and ethical hacking to locate security gaps or errors in business logic. Application security testing is required of many businesses for regulatory compliance, particularly in the case of protected health information (PHI) and payment card industry (PCI) data.
Customer trust, protection of intellectual property or financial assets, and continuity of operations also depend on ensuring the security of applications. See application penetration testing and ethical hacking tools for more information.
Application Security Testing Services: Application security testing services include both manual and automated analysis methods to identify vulnerabilities. A third-party service provider typically brings its own processes, methodologies, tools, and reports to perform the testing, as well as expertise in penetration testing and knowledge of the wider world of security threats.
Asset: Something of value to a person, business or organization.
Authentication: The process to verify that someone is who they claim to be when they try to access a computer or online service.
To make a copy of data stored on a computer or server to lessen the potential impact of failure or loss.
Bring your own device (BYOD): The authorised use of personally owned mobile devices such as smartphones or tablets in the workplace.
Broadband: High-speed data transmission system where the communications circuit is shared between multiple users.
Business continuity management: Preparing for and maintaining continued business operations following disruption or crisis.
Declaration that specified requirements have been met.
Certification body: An independent organization that provides certification services.
Chargeback: A payment card transaction where the supplier initially receives payment but the transaction is later rejected by the cardholder or the card issuing company. The supplier’s account is then debited with the disputed amount.
Cloud computing: Delivery of storage or computing services from remote servers online (ie via the internet).
Common text: A structure and series of requirements defined by the International Organization for Standardization, that are being incorporated in all management system International Standards as they are revised.
A computer or program that provides other computers with access to shared files over a network.
Declaration of conformity: Confirmation issued by the supplier of a product that specified requirements have been met.
DMZ: Segment of a network where servers accessed by less trusted users are isolated. The name is derived from the term “demilitarised zone”.
The transformation of data to hide its information content.
Ethernet: Communications architecture for wired local area networks based upon IEEE 802.3 standards.
Ethical Hacking Tools: Ethical hacking tools are designed to test for potential vulnerabilities via various threat vectors, including network hardware and configuration, software, and social vectors that target end users. Tools used by an ethical hacking service could include tools that scan for vulnerabilities, decode or steal passwords, attempt web application attacks, and other methods of probing the weaknesses of an organization’s environment and/or security staff. Expert use of ethical hacking tools reduces the risk of harming the environment during testing.
Hardware or software designed to prevent unauthorised access to a computer or network from another computer or network.
The comparison of actual performance against expected or required performance.
Someone who violates computer security for malicious reasons, kudos or personal gain.
Hard disk: The permanent storage medium within a computer used to store programs and data.
The process of recognising a particular user of a computer or online service.
Infrastructure-as-a-service (IaaS): Provision of computing infrastructure (such as server or storage capacity) as a remotely provided service accessed online (ie via the internet).
Inspection certificate: A declaration issued by an interested party that specified requirements have been met.
Instant messaging: Chat conversations between two or more people via typing on computers or portable devices.
Internal penetration testing identifies possible vectors a malicious actor would use to exploit weaknesses inside an organization’s systems, persons, or processes. Internal penetration testing is essential to limiting risks from common exploits used to acquire legitimate credentials and to find new or previously unknown routes of compromise. Internal attacks can take months to identify and can expose the most sensitive or valuable assets in an organization. Understanding the specific risks associated with an internal attack is a fundamental element of a comprehensive security assessment.
Internet service provider (ISP): Company that provides access to the internet and related services.
Intrusion detection system (IDS): Program or device used to detect that an attacker is attempting or has attempted unauthorised access to computer resources.
Intrusion prevention system (IPS): Intrusion detection system that also blocks unauthorised access when detected.
A virus or physical device that logs keystrokes to secretly capture private information such as passwords or credit card details.
Communications link between two locations used exclusively by one organization. In modern communications, dedicated bandwidth on a shared link reserved for that user.
Local area network (LAN): Communications network linking multiple computers within a defined location such as an office building.
Malware (ie malicious software) that uses the macro capabilities of common applications such as spreadsheets and word processors to infect data.
Malware: Software intended to infiltrate and damage or disable computers. Shortened form of malicious software.
Management system: A set of processes used by an organisation to meet policies and objectives for that organisation.
Device that controls traffic to and from a network.
Network penetration testing is a type of penetration testing that focuses on systems and infrastructure to provide guidance on prioritization for hardening weaknesses and eliminating gaps in network security. Network penetration testing can include both external and internal penetration testing. Elements of network penetration testing include:
- Scanning for known vulnerabilities
- Finding vulnerabilities due to missing patches or weak configurations
- Probing network access points
- Identifying false positives and negatives through in-depth testing
Related terms:
Network Security Assessment: A network security assessment may refer to network security testing. However, an assessment may also refer to less intensive automated scans of a network without a full penetration test.
Network Security Testing: Network security testing identifies the means by which a malicious attacker could access an organization’s network, with either external or internal access. Network security testing is necessary for compliance with many industry-specific regulations, and for protection of sensitive information like protected health information (PHI), payment card industry (PCI) data, and an organization’s intellectual property. A comprehensive network security test could include:
- Scanning for known vulnerabilities
- Breach simulators
- Internal and external penetration testing
- Specialized testing to identify vulnerabilities that exist on a specific network
Network security testing services are usually provided by an outside vendor that brings its own processes, methodologies, tools, and reports to perform the testing. A testing service with expertise in internal- and external-network penetration testing, and knowledge of the wider world of cybersecurity issues can provide comprehensive testing, informed analysis, and consumable reporting.
Network Security Testing Tools: Network security testing tools are designed to scan and test infrastructure and internal systems to identify vulnerabilities and prevent unauthorized access. Network security tools are used to find:
- Susceptibilities introduced by patches or version updates
- Weak configurations
- Coding flaws
Overlapping scans and manual penetration testing are essential elements of comprehensive network security testing.
Obtaining services by using someone else’s resources.
Making false representation that goods or services are those of another business.
Password: A secret series of characters used to authenticate a person’s identity.
Penetration Testing Company: A penetration testing company provides application and infrastructure security services like vulnerability identification, security validation, business impact assessment, and support for resource prioritization. In order to provide a comprehensive view of an organization’s security weaknesses and software vulnerabilities, a penetration testing company (or pentesting company) will use a spectrum of methodologies including:
- Automated scanning
- Specialized penetration testing tools
- In-depth manual attacks
- Social engineering efforts
Software running on a PC that controls network traffic to and from that computer.
Personal information: Personal data relating to an identifiable living individual.
Phishing: Method used by criminals to try to obtain financial or other confidential information (including user names and passwords) from internet users, usually by sending an email that looks as though it has been sent by a legitimate organization (often a bank). The email usually contains a link to a fake website that looks authentic.
Platform-as-a-service (PaaS): The provision of remote infrastructure allowing the development and deployment of new software applications over the internet.
Portable device: A small, easily transportable computing device such as a smartphone, laptop or tablet computer.
Proxy server: Server that acts as an intermediary between users and other servers, validating user requests.
The recovery of data following computer failure or loss.
Risk: Something that could cause an organization not to meet one of its objectives.
Risk assessment: The process of identifying, analysing and evaluating risk.
Router: Device that directs messages within or between networks.
A virus or physical device that logs information sent to a visual display to capture private or personal information.
Security control: Something that modifies or reduces one or more security risks.
Security information and event management (SIEM): Process in which network information is aggregated, sorted and correlated to detect suspicious activities.
A security orchestration platform integrates the multiple security tools and resources an organization uses throughout the security management life-cycle. Integration of these tools allows a holistic approach to security management that promotes efficiencies while preventing gaps. A security orchestration platform eliminates the risks of a piecemeal approach to security while still providing flexibility in the choice of vendors, tools, and scanners to suit individual business needs.
Security Orchestration Tools: Security orchestration tools allow an organization to coordinate and gain visibility into the tools, systems, and processes that make up the security management life-cycle. Security orchestration tools replace emails, spreadsheets, and tickets spread across multiple departments with a single, more secure, efficient, and accurate platform. Security orchestration tools also make the security management process highly scalable with consistent and repeatable workflows.
Security perimeter: A well-defined boundary within which security controls are enforced.
Server: Computer that provides data or services to other computers over a network.
Smartphone: A mobile phone built on a mobile computing platform that offers more advanced computing ability and connectivity than a standard mobile phone.
Software-as-a-service (SaaS): The delivery of software applications remotely by a provider over the internet, often through a web interface.
Spyware: Malware that passes information about a computer user’s activities to an external party.
Static Application Security Testing: Static application security testing (SAST) finds vulnerabilities and errors in the source code of applications in a non-running state, typically prior to deployment. Including SAST early in the software development life-cycle prevents costly last-minute fixes or damage to brand reputation when errors are not identified.
Supply chain: A set of organisations with linked resources and processes involved in the production of a product.
An ultra-portable, touch screen computer that shares much of the functionality and operating system of smartphones, but generally has greater computing power.
Threat: Something that could cause harm to a system or organization.
Threat and vulnerability management is the process through which an enterprise has a proactive, holistic approach to web security. Threat and vulnerability management includes the traditional tools and assessments associated with security testing, as well as prioritization of vulnerability remediation, more efficient security and testing workflows, threat intelligence and monitoring, and incident response.
A threat and vulnerability management program includes the tools, policies, processes, and resources involved in an organization’s threat response. As part of its resources, a vulnerability management program may include both internal stakeholders and third-party vendors as necessary to ensure appropriate expertise and necessary privacy protection are applied throughout the process.
Threat actor: A person who performs a cyber attack or causes an accident.
Two-factor authentication: Obtaining evidence of identity by two independent means, such as knowing a password and successfully completing a smartcard transaction.
The record of a user kept by a computer to control their access to files and programs.
Username: The short name, usually meaningful in some way, associated with a particular computer user.
Link(s) between computers or local area networks across different locations using a wide area network that cannot access or be accessed by other users of the wide area network.
Virus: Malware that is loaded onto a computer and then run without the user’s knowledge or knowledge of its full effects.
Vulnerability: A flaw or weakness that can be used to attack a system or organization.
Vulnerability assessment tools are typically used at the beginning of the vulnerability management process to identify known vulnerabilities. Vulnerability assessment tools include application, network, social, and physical assessment tools.
Often an automated process, these tools search for specific vulnerabilities such as cross-site scripting (XSS), SQL injection, or insecure server configurations. Automated processes allow security professionals to focus on the manual testing work needed to provide more comprehensive security testing.
Vulnerability Management Process: The vulnerability management process is the comprehensive, ongoing process of establishing a threat response methodology. The full process of vulnerability management constitutes a single cycle in a vulnerability management program, which includes:
- Planning
- Assessment
- Prioritizing
- Remediation
This cycle must be repeated over time to ensure that as threats evolve, the response evolves along with it.
Vulnerability Management Tools: Vulnerability management tools, including scanners, are used to identify and store vulnerability information. These tools are often specific to a scanner or vendor, and can create a challenge when integrating results into a broader analysis of security, or prioritizing the remediation of vulnerabilities.
Wireless local area network based upon IEEE 802.11 standards.
Wide area network (WAN): Communications network linking computers or local area networks across different locations.
Worm: Malware that replicates itself so it can spread to infiltrate other computers.