FIND ALL YOUR CYBER SECURITY ANSWERS ON OUR WIKI PAGE
The Cert2Connect wiki for a clear overview of terminology and the many abbreviations in the cyber, cloud and software security landscape.
APPLICATION SECURITY
-
Ansible
Ansible is an open-source automation tool that simplifies the management and configuration of IT infrastructure. It allows you to automate tasks, deploy applications, and manage systems in a more efficient and consistent way. Ansible uses a simple and human-readable language to define automation tasks, making it accessible to both developers and operations teams.
-
Apache Struts
Apache Struts is an open-source framework for developing web applications in the Java programming language. It provides a framework for building scalable and flexible applications based on the Model-View-Controller (MVC) design pattern. Struts supports forms processing, user input validation, and integration with other Java technologies, such as JavaServer Pages (JSP) and JavaServer Faces (JSF). It is widely used in the Java development community for its robustness and wide functionality.
-
Application Security
Application security is the practice of protecting computer applications from external security threats by using software, hardware, techniques, best practices and procedures. Application security encompasses the security considerations that take place during application development and design, as well as the systems and approaches to protect applications after they are deployed.
-
AppSec Awareness
AppSec Awareness refers to raising awareness of security in applications. It includes understanding the risks associated with developing, deploying and using software applications, as well as taking steps to mitigate those risks.
-
AWS CloudFormation
AWS CloudFormation is a service provided by Amazon Web Services (AWS) that enables you to provision and manage resources in an automated and consistent manner. It allows you to define your infrastructure as code using templates, making it easier to create, update, and delete AWS resources as part of your application deployment process.
-
AWS SAM
AWS SAM (Serverless Application Model) is an open-source framework provided by Amazon Web Services (AWS) to simplify the development, deployment, and management of serverless applications on AWS Lambda and other serverless services. SAM extends the capabilities of AWS CloudFormation to support the serverless paradigm, making it easier to define and manage serverless resources as code.
-
Azure Boards
Azure Boards is a work tracking system provided by Microsoft Azure DevOps Services (formerly known as Visual Studio Team Services) that helps software development teams plan, track, and manage work efficiently. It is a comprehensive solution for Agile project management and enables teams to collaborate, track progress, and deliver high-quality software.
-
CI-server
A "CI server," also known as a "Continuous Integration server," is a software tool that automates the process of continuous integration in software development. It is a critical component of a CI/CD (Continuous Integration/Continuous Deployment) pipeline.
The CI server monitors the source code repository for changes and triggers automated build and testing processes whenever new code is pushed. It helps ensure that code changes are integrated smoothly, and it quickly detects integration issues and regressions.
-
CI/CD-pipeline
"CI/CD pipeline" stands for "Continuous Integration/Continuous Deployment pipeline." It is a set of automated processes that help development teams build, test, and deploy software changes to production in a consistent and efficient manner. The pipeline encompasses a series of stages, from code integration and automated testing to deployment and monitoring.
-
Codebashing
"Codebashing" refers to a cybersecurity training platform that focuses on teaching developers secure coding practices. It offers interactive and hands-on training modules designed to help developers understand and mitigate security vulnerabilities and threats in their code.
The platform provides real-world scenarios, challenges, and simulations to help developers learn how to identify and address potential security issues, such as cross-site scripting (XSS), SQL injection, and more. Codebashing aims to integrate security awareness directly into the software development process, empowering developers to write more secure code from the outset.
-
Compliance
Compliance is a term used to describe how well an organization complies with the laws and regulations that apply to it. Compliance means that an organization is aware of the risks it runs if it does not comply with the rules, and that it takes measures to limit or prevent those risks. Compliance helps an organization to protect its reputation, customer satisfaction and financial results.
-
Container Security
"Container Security" refers to the practices and measures taken to secure containers and the applications running within them. Containers are lightweight, portable, and isolated environments that package an application along with its dependencies and runtime environment. Ensuring container security is essential to prevent unauthorized access, data breaches, and other security vulnerabilities.
-
Content Disarm and Reconstruction (CDR) solution
Content Disarm and Reconstruction (CDR) is a technique used to improve document security by removing or neutralizing dangerous content. CDR solutions analyze documents for dangerous content, such as malware or malicious links, and remove this content or replace it with safe alternatives. This technique can be used to protect documents sent via email or shared via a cloud storage service. CDR solutions can help reduce the risks of opening dangerous documents and infecting a computer or network with malware.
-
CVSS v3.0 Calculator
CVSS is an abbreviation for Common Vulnerability Scoring System. It is a method of assessing the severity of security issues in software. The CVSS v3.0 Calculator is a tool used to determine the CVSS score of a security issue. The calculator uses a number of factors, such as the impact of the issue on system security and the difficulty of exploiting the issue, to determine the CVSS score. The CVSS score can be used to help prioritize security vulnerabilities and determine what actions to take to resolve them.
-
Darkweb
The "dark web" refers to a part of the internet that is not indexed by traditional search engines and is not easily accessible through regular web browsers. It is a subset of the broader "deep web," which includes any online content that is not indexed by search engines, such as private databases, password-protected websites, and more. The dark web is often associated with anonymity, privacy, and a certain level of illicit activity.
-
DAST
Dynamic Application Security Testing (DAST) is a method of testing the security of an application while it is running and in use.
DAST uses automated tools to actively identify an application's security weaknesses while it is running and accessible through a web browser. The purpose of DAST is to find vulnerabilities that can be used by malicious people to gain access to sensitive information or to misuse the application.
DAST involves testing various security aspects of the application such as input validation, authentication and authorization, session management, and security configuration. By performing these tests, an organization can improve the security of their application and thus reduce the likelihood of security incidents.
-
DevOps
DevOps is a method in the software development and IT industry. It is a combination of development (Dev) and operations (Ops) that automates and integrates the processes between software developers and IT teams. The goal of DevOps is to increase the speed and quality of software delivery.
DevOps promotes collaboration, transparency, and continuous improvement among all roles involved in the software development lifecycle (SDLC).
-
DevSecOps
DevSecOps is a development approach that integrates security ("Sec" for "Security") into the entire software development process ("Dev" for "Development") using operational ("Ops") principles.
-
Docker
Docker is an open-source platform that automates the deployment, packaging, and management of applications inside lightweight, portable containers. Containers provide a consistent environment for applications to run, ensuring that they can work seamlessly across different computing environments, from development to production.
-
Dynamic Behavioral Analysis
Dynamic Behavioral Analysis is a method used to analyze the behavior of software programs and files to identify and block any threats. It is commonly used by security professionals to detect and prevent cyber-attacks.
-
GitHub
GitHub is a widely used web-based platform for version control and collaboration that enables developers to work together on software projects. It provides a range of tools and features to facilitate code sharing, collaboration, and project management.
-
GitLab
GitLab is a web-based platform for version control, continuous integration, and collaboration. Similar to GitHub, GitLab provides tools and features to help developers manage and collaborate on software projects, but it also includes built-in continuous integration and continuous deployment (CI/CD) capabilities.
-
Google Deployment Manager
Google Cloud Deployment Manager is a service provided by Google Cloud Platform (GCP) that allows you to define, deploy, and manage cloud resources using configuration files. It enables you to use Infrastructure as Code (IaC) principles to create and manage your cloud infrastructure in a consistent and repeatable manner.
-
HAR files
A HAR (HTTP Archive) file is a file format used to analyze the performance of websites. The file contains a detailed log of all HTTP requests sent and responses received while a web page is loading.
-
Helm
Helm is an open-source package manager for Kubernetes, a container orchestration platform. It simplifies the deployment and management of applications and services in Kubernetes clusters by providing a way to define, package, and distribute Kubernetes resources as "charts." Helm charts encapsulate all the necessary components, configurations, and dependencies needed to deploy an application in a consistent and repeatable manner.
-
IAST
IAST stands for Interactive Application Security Testing. It is a technique used to test and improve the security of web applications. The technique analyzes the runtime behavior of a web application to detect potential security vulnerabilities, such as SQL injections and cross-site scripting. IAST works by injecting an agent into the runtime environment of the web application, which makes it possible to monitor and analyze the behavior of the application while it is running. The results of the analysis are used to improve the security of the application and to comply with certain security standards.
-
IDE
An integrated development environment (IDE) is software that supports a software developer in developing software. It consists of a number of components that together form a software suite.
-
Indirect Code Execution
Indirect code execution refers to executing code from an external source, such as an input file, database, or external API, rather than writing the code directly into the program.
It is important to understand the risks of indirect code execution because malicious external sources can inject code and perform malicious activities on the system where the code is executed. It is therefore important to validate and sanitize such input before it is used or output, to ensure the safety of the system.
-
Infrastructure as Code (IaC)
Infrastructure as Code (IaC) is a concept within software development and system administration where infrastructure configuration and provisioning are treated as programmable code. With IaC, system administrators and developers can define, deploy, and manage infrastructure resources, such as virtual machines, networks, storage, and more, using code.
-
Jira
Jira is a popular issue and project tracking software developed by Atlassian. It is widely used by software development and project management teams to plan, track, and manage work in an organized and efficient manner.
-
Kubernetes
Kubernetes, often abbreviated as "K8s," is an open-source container orchestration platform developed by Google. It automates the deployment, scaling, and management of containerized applications. Kubernetes provides a framework for managing and orchestrating containers in a clustered environment, making it easier to deploy and operate complex microservices architectures.
-
Managed Security Service Provider (MSSP)
A Managed Security Service Provider (MSSP) is an external service provider that offers specialized security services to organizations. MSSPs provide comprehensive security solutions and services to help businesses monitor, detect, prevent, and respond to cyber threats and security incidents. This enables organizations to reduce the complexity of security management and access expertise and resources they may not have in-house.
-
Microsoft ARM
Microsoft ARM (Azure Resource Manager) is the cloud management service used in Microsoft Azure for provisioning and managing resources. It provides a unified way to create, update, and manage resources in Azure by grouping them into resource groups and enabling you to define their configurations as JSON templates.
-
Microsoft DREAD
Microsoft DREAD is a framework for assessing the risks of software vulnerabilities.
-
NIST
The National Institute of Standards and Technology (NIST) is a scientific institution under the United States federal government. NIST is committed to standardization in science, such as defining units.
NIST was founded in 1901 under the name National Bureau of Standards (NBS). In 1988, the institution received its current name.
-
OpenAPI 3.0
OpenAPI 3.0, also known as OpenAPI Specification (OAS) 3.0 or Swagger 3.0, is a standardized specification for defining and documenting RESTful APIs. It provides a way to describe the structure, behavior, and interactions of APIs, making it easier for developers to understand and use them.
-
OWASP
OWASP (Open Web Application Security Project) is an international non-profit organization dedicated to improving the security of software applications. OWASP aims to help organizations identify and mitigate security risks in their software applications.
-
Penetration Test or Pentest
A penetration test is a test performed to evaluate the security of a system. It is also referred to as a "pen test" and its purpose is to identify vulnerabilities that can be exploited by attackers. During the test, an attempt is made to break into the system in order to discover the weaknesses and report them to the owner of the system. A penetration test can be performed by a specialist company or by an internal security team.
-
PII
PII stands for "Personally Identifiable Information", also rendered as "Personally Identifiable Data".
-
Repositories
In the context of software development and version control, a repository (often abbreviated as "repo") is a centralized location or storage space where code, files, and other resources related to a project are stored and managed. Repositories are fundamental to modern software development practices and enable collaborative development, version tracking, and code management.
-
SAML/SSO
SAML (Security Assertion Markup Language) and SSO (Single Sign-On) are widely used by companies and organizations that want to offer their employees a secure and efficient way to log in to various systems and applications. With SSO, employees do not have to log in to each system separately and can quickly and easily access the systems they need.
-
Sandbox
A sandbox is a closed and secure environment in which software can be tested without harming the system it is running on.
-
SAST
SAST stands for Static Application Security Testing. It is a type of security test that analyzes the source code of an application to identify potential security vulnerabilities. SAST tools can analyze code for common security flaws such as buffer overflows, SQL injection, and cross-site scripting. The main advantage of SAST is that it can identify security vulnerabilities early in the development process, allowing developers to fix them before deploying the application. However, SAST has some limitations, such as the inability to identify certain types of security vulnerabilities, such as those that require runtime data.
-
SBOM
An SBOM (Software Bill of Materials) is a structured list of components used in building a piece of software. Just as a manufacturing bill of materials lists all the parts and materials needed to make a product, an SBOM provides a comprehensive overview of all software components that make up a software application.
-
SCA
"SCA" stands for "Static Code Analysis." It refers to the process of analyzing source code without executing it, typically as part of a software development or quality assurance process. Static code analysis tools examine the code for potential defects, vulnerabilities, code smells, and adherence to coding standards.
Static code analysis helps identify issues early in the development lifecycle, allowing developers to address them before the code is deployed or released. This approach can lead to improved code quality, reduced software vulnerabilities, and better maintainability.
-
SCM
"SCM" stands for "Source Code Management." It refers to the practices and tools used to manage and control changes to source code during software development. SCM encompasses a set of processes and methodologies that help developers track, version, collaborate on, and maintain their codebase.
SCM includes features like version control, branching, merging, change tracking, and collaboration. It ensures that multiple developers can work on the same codebase simultaneously, manage different versions of the code, and coordinate their contributions effectively.
Popular SCM tools include Git, Subversion (SVN), Mercurial, and Perforce. These tools provide the infrastructure for versioning code, managing branches, and facilitating collaboration among development teams.
-
SDLC
SDLC stands for Software Development Life Cycle and is a process used in software development to ensure that the final product is of high quality and meets user needs. The SDLC process usually includes the following phases: planning, design, development, testing, implementation, and maintenance.
-
Security-by-design
"Security-by-design" is a principle and approach in which security considerations are integrated into every stage of the design and development process of software, systems, applications, or products. The goal of security-by-design is to ensure that security measures and safeguards are built into the foundation of a solution rather than added as an afterthought.
-
SQL injections
An SQL injection is a vulnerability in a website or application that allows malicious users to enter and execute malicious SQL code through input fields or URL parameters. This allows them to access sensitive information or even manipulate the entire database of the website or application.
-
Terraform
Terraform is an open-source infrastructure as code (IaC) tool created by HashiCorp. It allows developers and operators to define and manage infrastructure resources using declarative configuration files. Terraform enables you to provision, manage, and update infrastructure components across various cloud providers and on-premises environments.
-
Third-party risks
Third-party risks refer to the risks that arise when an organization engages a third party to perform certain tasks or provide services. These risks can relate to various areas, including legal issues, financial risks, reputational risks and operational risks.
-
TPRM
TPRM stands for Third Party Risk Management. This is a process by which organizations identify, assess and manage the risks associated with outsourcing activities or services to external parties.
TPRM helps organizations ensure the quality, compliance and performance of their suppliers and avoid potential reputational damage, financial loss or legal disputes.
-
Vulnerability management
Vulnerability management is the process of identifying, analyzing and remediating vulnerabilities in systems, networks and applications. The goal of vulnerability management is to improve the security and resilience of the organization by reducing the risk of cyber-attacks. Vulnerability management includes regularly scanning the IT environment, prioritizing the vulnerabilities found based on their severity and impact, and implementing appropriate measures to fix or mitigate them.
-
YAML
YAML (YAML Ain't Markup Language) is a human-readable data serialization format commonly used for configuration files, data exchange, and other structured text-based tasks. It is often used in software development for defining settings, configurations, and data structures in a clear and concise manner.