Glossary A Flashcards
Expanding on functional testing to include operations outside of the intended use of an application in order to test for security flaws or application stability problems
Abuse case testing
Modern approach to development that uses an iterative process of “sprints” to segment coding and features into manageable chunks
Agile
Value derived by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO). ALE = SLE x ARO
ALE (annualized loss expectancy)
A tool that sits between client systems and the back-end services they call via API requests in order to serve as a reverse proxy for security and performance capabilities
API Gateway
A set of functions, routines, tools or protocols for building applications. Allows for interaction between systems and applications that can be leveraged by developers as building blocks for their applications and data access through a common method, without custom coding for each integration
Application Programming Interface (API)
Estimated number of the times a threat will successfully exploit a given vulnerability over the course of a single year
ARO (Annualized rate of occurrence)
A threat-modeling approach composed of Architecture, Threats, Attack Surfaces, and Mitigations
ATASM
The ability to properly capture, analyze, and report on any and all events that happen within a system or application, such as data access and modification, user actions and processes, controls and compliance, and regulatory and contractual compliance
Auditability
The process of evaluating credentials presented by a user, application, or service to prove its identity as compared to values already known and verified by the authentication system
Authentication
The process of granting or denying access to a system, network, or application after successful authentication has been performed, based on approved criteria set by policy or regulation
Authorization
Means or method of accessing a system or application while bypassing the typical and required authentication and authorization methods. Can be unauthenticated methods discovered by malicious actors to get into a system, or they can be methods purposefully employed by developers or support staff to access systems for maintenance or other support activities. Created by developers or hackers.
Backdoor
Part of the change management process, which establishes an agreed-upon standard configuration and the attributes that comprise it and forms the basis for managing change from that point forward
Baseline
Heavily fortified system that serves as a jump box or proxy between an untrusted network and trusted networks
bastion host
Refers to collection, processing, and analysis of data sets that are so large that traditional data processing and analysis tools are inadequate to properly handle them. Often applied in regard to predictive analysis and user analytics of data sets rather than referring to a specific size of the data involved.
Big Data
The practice of allowing employees of an organization to use their own computers, phones, tablets or other electronic resources to access official computing resources, rather than using devices provided and supported by the organization.
Bring your own device (BYOD)
The capability of an organization to continue the operation of systems or applications at a predetermined level after an incident or a disruption of service
Business Continuity
A process designed to identify risks, threats, and vulnerabilities that could disrupt or impact services, with the intent of determining mitigation strategies and response processes should they occur
Business continuity management
A developed and tested document, containing information from stakeholders and staff, for the continuation of operations and services in the event of a disruption or incident
Business continuity plan
A structured methodology to identify and evaluate the possible risks and threats that operations or services could be impacted by, as well as the possible or likely extent of impact and disruption
Business Impact Analysis (BIA)
Formal documentation showing the chronological control and disposition of data or evidence, either physical or electronic. Includes creation, all changes of possession, and final disposition. It is absolutely essential to maintain the integrity of evidence and its admissibility in legal proceedings.
Chain of custody
Group that assists the change team and change management process by evaluating, prioritizing, and approving change requests
Change Advisory Board (CAB)
Individual with a role in the change management process who ensures the overall change process is properly executed. This person also directly handles low-level tasks related to the change process.
Change Manager
A software tool or service that sits between cloud resources and the clients or systems accessing them. It serves as a gateway that can perform a variety of security and policy enforcement functions. Can consolidate and perform the functions of firewalls and web application firewalls as well as provide authentication and data loss prevention capabilities.
Cloud Access Security Broker (CASB)
Application that is never installed on a local server or desktop but is instead accessed via network or the Internet. Merges the functionality of a local application with the accessibility of a web-based application
Cloud Application
Within a PaaS implementation, this serves as the framework and specification for managing platform services, encompassing a RESTful protocol for managing services, the model for describing and documenting the components that comprise the platform, and the language describing the overall platform, its components and services, and the metadata about it
Cloud Application Management for Platforms (CAMP)
An auditor that is specifically responsible for conducting audits of cloud systems and cloud applications. Responsible for assessing the effectiveness of the cloud service and identifying control deficiencies between the cloud customer and the cloud provider, as well as the cloud broker if one is used
Cloud Auditor
The process of using a cloud-based backup system, with files and data being sent over the network to a public or private cloud provider for backup, rather than running traditional backup systems within a data center
Cloud Backup
A public or private cloud services organization that offers backup services to either the public or organizational clients, either on a free basis or using various costing models based on either the amount of data or number of systems
Cloud backup service provider
services that run within a public or private cloud offering backup solutions, either through client-based software that does automatic or scheduled backups or through manual backups initiated by a user or system
cloud backup solutions
a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computer resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. Cloud model is composed of five essential characteristics, three service models, and four deployment models
Cloud Computing
An organization that sells and offers cloud services, and possibly cloud support services, to various organizations and works as a middleman between the cloud customer and cloud provider
Cloud Computing reseller
A formally published guide by the Cloud Security Alliance that enables cloud customers to evaluate a prospective cloud provider in regard to its security posture. Allows a cloud provider to structure its security approach.
Cloud Controls Matrix (CCM)
An organization or individual that utilizes and consumes resources and services from a cloud provider. This can be in the form of free public services and systems or private and fee-based applications or solutions.
Cloud Customer
The ability to move data between cloud providers
Cloud data portability
A database that is installed in a cloud environment and accessed via the network or the Internet by a user or application. Elasticity, scalability, and high availability can be achieved and maximized.
Cloud database
How cloud computing is delivered through a set of particular configurations and features of virtual resources. The cloud deployment models are public, private, hybrid, and community.
Cloud Deployment Model
The creation of a public cloud environment through the offering of services or infrastructure
Cloud enablement
The oversight and operations management of a cloud environment by the cloud service provider, whether it is a public or private cloud environment
Cloud Management
The process of moving services, systems, applications, or data from a traditional data center hosting model into a cloud environment
Cloud migration
Used to denote an operating system in a Platform as a Service (PaaS) implementation and signify the implementation within a cloud environment
Cloud Operating System
A service provider that makes storage or software applications available via the Internet or private networks to customers. Since applications are offered as a service, the platform and underlying software, as well as operations and security systems, are maintained by the provider and abstracted from the customers
Cloud Provider
The process of allocating cloud resources from the cloud provider to the cloud customers based on specific requests and requirements of the customers as far as the number of virtual machines and their specific computing resources
Cloud Provisioning
The most prominent and well-known organization to raise awareness of best practices for security within a cloud environment
Cloud Security Alliance (CSA)
The hosting and location of servers within a virtualized cloud environment, rather than the virtual or physical hosting that’s done in a traditional data center
Cloud Server Hosting
Capabilities offered via a cloud provider and accessible via a client
Cloud service
A partner that servers as an intermediary between a cloud service customer and cloud service provider
Cloud Service Broker
A group of cloud services with a common set of features of qualities
Cloud Service Category
One that holds a relationship with either a cloud service provider or a cloud service customer to assist with cloud services and their delivery
Cloud Service Partner
One that interacts with and consumes services offered by a cloud service provider
Cloud Service user
The testing of systems, services, or applications by leveraging cloud platforms and resources to simulate the size and scale of real-world traffic and users
Cloud testing
Set of international guidelines and specifications for evaluation of IT security resources to ensure they meet an agreed-upon set of security standards, focused on government computing and security needs and requirements.The Common Criteria for Information Technology Security Evaluation is formalized as an international standard in ISO/IEC 15408
Common Criteria
Cloud infrastructure provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns. Owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of these, and it may exist on or off premises.
Community Cloud
Allows for the execution of compute-intensive workloads to be performed in the cloud. Code can be executed in a serverless environment where the customer only pays for the computing time and cycles they consume, without the need for setting up server instances or environments
Compute as a Service (CaaS)
A paradigm that isolates the processing of data within protected CPU segments that are completely isolated from other users and systems
Confidential Computing
Establishing a controlled means of consistency throughout a systems lifecycle, based on its requirements and technical specifications, to properly ensure configuration controls, performance standards, and design requirements
Configuration management
A software package that contains all of the code, configurations, and libraries needed for an application to operate, packaged inside a single unit
Container
The process of taking logs from many different systems and putting them together based on a commonality in order to fully track a session or transaction
Correlation
Very common type of security vulnerability found with web applications, where an attacker can inject client-side scripts into web pages that are then viewed and executed by other users. The goal of this attack from an attacker’s perspective is to bypass the security controls of an application, such as an access control with a same-origin policy
Cross-site scripting (XSS)
Data that resides on a system in persistent storage, such as disks, tapes, databases, or any other type of storage device
data at rest (DAR)
Feature of cloud storage where data is spread across data centers or wide geographic areas for redundancy and speed. The degree of dispersion is typically based on the needs of the application and the level of service procured by the cloud customer
data dispersion
serverless, managed data processing service offered by a cloud provider for the execution of data pipelines
data flow
data that flows over a networked connection, either through public unsecured networks or internal protected corporate networks
data in transit (DIT)
data within a system or application that is currently being processed or is in use, either through the computing resources or residing in memory
data in use (DIU)
An overall strategy and process for ensuring that users cannot send sensitive or protected information outside of networks or systems that are secured and protected. This can be related to the intentional attempt by users to transfer such information, but it also applies to preventing the accidental sending or leakage of data.
Data loss prevention (DLP)
the ability to easily move data from one system to another without having to re-enter it
data portability
a suite of tools used to monitor database operations and functions in real time in order to detect security concerns or anomalies
database activity monitoring (DAM)
A subscription service where the database is installed, configured, secured, and maintained by the cloud provider, with the cloud customer only responsible for loading their schema and data
Database as a Service (DBaaS)
An attempt to make computing resources or a network unavailable to its intended users by denying legitimate traffic access totally or by degrading performance to unacceptable levels
denial-of-service (DoS) attack
A cloud-based equivalent of a traditional virtual desktop interface (VDI) that is hosted and managed by a cloud provider rather than on hardware owned by the customer
Desktop as a Service (DaaS)
Combines software development with IT operations, with a goal of shortening the software development time and providing optimal uptime and quality of service
DevOps
Process of integrating security at all levels and stages of development and operations to fully ensure best practices and a focus on security
DevSecOps
Information that specifically applies to a unique individual, such as name, address, phone number, e-mail address, or unique identifying numbers or codes.
Direct identifier
A utility from VMWare that balances computing demands and available resources within the virtualized environment
Distributed Resource Scheduler (DRS)
The testing of an application, while is, is in an operational state with currently running systems, applications, and networks
Dynamic Application Security Testing (DAST)
The process of moving and reallocating virtual machines and resources within a cluster environment to maintain optimal performance with balanced and distributed resource utilization
Dynamic optimization (DO)
A computing paradigm that is based on putting the processing of data and computing resources as close to the source of that data as possible
Edge computing
The process for a criminal or civil legal case where electronic data is determined, located, and secured to be used as evidence
eDiscovery
The process of encoding and securing data so that only authorized parties in possession of the correct information, credentials, or keys can access it
encryption
An application that runs on a large and distributed scale and is deemed mission critical to a company or organization
enterprise application
A cloud-based backup and recovery service that is related to and similar to those offered for personal use, but scaled and focused on large-scale and organizational-level service
enterprise cloud backup
Temporary, unstructured storage that is only used for a node or service while it is active and in use and then is destroyed upon being shut down or deleted
ephemeral storage
Free and open source software for utilizing Amazon Web Services (AWS) to build public and private cloud offerings. The use of this word is intended as an acronym for Elastic Utility Computing Architecture for Linking Your Programs To Useful Systems
Eucalyptus
An action or situation that is recognized by software that then causes some action or response by the software to be taken
event
The set of rules and procedures that govern civil legal proceedings in the United States federal courts to provide uniformity and efficiency in resolving legal matters and proceedings
Federal Rules of Civil Procedure (FRCP)
The set of rules that apply to United States federal courts for collecting evidence in a uniform and official manner
Federal Rules of Evidence (FRE)
A group of IT service providers that interoperate based on an agreed-upon set of standards and operations
federation
A security standard published by the United States federal government that pertains to the accreditation of cryptographic modules
FIPS 140-2
A part of a computing network, provided by either hardware or software implementations, that controls which network connections are allowed to be made in regard to origin, destination, and ports, while blocking all other inbound or outbound connections
firewall
the use of a location technology such as Wi-Fi, cellular networks, RFID tags, IP address locations, or GPS to control access or behavior of devices
geofencing
A physical device, typically a plug-in card or an external device, that attaches to a physical computer. It is used to perform encryption and decryption of digital signatures, authentication operations, and other services where cryptography is necessary
hardware security module (HSM)
taking data of an arbitrary type, length, or size and using a mathematical function to map the data to a value that is of fixed size. Can be applied to virtually any type of data objet – text strings, documents, images, binary data, and virtual machine images
hashing
This act provided incentives for healthcare providers to expand their use of technology, including the widespread adoption of electronic health record (EHR) systems
Health Information Technology for Economic and Clinical Health (HITECH) Act
This act requires the US Department of Health and Human Services to publish and enforce regulations pertaining to electronic health records and identifiers between patients, providers, and insurance companies. It is focused on the security controls and confidentiality of medical records, rather than the specific technologies used, so long as they meet the requirements of the regulation
Health Insurance Portability and Accountability Act (HIPAA)
A computer that is connected to a network and provides computing services to either users or other hosts on the network
host
A host-based intrusion detection system monitors the internal resources of a system for malicious attempts. It can also be used for packet inspection and network monitoring.
Host-based intrusion detection system (HIDS)
A cloud infrastructure composed of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (for example, cloud bursting for load balancing between clouds)
hybrid cloud
A virtual machine manager that allows and enables multiple virtual hosts to reside on the same physical host
hypervisor
A subscription-based service for Identity & Access Management (IAM) and single sign-on (SSO) that is offered over the internet versus deployed by the customer
Identity as a Service (IDaas)
A system responsible for determining the authenticity of a user or system, thus providing assurance to a service that the identity is valid and known and possibly providing additional information about the identity of the user or system to the service provider requesting it
identity provider (IdP)
An event that could potentially cause a disruption to an organization’s systems, services, or applications
incident
Pieces of information about an entity that cannot be used individually to identify that entity uniquely but can be used in combination to potentially do so. Examples include place of birth, race, employment history, and educational history
indirect identifiers
A subset of digital rights management that is focused on protecting sensitive information from unauthorized exposure or use
information rights management (IRM)
The capability provided to a consumer to provision processing, storage, networks, and other fundamental computing resources in order to deploy and run arbitrary software, including operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications – and possibly limited control of select networking components such as host firewalls
Infrastructure as a Service (IaaS)
A way of managing and provisioning infrastructure components through definition files, versus the traditional way of using configuration tools. Typically, administrators maintain definition files that contain all the options and settings needed to deploy virtual machines or other pieces of a virtual infrastructure.
Infrastructure as Code (IaC)
A method for monitoring an application while it is running and has processes interacting with it, continually scanning for any security vulnerabilities
Interactive Application Security Testing (IAST)
Refers to the extension of Internet connectivity to devices beyond traditional computing platforms. This can include home appliances, thermostats, sensors, lighting fixtures, and is very common within the scope of “smart home” technologies
Internet of Things (IoT)
The ease and ability to reuse components of a system or application regardless of the underlying system design and provider
Interoperability
A device, appliance, or software implementation that monitors servers, systems, or networks for malicious activities
intrusion detection system (IDS)
A network-baed appliance or software that examines network traffic for known exploits, or any attempts to use exploits, and actively stops them or blocks attempts
intrusion prevention system (IPS)
A formal specification for information security management systems that provides, through completion of a formal audit, certification from an accredited body for compliance.
ISO/IEC 27001 and 27001:2018
A collection of papers and concepts that lays out a vision for IT Service Management (ITSM) framework and IT services and user support
IT Infrastructure Library
the authority to exert regulatory and legal control over a defined area of responsibility. Can overlap between the local, state/province, and national levels
jurisdiction
A system or service that manages keys used for encryption within a system or application that is separate from the actual host system. Will generate, secure, and validate keys.
Key Management Service (KMS)
A metric that provides a quantitative value that can be used to evaluate how effectively key business requirements are being met
key performance indicator (KPI)
the process of collecting and preserving data as required by an official request from a legal authority
legal hold
a broad term that encompasses software, scripts, content, and executable code that takes the form of viruses, Trojan horses, ransomware, spyware, and other malicious programs that intend to steal information or computing resources
malware
A provider of IT services where the technology software, and operations are determined and managed away from the customer or user
managed service provider
the process of aligning data values and fields with specific definitions or requirements
mapping
A measure, typically in hours, of what the average time between failures is for a hardware component in order to determine its reliability
mean time between failures (MTBF)
A measure for hardware components of the typical or average time to repair and recover after a failure
mean time to repair (MTTR)
A cloud service that’s delivered and billed in a metered way
measured service
Data that gives additional or descriptive information about other data. This can be in the form of structural data that pertains to how the information is stored and represented or it can be descriptive data that contains information about the actual content of the data.
metadata
Cloud-based storage, typically used for mobile devices such as tablets, phones, and laptops, that enables the user to access their data from any network location and across multiple devices in a uniform way
mobile cloud storage
An encompassing term for a suite of policies, technologies, and infrastructure that enables an organization to manage and secure mobile devices that are granted access to its data across a homogenous environment. Accomplished by installing software on a mobile device that allows the IT department to enforce security configurations and policies, regardless of whether it is owned by the organization or is a private device owned by the user.
mobile device management
Having multiple customers and applications running within the same environment but in a way that they are isolated from each other and not visible to each other, while still sharing the same resources
multitenancy
A cloud-based virtual network where customers can quickly and easily change network configurations via software, versus the traditional need for cabling and hardware appliances
Network as a Service (NaaS)
A device placed at strategic places on a network to monitor and analyze all network traffic traversing the subnet and then compare it against signatures for known vulnerabilities and attacks
Network-based intrusion detection systems (NIDS)
Contains a set of rules that can be applied to network resources for the processing and handling of network traffic. The group contains information used to filter traffic based on the direction of traffic flow, source address, destination address, ports of both the source and destination, and the protocols being used for transmission
network security group
provides a set of security controls for all systems under the United States federal government, with the exception of systems dedicated to national security
NIST SP 800-53
the ability to confirm the origin or authenticity of data to a high degree of certainty
nonrepudiation
A set of standards for protecting the national power grid and systems, specifically from a cybersecurity perspective
NERC/CIP - North American Electric Reliability Corporation/Critical Infrastructure Protection
A storage method used with IaaS where data elements are managed as objects rather than hierarchically with a file system and directory structure
object storage
the ability for a cloud customer to provision services in an automatic manner, when needed, with minimal involvement from the cloud provider
on-demand self-service
An official ITIL term that relates to a specialized service level agreement (SLA) pertaining to internal parties of an organization, rather than between a customer and provider
operational level agreement (OLA)
the automation of tasks within a public or private cloud that manages administration, workloads, and operations within the environment
orchestration
the hiring of external entities to perform work that a company or organization would typically do through its own employees
outsourcing
the process of securely removing data from a system by writing blocks of random or opaque data on storage media to destroy any previous data and make it unrecoverable
overwriting
Seven-step methodology that is platform agnostic and combines business objectives, technical requirements, and compliance for threat management
P.A.S.T.A - Process for Attack Simulation and Threat Analysis
An industry regulation that applies to organizations that handle credit card transactions. Rather than being a legal regulation passed by government authorities, it is enforced and administered by the credit card industry itself. The regulations are designed to enforce security best practices to reduce credit card fraud.
Payment Card Industry Data Security Standard (PCI DSS)
the process of testing systems and applications for vulnerabilities and weaknesses by employing the same tools and strategies used by malicious actors. Any exploits discovered can then be proactively addressed by the organization before a malicious actor can discover them.
Pen (Penetration) testing
The capability provided to the customer to deploy onto the cloud infrastructure any consumer-created or acquired applications written using programming languages, libraries, services, and tools supported by the provider. The customer does not manage or control the underlying cloud infrastructure, including the network, servers, operating systems, and storage, but does have control over the deployed applications and possibly configuration settings for the application-hosting environment.
Platform as a Service (PaaS)
the ability of a system or application to seamlessly and easily move between different cloud providers
portability
A specific type of analysis conducted by n organization that stores or processes sensitive and private data. The organization will evaluate its internal processes for development and operations with an eye toward the protection of personal data throughout the entire lifetime of its possession and use
Privacy impact assessment (PIA)
A declaration published by the cloud service provider documenting its approach to data privacy. The cloud service provider implements and maintains the PLA for the systems it hosts.
Privacy level agreement (PLA)
A cloud infrastructure provisioned for exclusive use by a single organization composed of multiple consumers (for example, business units). it may be owned, managed, and operated by the organization, a third party, or some combination, and it may exist on or off premises.
private cloud
A special designation of data under United States law that encompasses any health-related data that can be tied to an individual, including health status, healthcare services sought or provided, or any payment related to healthcare
protected health information (PHI)
A cloud infrastructure provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic organization, or governmental organization, or some combination. It exists on the premises of the cloud provider.
public cloud
Involves the use of quantum phenomena, such as the interaction between atoms or wave movements, to aid in computation.
Quantum computing
A point of time in the past that an organization is willing to revert in order to restore lost data or services following an interruption
Recovery point objective (RPO)
A defined maximum time duration for which an organization can accept the loss of data or services following an interruption
Recovery time objective (RTO)
A system or application that provides access to secure data through the use of an identity provider
relying party
A proprietary technology, developed by Microsoft, to allow users to connect to a remote computer over a network and utilize a graphical interface with the Windows operating system
Remote Desktop Protocol (RDP)
A system for designing and implementing networked applications by utilizing a stateless, cacheable, client/server protocol, almost always via HTTP.
Representational State Transfer (REST)
A key component of the change management process that involves a formal documented change request, including what change is needed, why it is needed, the urgency of the change, and the impact if the change is not made
Request for Change (RFC)
the aggregation and allocation of resources from the cloud provider to serve the cloud customers
resource pooling
the ability of a cloud customer to recover all data and applications from a cloud provider and completely remove all data from the cloud providers environment
reversibility
Security technology and systems integrated into a system or application that enables it to detect and prevent attacks in real time
runtime application self-protection (RASP)
the segregation and isolation of information or processes from others within the same system or application, typically for security concerns
sandboxing
Enables companies to contract with an external vendor to supply and manage their security operations for such technologies as intrusion detection systems (IDSs), intrusion prevention systems (IPSs), data loss prevention (DLP), and antivirus implementations
Security as a Service (SECaaS)
A centralized group that deals with security issues within an organization or enterprise. It is responsible for the monitoring, reporting, and handling of security incidents. This is done at both a technical and organizational level and touches all information assets within the organization
Security Operations Center
A computing system or application that processes data
service
A document agreed upon between a customer and a service provider that defines and maps out minimum performance standards for a variety of contract requirements. An SLA typically includes minimum standards for processes, uptime, availability, security, auditing, reporting, customer service, and potentially many other requirements
Service Level Agreement (SLA)
An organization that provides IT services and applications to other organizations in a sourced manner
Service Provider (SP)
A system of providing IT applications and data services to other components through communications protocols over a network, independent of any particular technology, system, provider, or implementation
Service-Oriented Architecture (SOA)
A proven methodology for developing business-driven, risk and opportunity focused security architectures, at both the enterprise and solutions levels, that traceably support business objectives. Widely used for information assurance architectures and risk management frameworks. Composed of a series of integrated frameworks, models, methods, and processes and can be used independently or as a holistic, integrated enterprise solution
Sherwood Applied Business Security Architecture (SABSA)
A messaging protocol that is operating system agnostic and used to communicate with other systems through HTTP and XML
Simple Object Access Protocol (SOAP)
The monetary value assigned to the occurrence of a single instance of risk or exploit to an IT Service, application or system
SLE (Single Loss Expectancy)
Audit and accounting reports, focused on an organization’s controls, that are employed when providing secure services to users
SOC 1/SOC 2/SOC 3
The capability provided to the customer to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser or program interface. The consumer does not manage or control the underlying cloud infrastructure, including the network, servers, operating systems, storage, and individual application capabilities, with the possible exception of limited user-specific application settings
Software as a Service (SaaS)
An automated process that scans a codebase to identify any code that is from an open source package or repository It is crucial for both security and license compliance.
Software composition analysis (SCA)
An approach to separate the network configurations for the control plane and the data plane. This allows an abstraction for network administrators to configure and control those aspects of the network important to modern systems and applications without having to get involved with the actual mechanisms for forwarding network traffic
software-defined networking (SDN)
A defined period of time for development to be accomplished with a running list of deliverables that are planned one sprint in advance
Sprint
A method used by malicious actors to insert SQL statements into a data-driven application in various input fields, attempting to get the application to access arbitrary code and return the results to the attacker. This could include attempts to access a full database or the protected data within it or to modify or delete data.
SQL Injection
Security testing of applications by analyzing their source code, binaries, and configurations. This is done by testers who have in-depth knowledge of systems and applications, with the testing performed in a nonrunning state
Static Application Security Testing (SAST)
A cloud service where the provider offers storage space and solutions on a subscription service. Cloud customers incur costs based on the amount of storage that is consumed or reserved.
Storage as a Service (STaaS)
One or more cloud customers who share access to a pool of resources
tenant
An open enterprise architecture model intended to be a high-level approach that design teams can use to optimize success, efficiency, and returns throughput to a systems’s lifecycle
The Open Group Architecture Framework (TOGAF)
The process of replacing and substituting secured or sensitive data in a data set with an abstract or opaque value that has no use outside of the application
tokenization
A program or application used to trick a user or administrator into executing an attack by disguising its true intention
Trojan
The security concept of separating systems and data into different levels (or zones) and applying security methods and practices to each zone, based on the requirements of that particular group of systems. In many instances, zones of a higher degree of trust may access those with a lower degree, but not vice versa
trust zones
a contract negotiated and agreed upon between an organization and an external service provider or vendor
underpinning contract (UC)
the optimization of cloud computing resources for a particular stack or vertical, such as a specific type of application or system, or by a particular industry sector or need
vertical cloud computing
a computing environment that is a software implementation running on a host system, versus a physical hardware environment
virtual host or virtual machine
Facilitates the extension of a private network over public networks, and it enables a device to operate as if it were on the private network directly. Works by enabling an encrypted point-to-point connection from a device into a private network, typically through software applications, but this also can be done via hardware accelerators
virtual private network (VPN)
A type of rootkit installed in a virtualized environment between the underlying host system and the virtual machine. It is then executed and used when the virtual machine is started. Very difficult to detect in an environment, but also very difficult to successfully implement
VM-based rootkit (VMBR)
a more typical or standard file system used with IaaS that provides a virtual partition or hard disk to a virtual machine. It can be used just like a traditional hard drive would be, with a file system, folders, and file organization methods
volume storage
a traditional development methodology where projects are divided into phases that must be fully developed, tested, approved, and implemented before moving onto the next phase
waterfall
an appliance or software plug-in that parses and filters HTTP traffic from a browser or client and then applies a set of rules before the traffic is allowed to proceed to the actual application server
web application firewall (WAF)
a web-based application that provides tools, reporting, and visibility for a user into multiple systems. In a cloud environment, this provides metrics and service capabilities to add or expand for the customer to consume.
web portal
an appliance implemented within a network to secure and manage XML traffic. It is particularly used within a cloud environment to help integrate cloud-based systems with those still residing in traditional data centers.
XML appliance
A reference in the developer’s code to data on the application side, such as a database key, the directory structure of the application, configuration information about the hosting system, or any other information that pertains to the workings of the application that should not be exposed to users or the network.
XML external entity
