Everyone in the IT industry should be aware of software security basics. It doesn’t matter if you’re a developer, system engineer, or product manager; security is everyone’s responsibility. Here’s your guide to essential software security terms.
In computer security, a security issue or vulnerability is a weakness or flaw that allows malicious users to perform unauthorized actions. For example, SQL Injection is a vulnerability that can be used to run attacker-supplied SQL commands on the database.
An exploit is a piece of code or a sequence of commands that takes advantage of a vulnerability. Exploits can compromise the systems or data of an organization. Malicious users profit from vulnerabilities by using exploits.
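To make the SQL Injection example concrete, here is an added illustration (not code from the original article) that puts a vulnerable lookup beside its hardened form against a constructed in-memory SQLite table. The function names, the sample users and the hostile input string are all assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demonstration; not part of the original article.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")],
    )
    return conn


def find_user_vulnerable(conn, username):
    # Vulnerable: untrusted input is pasted into the SQL text, so the input can
    # change the structure of the statement rather than just its data.
    sql = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    # Hardened: a parameterized query sends the value separately from the
    # statement, so the database engine treats it as data, never as SQL.
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    # Runs both lookups with a normal value and with a textbook hostile value
    # and returns the rows each one produced, so the difference is visible.
    conn = make_db()
    hostile = "' OR '1'='1"
    return {
        "normal_vulnerable": find_user_vulnerable(conn, "alice"),
        "normal_safe": find_user_safe(conn, "alice"),
        "hostile_vulnerable": find_user_vulnerable(conn, hostile),
        "hostile_safe": find_user_safe(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the hostile value, the vulnerable function returns every user because the input rewrote the WHERE clause, while the hardened function returns nothing because no user is literally named that. Parameterized queries (or an ORM that uses them) are the standard remediation; code review and static analysis tools flag string-built SQL as the pattern to look for.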
A security incident is the event of an unauthorized action, like a breach in the system. It is often the result of the successful exploitation of a vulnerability.
A zero-day attack exploits a zero-day vulnerability: a weakness that is not yet known to the vendor of the target application or to others who are interested in fixing it.
Confidentiality, Integrity, and Availability of data make up the CIA triad. Balanced protection of all three is the main focus of information security.
In simple terms, security risk is the combination of the probability of a security incident and its impact. In software security, the impact is determined by the effect of the security incident on the CIA triad.
Vulnerability management is an ongoing cycle of identifying, prioritizing, and remediating software vulnerabilities. It is a must-have process for any organization as part of its information security program.
Vulnerability assessment is the process of identifying and prioritizing the vulnerabilities in software systems.
Vulnerability scanning refers to identifying vulnerabilities in computer systems. It can be done manually or using automated tools called vulnerability scanners.
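The identify, prioritize, remediate cycle described for vulnerability management, and the automated matching a vulnerability scanner performs, can be shown in a few lines. The following is an added example, not code from the original article or from any real scanner: it checks a constructed software inventory against constructed advisories (the `ADV-EXAMPLE-*` identifiers are placeholders, not real CVE numbers), ranks the findings by severity score, and produces a remediation plan. The component names, versions and scores are all assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    ident: str        # placeholder identifier for the demonstration, not a real CVE
    component: str    # affected software component
    fixed_in: tuple   # first version that contains the fix
    cvss: float       # severity score used for prioritization


def parse_version(text):
    # "1.10.0" -> (1, 10, 0); tuples compare component-wise, which avoids the
    # classic scanner mistake of comparing version strings lexically.
    return tuple(int(part) for part in text.split("."))


# Constructed sample inventory: what is installed (hypothetical components).
INVENTORY = {
    "webserver": "1.4.2",
    "imagelib": "2.0.0",
    "jsonparser": "3.1.5",
}

# Constructed sample advisories (hypothetical; identifiers are placeholders).
ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "webserver", (1, 4, 3), 9.8),
    Advisory("ADV-EXAMPLE-002", "imagelib", (1, 9, 0), 7.5),  # 2.0.0 already has the fix
    Advisory("ADV-EXAMPLE-003", "jsonparser", (3, 2, 0), 5.3),
]


def scan(inventory, advisories):
    # Identify: a component is affected when the installed version is older than
    # the fixed version. (Simplification: real advisories also give the version
    # that introduced the flaw; this example treats all earlier versions as affected.)
    findings = []
    for adv in advisories:
        installed = inventory.get(adv.component)
        if installed is not None and parse_version(installed) < adv.fixed_in:
            findings.append(adv)
    return findings


def prioritize(findings):
    # Prioritize: highest severity first.
    return sorted(findings, key=lambda adv: adv.cvss, reverse=True)


def remediation_plan(inventory, advisories):
    # Remediate: for each finding, state the upgrade that closes it.
    plan = []
    for adv in prioritize(scan(inventory, advisories)):
        target = ".".join(str(n) for n in adv.fixed_in)
        plan.append((adv.ident, adv.component, inventory[adv.component], target))
    return plan


if __name__ == "__main__":
    for ident, component, installed, target in remediation_plan(INVENTORY, ADVISORIES):
        print(f"{ident}: upgrade {component} {installed} -> {target}")
```

Running the plan lists the web server first because its score is highest, then the JSON parser; the image library is skipped because its installed version already contains the fix. In a real program the inventory would come from a package manager or software bill of materials and the advisories from a vulnerability database, but the cycle is the same.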
A penetration test, or pen test, is a test for evaluating the security of a system. A pen test, also called ethical hacking, is an authorized attack. Unlike a vulnerability assessment, a penetration test tries to exploit vulnerabilities to better estimate the risk. A penetration tester also identifies the strengths of the system. The results of a penetration test can be used to complete a full risk assessment.
The Open Web Application Security Project (OWASP) is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the field of web application security. The most famous OWASP project is the OWASP Top 10, a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.
An Information Security Management System (ISMS) is how an organization manages the security of its data. It consists of processes, policies, and controls to protect overall information security. ISO/IEC 27001 is widely known for specifying the requirements for an ISMS.
A threat actor, or malicious user, is the one responsible for a security incident.
An attack surface, or attack vector, is where an attack can be started. For example, an online email subscription form on a website is part of the attack surface. Other examples are zero-day vulnerabilities, lack of encryption, and misconfigurations.