
Application Security Glossary

Clear definitions of application security concepts, testing methodologies, and vulnerability types. A reference for developers, security engineers, and engineering leaders.

A

API Security

The practice of protecting application programming interfaces from attacks and misuse. API security involves authentication, authorization, rate limiting, input validation, and encryption to prevent data breaches and unauthorized access through API endpoints.

Application Security (AppSec)

The process of finding, fixing, and preventing security vulnerabilities in software applications throughout the development lifecycle. AppSec encompasses practices like code review, security testing (SAST, DAST), threat modeling, and secure coding standards.

Learn more about Application Security in Offensive360

Attack Surface

The full set of entry points through which an attacker could interact with a system or application. Reducing the attack surface means eliminating unnecessary services, endpoints, and user inputs to lower the risk of exploitation.

Authentication

The process of verifying the identity of a user, device, or system. Common methods include passwords, multi-factor authentication (MFA), biometrics, and token-based approaches like OAuth and JWT. Weak authentication is a frequent source of security vulnerabilities.

Authorization

The process of determining what actions an authenticated user is permitted to perform. Authorization flaws, such as insecure direct object references and privilege escalation, are among the most common and severe application vulnerabilities.

B

Broken Access Control

A category of vulnerability where users can act outside their intended permissions. This includes accessing other users' data, modifying access rights, or performing administrative actions without proper authorization. It is the number one risk in the OWASP Top 10 (2021).

Learn more about Broken Access Control in Offensive360

Buffer Overflow

A vulnerability that occurs when a program writes data beyond the allocated memory buffer. Buffer overflows can allow attackers to overwrite adjacent memory, crash programs, or execute arbitrary code. They are most common in C and C++ applications.

C

CI/CD Security

The practice of securing continuous integration and continuous deployment pipelines. This includes scanning code for vulnerabilities before deployment, managing secrets securely, verifying dependencies, and ensuring that only tested and approved code reaches production.

Learn more about CI/CD Security in Offensive360

Code Injection

An attack where an adversary inserts malicious code into a vulnerable application, which then executes it. Unlike command injection, code injection targets the application's own language runtime. Prevention relies on input validation, parameterized queries, and avoiding dynamic code evaluation.

Learn more about Code Injection in Offensive360

Command Injection

A vulnerability that allows an attacker to execute arbitrary operating system commands on the server hosting an application. It occurs when user input is passed to system shell commands without proper sanitization. Static analysis tools can detect patterns where user input reaches shell execution functions.

Learn more about Command Injection in Offensive360

Cross-Site Request Forgery (CSRF)

An attack that forces authenticated users to submit requests to a web application they are currently logged into, without their knowledge. CSRF exploits the trust a site has in the user's browser. Defenses include anti-CSRF tokens, SameSite cookies, and checking the Origin header.

Learn more about Cross-Site Request Forgery in Offensive360
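The three defenses named above, combined in one request-verification routine. This is an added illustration, not code from the original page or from Offensive360; the origin allowlist, the header and form dictionaries, and the session store are constructed stand-ins for what a real web framework would supply.

```python
import hmac
import secrets
from typing import Mapping, Optional
from urllib.parse import urlsplit

# Constructed: the application's own origin(s). Any other origin is cross-site.
ALLOWED_ORIGINS = {"https://app.example.com"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # must have no side effects, so they need no token

def issue_csrf_token() -> str:
    """Unguessable per-session token: keep it in the server-side session and embed it in forms."""
    return secrets.token_urlsafe(32)

def session_cookie_header(session_id: str) -> str:
    """Session cookie attributes; SameSite=Lax keeps cross-site POSTs from carrying the cookie."""
    return f"sessionid={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"

def request_origin(headers: Mapping[str, str]) -> Optional[str]:
    """Origin header if present, else the Referer's scheme://host, else None."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    if "origin" in h:
        return h["origin"]
    if "referer" in h:
        parts = urlsplit(h["referer"])
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None

def verify_request(method: str, headers: Mapping[str, str],
                   form: Mapping[str, str], session: Mapping[str, str]) -> bool:
    """Return True only if a state-changing request passes both CSRF checks."""
    if method.upper() in SAFE_METHODS:
        return True
    # Check 1: the request must come from our own origin; fail closed when it is unknown.
    if request_origin(headers) not in ALLOWED_ORIGINS:
        return False
    # Check 2: the submitted token must equal the session's token (constant-time comparison).
    expected, submitted = session.get("csrf_token"), form.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)

if __name__ == "__main__":
    token = issue_csrf_token()
    session = {"csrf_token": token}
    print(session_cookie_header("constructed-session-id"))
    print(verify_request("POST", {"Origin": "https://app.example.com"}, {"csrf_token": token}, session))
    print(verify_request("POST", {"Origin": "https://other.example"}, {"csrf_token": token}, session))
```

The two checks are independent layers: the token check catches a forged request even when a browser sends no Origin header, and the origin check catches a token that leaked through some other path. Rejecting requests with neither Origin nor Referer is the conservative choice; if legitimate clients strip both, relax it deliberately rather than by default.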

Cross-Site Scripting (XSS)

A vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. XSS can be stored (persistent), reflected (non-persistent), or DOM-based. It enables session hijacking, defacement, and credential theft. Prevention includes output encoding and Content Security Policy headers.

Learn more about Cross-Site Scripting in Offensive360

Cryptographic Failure

A vulnerability category covering the misuse or absence of cryptography to protect sensitive data. This includes using weak algorithms, hardcoded keys, insufficient key lengths, and transmitting data in cleartext. Formerly known as "Sensitive Data Exposure" in the OWASP Top 10.

Learn more about Cryptographic Failure in Offensive360

CVSS (Common Vulnerability Scoring System)

An open industry standard for assessing the severity of security vulnerabilities on a scale of 0.0 to 10.0. CVSS scores consider factors like attack complexity, required privileges, and impact on confidentiality, integrity, and availability. Scores are categorized as None, Low, Medium, High, and Critical.

CWE (Common Weakness Enumeration)

A community-developed list of common software and hardware weakness types, maintained by MITRE. Each CWE entry describes a class of vulnerability (e.g., CWE-89 for SQL Injection). SAST tools map their findings to CWE identifiers for standardized classification and reporting.

D

DAST (Dynamic Application Security Testing)

A testing methodology that analyzes a running application from the outside by sending requests and observing responses. DAST simulates real-world attacks against deployed applications without access to source code. It excels at finding runtime issues like authentication flaws and server misconfigurations.

Learn more about DAST in Offensive360

Data Flow Analysis

A technique used by SAST tools to track how data moves through an application, from sources (user inputs) to sinks (dangerous functions). Data flow analysis identifies paths where untrusted data can reach sensitive operations without proper sanitization, enabling detection of injection vulnerabilities.

Learn more about Data Flow Analysis in Offensive360

Dependency Scanning

The automated process of checking third-party libraries and packages used by an application for known security vulnerabilities. Dependency scanners compare project dependencies against databases like the National Vulnerability Database (NVD) to identify outdated or vulnerable components.

DevSecOps

An approach that integrates security practices into every phase of the software development lifecycle, from planning through deployment. DevSecOps emphasizes automation, shared responsibility for security, and shifting security testing left (earlier) in the development process.

Learn more about DevSecOps in Offensive360

E

Encryption

The process of converting data into an unreadable format using cryptographic algorithms, making it accessible only to parties with the correct decryption key. Encryption protects data at rest (stored) and in transit (transmitted). Common standards include AES for symmetric and RSA/ECDSA for asymmetric encryption.

F

False Positive

A finding reported by a security tool that incorrectly identifies safe code as vulnerable. High false positive rates waste developer time and erode trust in security tools. Advanced SAST platforms use data flow analysis, AI, and contextual understanding to minimize false positives.

Learn more about False Positive in Offensive360

H

Hardcoded Secrets

Sensitive values such as passwords, API keys, tokens, and cryptographic keys embedded directly in source code. Hardcoded secrets are a common vulnerability because they can be extracted from version control history, compiled binaries, or client-side code. SAST tools detect these patterns automatically.

Learn more about Hardcoded Secrets in Offensive360
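A minimal version of the pattern matching a SAST tool applies to find hardcoded secrets, added here as an illustration rather than taken from the page or from Offensive360. The rules, the placeholder list, the entropy threshold and the sample source file are all constructed for the example; the one realistic-looking value, `AKIAIOSFODNN7EXAMPLE`, is the example access key ID that AWS uses in its own documentation. The entropy and placeholder filters are what keep a rule like "password = ..." from flagging every `password = "changeme"` in a test fixture.

```python
import math
import re
from typing import Dict, List

# Detection rules: (name, regex). Generic illustrations, not any vendor's ruleset.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("generic-assignment", re.compile(
        r"(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]")),
]

# Values that look like placeholders or template variables rather than real credentials.
PLACEHOLDERS = re.compile(r"(?i)^(changeme|example|placeholder|your[_-]?.*|xxx+|\$\{.*\}|<.*>)$")

def shannon_entropy(s: str) -> float:
    """Bits per character; real random secrets score high, dictionary words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(ch) / n * math.log2(s.count(ch) / n) for ch in set(s))

def scan_source(text: str, min_entropy: float = 3.0) -> List[Dict]:
    """Return one finding per (line, rule) where a rule matches and the filters do not suppress it."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            if name == "generic-assignment":
                value = m.group(2)
                # Suppress obvious placeholders and low-entropy words to cut false positives.
                if PLACEHOLDERS.match(value) or shannon_entropy(value) < min_entropy:
                    continue
            findings.append({"line": lineno, "rule": name, "cwe": "CWE-798"})
    return findings

# Constructed sample source file; every value in it is made up for the example.
SAMPLE_SOURCE = """\
import os
DB_PASSWORD = os.environ["DB_PASSWORD"]        # read from the environment: no finding
API_KEY = "q7Fz2mKx9LpV3tR8bN1yW4hS"            # hardcoded, high entropy: finding
password = "changeme"                          # placeholder: suppressed
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"                # AWS documentation example key ID: finding
token = "${SERVICE_TOKEN}"                     # template variable: suppressed
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['rule']} ({f['cwe']})")
```

Two points carry over to real scanners. First, scan history as well as the working tree, because a secret removed in a later commit is still recoverable from version control. Second, treat every finding as already compromised and rotate it; deleting the line from the source does not undo the exposure.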

I

IAST (Interactive Application Security Testing)

A testing approach that combines elements of SAST and DAST by instrumenting the application at runtime. IAST agents observe code execution during normal testing or usage, providing detailed vulnerability information including the exact code location. It produces fewer false positives than standalone SAST or DAST.

Input Validation

The practice of checking and sanitizing all data received from external sources before processing it. Proper input validation is the first line of defense against injection attacks, buffer overflows, and many other vulnerability classes. Validation should be performed on the server side and use allowlists over denylists.

Insecure Deserialization

A vulnerability that occurs when an application deserializes data from untrusted sources without proper validation. Attackers can manipulate serialized objects to achieve remote code execution, privilege escalation, or denial of service. Languages with native serialization like Java, PHP, and Python are particularly susceptible.

Learn more about Insecure Deserialization in Offensive360

L

LDAP Injection

An attack that exploits applications constructing LDAP queries from unsanitized user input. Attackers can modify LDAP statements to bypass authentication, access unauthorized data, or modify directory entries. Prevention involves parameterized LDAP queries and strict input validation.

Learn more about LDAP Injection in Offensive360

O

OWASP

The Open Worldwide Application Security Project, a nonprofit foundation that produces freely available tools, documentation, and standards for application security. OWASP is best known for the OWASP Top 10 list, but also maintains projects like the ASVS, Testing Guide, and numerous open-source security tools.

OWASP Top 10

A periodically updated awareness document listing the ten most critical web application security risks. The current version (2021) includes Broken Access Control, Cryptographic Failures, Injection, Insecure Design, Security Misconfiguration, and more. It serves as a baseline standard for application security programs.

P

Path Traversal

A vulnerability that allows attackers to access files and directories outside the intended folder by manipulating file path inputs (e.g., using "../" sequences). Successful exploitation can expose configuration files, source code, and system credentials. Also known as directory traversal.

Learn more about Path Traversal in Offensive360
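The standard defense is to resolve the requested path under the intended root and refuse anything that lands outside it. The function below is an added example, not code from the page or from Offensive360; the document root and the sample requests are constructed. It uses POSIX path rules throughout so the check behaves the same on every platform, decodes percent-encoding exactly once (so `%2e%2e/` is caught), and compares with `commonpath` rather than a string prefix so that a sibling directory such as `/srv/app/public2` is not mistaken for the root.

```python
import posixpath
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed document root for the example; nothing is read from disk.
BASE_DIR = "/srv/app/public"

def safe_path(base: str, user_path: str) -> Optional[str]:
    """Return the normalized path of user_path under base, or None if it escapes base."""
    base = posixpath.normpath(base)
    decoded = unquote(user_path)                 # decode percent-encoding exactly once
    if "\x00" in decoded or posixpath.isabs(decoded):
        return None                              # NUL bytes and absolute paths are never valid here
    candidate = posixpath.normpath(posixpath.join(base, decoded))
    # normpath has collapsed every "..", so anything that no longer sits under base has escaped.
    # commonpath (not str.startswith) also rejects sibling directories such as /srv/app/public2.
    if posixpath.commonpath([base, candidate]) != base:
        return None
    return candidate

def classify(base: str, requests: List[str]) -> Dict[str, str]:
    """Map each requested path to its resolved location, or 'DENIED', for log review."""
    return {p: (safe_path(base, p) or "DENIED") for p in requests}

if __name__ == "__main__":
    # Constructed requests: two legitimate ones and four that try to leave the root.
    sample = ["css/site.css", "css/../index.html", "../../etc/passwd",
              "%2e%2e/%2e%2e/etc/passwd", "/etc/passwd", "../public2/x"]
    for req, result in classify(BASE_DIR, sample).items():
        print(f"{req!r:32} -> {result}")
```

This check is lexical; on a real filesystem, follow it with `os.path.realpath` on the result and re-check containment, so that a symbolic link inside the root cannot point back out of it.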

Penetration Testing

A simulated cyberattack performed by security professionals to identify exploitable vulnerabilities in systems, networks, or applications. Unlike automated scanning, penetration testing involves manual exploration, chaining vulnerabilities, and assessing real-world impact. It is typically performed periodically as a complement to continuous automated testing.

R

Race Condition

A vulnerability that occurs when the behavior of software depends on the timing or sequence of events, and an attacker can interfere with that sequence. In security contexts, race conditions can lead to authentication bypasses, double-spending, and privilege escalation. They are particularly common in multi-threaded and distributed systems.

S

SAST (Static Application Security Testing)

A white-box testing methodology that analyzes application source code, bytecode, or binaries for security vulnerabilities without executing the program. SAST tools examine code structure, data flow, and control flow to detect issues like injection flaws, hardcoded secrets, and insecure configurations early in development.

Learn more about SAST in Offensive360

SCA (Software Composition Analysis)

An automated process that identifies open-source and third-party components in a codebase, maps them to known vulnerabilities, and checks license compliance. SCA is essential for managing supply chain risk, as most modern applications rely heavily on open-source dependencies.

Secure Coding

The practice of writing software that is resistant to security vulnerabilities by following established guidelines and standards. Secure coding covers input validation, output encoding, authentication, error handling, and cryptographic practices. Standards like OWASP Secure Coding Practices and CERT provide detailed guidance.

Security Misconfiguration

A vulnerability arising from insecure default configurations, incomplete setups, open cloud storage, verbose error messages, or unnecessary services. It is one of the most common issues found in web applications and cloud environments. Automated configuration scanning and infrastructure-as-code review help prevent these issues.

Server-Side Request Forgery (SSRF)

A vulnerability that allows an attacker to make the server-side application send requests to unintended locations, such as internal services, metadata endpoints, or other backend systems. SSRF can lead to internal network scanning, data exfiltration, and in cloud environments, access to instance metadata credentials.

Learn more about Server-Side Request Forgery in Offensive360

SQL Injection

A code injection technique that exploits applications constructing SQL queries from unsanitized user input. Attackers can read, modify, or delete database contents, bypass authentication, and in some cases execute operating system commands. It remains one of the most prevalent and dangerous web application vulnerabilities.

Learn more about SQL Injection in Offensive360

Supply Chain Security

The practice of securing all components, tools, and processes involved in building and delivering software. This includes vetting open-source dependencies, securing build pipelines, verifying package integrity, and monitoring for compromised libraries. High-profile incidents like SolarWinds and Log4Shell have elevated its importance.

T

Taint Analysis

A specialized form of data flow analysis that tracks "tainted" (untrusted) data from user-controlled inputs through the program to security-sensitive operations. If tainted data reaches a dangerous function without passing through a sanitizer, the tool reports a vulnerability. It is a core technique in modern SAST engines.

Learn more about Taint Analysis in Offensive360
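A toy taint-tracking engine that demonstrates both the Data Flow Analysis and the Taint Analysis entries: untrusted data enters at a source, propagates through assignments, is cleared by a sanitizer, and is reported when it reaches a sink. This is an added example, not code from the page or from Offensive360. The statement format, the sanitizer policy and the sample program are all constructed; real engines work on a compiler-style intermediate representation with branches, calls and aliasing, which this straight-line model omits. It does include one refinement that matters in practice: a sanitizer only clears taint for the sinks it is actually appropriate for, so HTML escaping before a database call is still reported.

```python
from typing import Dict, List, Set

# Constructed straight-line IR for the example (one tuple per statement):
#   ("source",   var, origin)              var receives untrusted input from `origin`
#   ("assign",   var, [inputs...])         var is computed from inputs; taint propagates
#   ("sanitize", var, input, sanitizer)    var = sanitizer(input)
#   ("sink",     function, [args...])      call to a security-sensitive function
Stmt = tuple

# Which sinks each sanitizer makes data safe for (constructed policy). A sanitizer for the
# wrong sink (HTML escaping before SQL) must not clear the taint for that sink.
SANITIZERS: Dict[str, Set[str]] = {
    "int": {"db.execute", "open"},
    "html_escape": {"render_html"},
}

def analyze(program: List[Stmt]) -> List[Dict]:
    # var -> {"trace": how taint reached it, "clean_for": sinks it has been sanitized for}
    taint: Dict[str, Dict] = {}
    findings: List[Dict] = []
    for stmt in program:
        kind = stmt[0]
        if kind == "source":
            _, var, origin = stmt
            taint[var] = {"trace": [f"{var} <- source {origin}"], "clean_for": set()}
        elif kind == "assign":
            _, var, inputs = stmt
            tainted = [i for i in inputs if i in taint]
            if not tainted:
                taint.pop(var, None)            # rebuilt from clean data only: taint cleared
                continue
            # Mixing inputs keeps only the sanitization every tainted input shares.
            clean_for = set.intersection(*(taint[i]["clean_for"] for i in tainted))
            taint[var] = {"trace": taint[tainted[0]]["trace"] + [f"{var} <- {', '.join(inputs)}"],
                          "clean_for": clean_for}
        elif kind == "sanitize":
            _, var, src, name = stmt
            if src in taint:
                taint[var] = {"trace": taint[src]["trace"] + [f"{var} <- {name}({src})"],
                              "clean_for": taint[src]["clean_for"] | SANITIZERS.get(name, set())}
            else:
                taint.pop(var, None)
        elif kind == "sink":
            _, func, args = stmt
            for a in args:
                if a in taint and func not in taint[a]["clean_for"]:
                    findings.append({"sink": func, "arg": a,
                                     "trace": taint[a]["trace"] + [f"{func}({a})"]})
    return findings

# Constructed sample program: three reportable flows and two that are correctly sanitized.
PROGRAM: List[Stmt] = [
    ("source", "user_id", "request.args"),
    ("assign", "query", ["user_id"]),              # query = "SELECT ... WHERE id=" + user_id
    ("sink", "db.execute", ["query"]),              # tainted: finding
    ("sanitize", "safe_id", "user_id", "int"),      # safe_id = int(user_id)
    ("assign", "query2", ["safe_id"]),
    ("sink", "db.execute", ["query2"]),             # sanitized for this sink: no finding
    ("source", "comment", "request.form"),
    ("sanitize", "esc", "comment", "html_escape"),
    ("sink", "render_html", ["esc"]),               # right sanitizer for this sink: no finding
    ("sink", "db.execute", ["esc"]),                # wrong sanitizer for this sink: finding
    ("source", "path", "request.args"),
    ("assign", "full", ["base_dir", "path"]),
    ("sink", "open", ["full"]),                     # tainted: finding
]

if __name__ == "__main__":
    for f in analyze(PROGRAM):
        print(f"{f['sink']}({f['arg']}): " + " -> ".join(f["trace"]))
```

The trace attached to each finding is what makes a taint result actionable: it tells the developer where the data came in and which assignment carried it to the sink, rather than just naming the sink line.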

Threat Modeling

A structured process for identifying potential security threats, vulnerabilities, and attack vectors in a system during the design phase. Frameworks like STRIDE, PASTA, and attack trees help teams systematically evaluate risks and prioritize mitigations before writing code.

V

Vulnerability Assessment

The systematic process of identifying, quantifying, and prioritizing security vulnerabilities in a system or application. Unlike penetration testing, vulnerability assessments focus on breadth of coverage rather than depth of exploitation. Automated tools like SAST and DAST scanners are key components of vulnerability assessment programs.

Learn more about Vulnerability Assessment in Offensive360

X

XML External Entity (XXE)

A vulnerability in applications that parse XML input, where an attacker defines external entities that can read local files, perform server-side request forgery, or cause denial of service. XXE is prevented by disabling external entity processing in XML parsers and using less complex data formats like JSON where possible.

Learn more about XML External Entity in Offensive360

Z

Zero Day

A previously unknown vulnerability that is exploited before the software vendor has released a patch. The term "zero day" refers to the fact that developers have had zero days to fix the issue. Proactive security measures like SAST, strong input validation, and defense in depth help mitigate the risk of zero-day exploitation.

Zero Trust

A security model based on the principle of "never trust, always verify." Zero trust assumes no implicit trust for any user, device, or network, regardless of location. Every access request is fully authenticated, authorized, and encrypted before being granted. It is increasingly adopted for both network and application security.

Missing a term?

Application security is a rapidly evolving field. If you think we should add a term to this glossary, let us know.

Suggest a Term

See how Offensive360 detects these vulnerabilities

Our SAST and DAST platform covers the full spectrum of application security risks.