Glossary A Flashcards
(191 cards)
Expanding on functional testing to include operations outside of the intended use of an application in order to test for security flaws or application stability problems
Abuse case testing
Modern approach to development that uses an iterative process of “sprints” to segment coding and features into manageable chunks
Agile
Value derived by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO). ALE = SLE x ARO
ALE (annualized loss expectancy)
A tool that sits between client systems and the back-end services they call via API requests in order to serve as a reverse proxy for security and performance capabilities
API Gateway
A set of functions, routines, tools or protocols for building applications. Allows for interaction between systems and applications that can be leveraged by developers as building blocks for their applications and data access through a common method, without custom coding for each integration
Application Programming Interface (API)
Estimated number of times a threat will successfully exploit a given vulnerability over the course of a single year
ARO (Annualized rate of occurrence)
A threat-modeling approach composed of Architecture, Threats, Attack Surfaces, and Mitigations
ATASM
The ability to properly capture, analyze, and report on any and all events that happen within a system or application, such as data access and modification, user actions and processes, controls and compliance, and regulatory and contractual compliance
Auditability
The process of evaluating credentials presented by a user, application, or service to prove its identity as compared to values already known and verified by the authentication system
Authentication
The process of granting or denying access to a system, network, or application after successful authentication has been performed, based on approved criteria set by policy or regulation
Authorization
Means or method of accessing a system or application while bypassing the typical and required authentication and authorization methods. Can be unauthenticated methods discovered by malicious actors to get into a system, or methods purposefully employed by developers or support staff to access systems for maintenance or other support activities. Created by developers or hackers.
Backdoor
Part of the change management process, which establishes an agreed-upon standard configuration and the attributes that comprise it and forms the basis for managing change from that point forward
Baseline
Heavily fortified system that serves as a jump box or proxy between an untrusted network and trusted networks
Bastion host
Refers to the collection, processing, and analysis of data sets that are so large that traditional data processing and analysis tools are inadequate to handle them properly. Often applied in regard to predictive analysis and user analytics of data sets rather than referring to a specific size of the data involved.
Big Data
The practice of allowing employees of an organization to use their own computers, phones, tablets or other electronic resources to access official computing resources, rather than using devices provided and supported by the organization.
Bring your own device (BYOD)
The capability of an organization to continue the operation of systems or applications at a predetermined level after an incident or a disruption of service
Business Continuity
A process designed to identify risks, threats, and vulnerabilities that could disrupt or impact services, with the intent of determining mitigation strategies and response processes should they occur
Business continuity management
A developed and tested document, containing information from stakeholders and staff, for the continuation of operations and services in the event of a disruption or incident
Business continuity plan
A structured methodology to identify and evaluate the possible risks and threats that operations or services could be impacted by, as well as the possible or likely extent of impact and disruption
Business Impact Analysis (BIA)
Formal documentation showing the chronological control and disposition of data or evidence, either physical or electronic. Includes creation, all changes of possession, and final disposition. It is absolutely essential to maintain the integrity of evidence and its admissibility in legal proceedings.
Chain of custody
Group that assists the change team and change management process by evaluating, prioritizing, and approving change requests
Change Advisory Board (CAB)
Individual with a role in the change management process who ensures the overall change process is properly executed. This person also directly handles low-level tasks related to the change process.
Change Manager
A software tool or service that sits between cloud resources and the clients or systems accessing them. It serves as a gateway that can perform a variety of security and policy enforcement functions. Can consolidate and perform the functions of firewalls and web application firewalls as well as provide authentication and data loss prevention capabilities.
Cloud Access Security Broker (CASB)
Application that is never installed on a local server or desktop but is instead accessed via a network or the Internet. Merges the functionality of a local application with the accessibility of a web-based application
Cloud Application