Everybody in the IT industry should be aware of software security basics.
It doesn't matter if you're a developer, system engineer, or product manager; security is everyone's responsibility.
Here's a guide to essential software security terms.
In computer security, a security issue or vulnerability is a weakness or flaw that allows malicious users to perform unauthorized actions.
For example, SQL Injection is a vulnerability that can be used to run SQL commands on the database. Take a look at the list of web application vulnerabilities for more.
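To make the SQL Injection example concrete, here is an added example (not code from the original article) showing the same lookup written two ways: one that concatenates user input into the SQL string, and one that passes it as a bound parameter. It uses an in-memory SQLite database with constructed sample rows, and the helper names (`build_db`, `find_user_vulnerable`, `find_user_safe`, `injection_check`) are this example's own. The last function is the kind of regression check a team can keep in its test suite so that a query never silently regresses to string concatenation.

```python
import sqlite3

# Constructed sample database; the rows are invented for this example.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash_a"), ("bob", "hash_b")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """Vulnerable pattern: user input is pasted into the SQL text, so the input
    can change the structure of the query instead of only its data."""
    query = "SELECT username FROM users WHERE username = '%s' ORDER BY id" % username
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, username):
    """Hardened pattern: a parameterized query. The driver sends the input as a
    value bound to the placeholder, so it can never be interpreted as SQL."""
    query = "SELECT username FROM users WHERE username = ? ORDER BY id"
    return [row[0] for row in conn.execute(query, (username,))]


def injection_check(lookup):
    """Regression check for a lookup function: a well-known tautology input must
    not return more rows than a normal lookup. True means the function is
    injectable and should fail the build."""
    conn = build_db()
    try:
        baseline = lookup(conn, "alice")
        # Closes the string literal and appends an always-true condition.
        probed = lookup(conn, "' OR '1'='1")
        return len(probed) > len(baseline)
    finally:
        conn.close()


def demo():
    """Run both variants against benign and hostile input and return the rows."""
    conn = build_db()
    try:
        return {
            "vulnerable_benign": find_user_vulnerable(conn, "alice"),
            "vulnerable_hostile": find_user_vulnerable(conn, "' OR '1'='1"),
            "safe_benign": find_user_safe(conn, "alice"),
            "safe_hostile": find_user_safe(conn, "' OR '1'='1"),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
    print("vulnerable lookup injectable:", injection_check(find_user_vulnerable))
    print("safe lookup injectable:", injection_check(find_user_safe))
```

The hostile input makes the concatenated query read `WHERE username = '' OR '1'='1'`, which matches every row; the parameterized version simply searches for a username that literally contains the quote characters and finds nothing. The same placeholder approach applies to any database driver; the placeholder syntax (`?`, `%s`, `$1`) varies by driver, but the principle of separating code from data does not.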
An exploit is a piece of code or a sequence of commands that takes advantage of a vulnerability. Exploits can compromise the systems or data of an organization; they are how malicious users profit from vulnerabilities.
A security incident is an event of unauthorized action, such as a breach of the system. It is often the result of the successful exploitation of a vulnerability.
A zero-day attack exploits a zero-day vulnerability: a weakness that is still unknown to the vendor of the target application and to others who would be interested in fixing it.
The CIA triad is the Confidentiality, Integrity, and Availability of data. Balanced protection of all three is the main focus of information security.
In simple terms, security risk is the combination of the probability and the impact of a security incident.
In software security, the impact is determined by the effect of the security incident on the CIA triad.
Vulnerability management is a continuous cycle of identifying, prioritizing, and remediating software vulnerabilities.
Vulnerability management is a must-have process for any organization as part of its information security program.
Vulnerability assessment is the process of identifying and prioritizing the vulnerabilities in software systems.
Vulnerability scanning refers to identifying vulnerabilities in computer systems.
It can be done manually or using automated tools called vulnerability scanners.
SmartScanner is an automated web vulnerability scanner you can use to find vulnerabilities in your website.
A penetration test, or pen test, is a test that evaluates the security of a system.
A pen test, also called ethical hacking, is an authorized attack.
Unlike a vulnerability assessment, a penetration test tries to exploit vulnerabilities to better estimate the risk. A penetration tester also assesses the strengths of the system.
The results of a penetration test can be used to complete a full risk assessment.
The Open Web Application Security Project (OWASP) is an online community that produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security.
The most famous OWASP project is the OWASP Top 10, a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.
An Information Security Management System (ISMS) is how an organization manages the security of its data.
It consists of processes, policies, and controls to protect overall information security. The ISO/IEC 27001 is widely known for providing requirements for ISMS.
A threat actor, or malicious user, is the party responsible for a security incident.
The attack surface, or attack vector, is where an attack can be started. For example, an online email subscription form on a website is part of the attack surface. Other examples are zero-day vulnerabilities, lack of encryption, and misconfigurations.