This section explains the language of secure software: common app-security flaws, testing approaches, secrets handling, and secure-development concepts.
Use it when the security issue lives in the application or development process rather than the network alone.
- API Security

  API security is the application-security discipline focused on protecting interfaces, tokens, data flows, and backend actions from unauthorized access, abuse, and misuse.

- Broken Access Control

  Broken access control is an application-security failure in which a system does not correctly enforce what an authenticated user, service, or tenant is allowed to access or change.

- Command Injection

  Command injection is an application flaw in which untrusted input reaches operating-system command execution, so that the application no longer controls what the host actually runs.

- Common Weakness Enumeration (CWE)

  Common Weakness Enumeration is a standardized catalog of software weakness types used to classify recurring design, implementation, and architecture problems in security terms.

- Content Security Policy (CSP)

  Content Security Policy is a browser-enforced security mechanism that restricts which content sources a page may load or execute and helps reduce the impact of unsafe script behavior.

- Cross-Site Request Forgery (CSRF)

  Cross-site request forgery is a web-application flaw in which a user's browser is tricked into sending an unintended request to a site where that user is already authenticated.

- Cross-Site Scripting (XSS)

  Cross-site scripting is a web-application flaw that allows untrusted content to run in a user's browser in the context of a trusted site.

- Dynamic Application Security Testing (DAST)

  Dynamic application security testing evaluates a running application from the outside to identify security weaknesses in its behavior and exposed functionality.

- Input Validation

  Input validation checks incoming data against expected rules so that applications handle untrusted input more safely.

- Insecure Direct Object Reference (IDOR)

  Insecure direct object reference is an access-control failure in which an application exposes object identifiers without checking whether the requester is allowed to use them.

- Output Encoding

  Output encoding prepares untrusted data for a specific output context so that it is treated as content rather than as executable code or unsafe markup.

- Rate Limiting

  Rate limiting is a defensive control that restricts how quickly or how often a client can perform requests or actions within defined thresholds.

- Runtime Application Self-Protection (RASP)

  Runtime application self-protection monitors application behavior from inside the running application and can help detect or block suspicious activity in context.

- Secrets Management

  Secrets management is the practice of securely storing, distributing, rotating, and controlling access to sensitive credentials and cryptographic material.

- Secrets Scanning

  Secrets scanning is the process of searching code, repositories, builds, or logs for exposed credentials and other sensitive secret material.

- Secure Coding

  Secure coding is the practice of writing software in ways that reduce common security flaws and make applications safer to operate.

- Server-Side Request Forgery (SSRF)

  Server-side request forgery is a flaw in which an application can be tricked into making unintended requests to other systems on behalf of the attacker.

- Session Hijacking

  Session hijacking is the unauthorized takeover or misuse of a valid application session so that an attacker can act as an authenticated user without repeating the normal login flow.

- Session Management

  Session management is how an application creates, maintains, and ends authenticated user sessions safely over time.

- Software Bill of Materials (SBOM)

  A software bill of materials is a structured inventory of the components, libraries, packages, and dependencies that make up a software product, viewed from a supply-chain perspective.

- Software Composition Analysis (SCA)

  Software composition analysis identifies and evaluates third-party components and dependencies so that known security risks in the software supply chain can be managed.

- SQL Injection

  SQL injection is an application flaw that lets untrusted input interfere with the database queries an application issues, in unintended and dangerous ways.

- Static Application Security Testing (SAST)

  Static application security testing analyzes source code or related artifacts for security weaknesses without executing the application.

- Threat Modeling

  Threat modeling is the design-time process of identifying what could go wrong in a system, where its trust boundaries lie, and which controls would reduce the most significant risks.