Sean Wright


Personal blog of app security guy, blogging about application security related topics, focused primarily on web based applications.


Common Security Related Terms and Concepts

2nd November 2019

General

  • Defense in Depth - Applying security controls in layers, so that if an attacker breaches one layer or obstacle, they still have another layer or obstacle to contend with. No single control is relied upon to stop an attack.
  • Least Privilege - Granting a user, service or process only the permissions it needs to perform its task, and nothing more. This limits the damage a compromised account or component can do.

Cryptography

  • Plain Text - The original, readable data before encryption.
  • Cipher Text - The data after it has been encrypted; unreadable without the key.
  • Symmetric Cipher - An encryption algorithm where the same key is used both to encrypt plain text into cipher text and to decrypt cipher text back into plain text. Both parties must already share the key.
  • Asymmetric Cipher - Encryption takes place via a mathematically related public and private key pair. Typically the public key is used to encrypt plain text into cipher text, and only the corresponding private key can decrypt the cipher text back into plain text. The public key can be shared freely; the private key must be kept secret.
  • Public Key Encryption - Synonymous with asymmetric ciphers.
  • Hash - A one way cryptographic function which takes input data of any length and produces a fixed-length digest (the hash value). The input cannot feasibly be recovered from the hash value on its own, and any change to the input produces a different hash.
  • Salt - A random value, unique per entry, combined with the plain text before hashing. Because two identical inputs then produce different hashes, a table of precomputed hashes cannot be reused across entries. The salt is stored alongside the hash and does not need to be secret.
  • Dictionary Attack - The attacker takes a list of likely plain text values (the dictionary), hashes each one and compares the results against captured hashes. Against unsalted hashes the lookup table of hash values to plain text values can be precomputed once and reused against every hash the attacker obtains.
  • Entropy - The amount of unpredictability in a key, password or random value, measured in bits. This is important for cryptography, since the more entropy a key or secret has, the more guesses an attacker must make to find it by brute force.
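The following is an added example (not from the original post) tying the hash, salt, dictionary attack and entropy definitions together. The word list and password are constructed for illustration. It shows an attacker's precomputed lookup table recovering an unsalted SHA-256 password hash instantly, and the same table failing once a per-user random salt is mixed in.

```python
# Added example (not from the original post): hashing, salting and why a
# precomputed lookup table works against unsalted hashes but not salted ones.
import hashlib
import hmac
import secrets

# Constructed "dictionary" of likely passwords the attacker precomputes once.
ATTACKER_WORDLIST = ["password", "letmein", "123456", "qwerty", "hunter2"]


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: the same input always gives the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """SHA-256 of salt || password. With a fresh random salt per user, two users
    with the same password get different digests, so one precomputed table
    cannot be reused across them."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_lookup_table(wordlist) -> dict:
    """Attacker side: precompute digest -> plain text for every dictionary word."""
    return {unsalted_hash(w): w for w in wordlist}


def lookup_attack(table: dict, stored_digest: str):
    """Return the plain text if the captured digest is in the table, else None."""
    return table.get(stored_digest)


def new_salt(nbytes: int = 16) -> bytes:
    """16 bytes from the OS CSPRNG: 128 bits of entropy, far beyond any word list."""
    return secrets.token_bytes(nbytes)


def verify_salted(password: str, salt: bytes, stored_digest: str) -> bool:
    """Defender side: recompute with the stored salt and compare in constant
    time so the comparison does not leak how many bytes matched."""
    return hmac.compare_digest(salted_hash(password, salt), stored_digest)


def demo():
    table = build_lookup_table(ATTACKER_WORDLIST)
    # Unsalted: the stored digest of "hunter2" is found in the table immediately.
    cracked = lookup_attack(table, unsalted_hash("hunter2"))
    # Salted: same password, but the digest matches no precomputed entry.
    salt = new_salt()
    not_cracked = lookup_attack(table, salted_hash("hunter2", salt))
    return cracked, not_cracked


if __name__ == "__main__":
    print(demo())  # ('hunter2', None)
```

Plain SHA-256 is used here only so the effect of the salt is easy to see. A real password store should use a deliberately slow, salted password hash (bcrypt, scrypt, Argon2 or PBKDF2) so that even a per-hash dictionary attack is expensive.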

Passwords

  • MFA - Multi-Factor Authentication. Authentication that requires two or more independent factors, typically something you know (a password), something you have (a phone or hardware key) and something you are (a biometric). 2FA is the common case with exactly two factors.
  • OTP - One Time Password. A form of MFA where a password valid for a single use serves as an additional factor. Once it has been used, or has expired, it is rejected.
  • TOTP - Time-based One Time Password (RFC 6238). A variant of OTP in which the code is derived from a shared secret and the current time, so it expires after a set period (typically 30 seconds) and a new code is generated. It is one of the most popular forms of MFA and is what authenticator apps implement.
  • U2F - Universal 2nd Factor. A FIDO standard for MFA which relies on hardware security keys. The key signs a challenge bound to the site's origin, which makes it resistant to phishing.
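As an added example (not from the original post), here is a minimal TOTP implementation following RFC 6238, which is HOTP (RFC 4226) with the counter derived from the current time. The shared secret is the one from the RFC test vectors, so the codes can be checked against the published values; a real deployment generates a random secret per user. The `last_accepted_counter` parameter is my own addition to enforce the "single use" property of an OTP.

```python
# Added example (not from the original post): TOTP per RFC 6238 / HOTP per RFC 4226.
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 6238 test vectors (ASCII "12345678901234567890").
# In practice a random secret is generated per user and shared once with the
# authenticator app, usually via a QR code.
RFC_TEST_SECRET = b"12345678901234567890"
TIME_STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """RFC 6238: the counter is the number of whole time steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_accepted_counter=None, window: int = 1):
    """Server-side check. Accepts the code for the current step and +/- `window`
    adjacent steps to tolerate clock drift. Returns the accepted counter, or None.
    The caller stores the returned counter and passes it back as
    last_accepted_counter so the same code cannot be replayed within its window
    (this replay guard is an assumption of the example, not part of the RFC)."""
    counter = unix_time // TIME_STEP_SECONDS
    for c in range(counter - window, counter + window + 1):
        if last_accepted_counter is not None and c <= last_accepted_counter:
            continue  # already consumed: one time means one time
        if hmac.compare_digest(hotp(secret, c), submitted):
            return c
    return None


if __name__ == "__main__":
    # RFC 6238 vector: at T=59 the 6-digit code is 287082 (8-digit: 94287082).
    print(totp(RFC_TEST_SECRET, 59))
    print(totp(RFC_TEST_SECRET, int(time.time())))
```

The `window` of one step either side is the usual compromise between rejecting users whose phone clock has drifted and widening the period during which a captured code remains valid; the replay guard is what keeps a code from being accepted twice inside that window.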

Software Security

  • SAST - Static Application Security Testing. Tools that analyse source code (or compiled byte code) without running it, looking for security issues such as injection flaws or insecure API usage. Because it works on the code, it can run early, for example in the build pipeline.
  • DAST - Dynamic Application Security Testing. Tools that exercise a running application (typically a web based application) from the outside, sending requests and inspecting responses to find security issues, without access to the source code.
  • OWASP Top 10 - The OWASP list of the ten most critical web application security risks. It is updated periodically (roughly every three to four years) by the Open Web Application Security Project.
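To make the SAST definition concrete, here is an added example (not from the original post, and not a real scanner) of the kind of check a static analyser performs. It parses a constructed Python snippet with the standard `ast` module, never executes it, and flags `eval()`/`exec()` and `subprocess` calls made with `shell=True`, two patterns that commonly lead to code and command injection. The sample source, the rule set and the function names are all mine.

```python
# Added example (not from the original post): a toy static check in the spirit
# of SAST. It parses source code (never runs it) and flags dangerous calls.
import ast

# Constructed sample program under review; not real project code.
SAMPLE_SOURCE = '''
import subprocess

def run(cmd):
    subprocess.run(cmd, shell=True)   # flagged: shell=True with caller-supplied data

def safe_run(args):
    subprocess.run(args)              # not flagged: argument list, no shell

def calc(expr):
    return eval(expr)                 # flagged: eval on possibly untrusted input
'''

DANGEROUS_BARE_CALLS = {"eval", "exec"}
SUBPROCESS_CALLS = {"run", "call", "check_call", "check_output", "Popen"}


def _call_name(node: ast.Call):
    """('subprocess', 'run') for subprocess.run(...), ('', 'eval') for eval(...)."""
    f = node.func
    if isinstance(f, ast.Name):
        return "", f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f.value.id, f.attr
    return None


def _has_shell_true(node: ast.Call) -> bool:
    """True when the call passes the literal keyword argument shell=True."""
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in node.keywords)


def scan_source(source: str) -> list:
    """Return (line number, message) findings for the dangerous call patterns."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name is None:
            continue
        module, func = name
        if module == "" and func in DANGEROUS_BARE_CALLS:
            findings.append((node.lineno, f"use of {func}() on possibly untrusted input"))
        elif module == "subprocess" and func in SUBPROCESS_CALLS and _has_shell_true(node):
            findings.append((node.lineno,
                             f"subprocess.{func} with shell=True (command injection risk)"))
    return sorted(findings)


if __name__ == "__main__":
    for line, msg in scan_source(SAMPLE_SOURCE):
        print(f"line {line}: {msg}")
```

Note the trade-off this illustrates: a static check like this cannot tell whether `cmd` actually comes from a user, so it reports every `shell=True` and leaves triage to a human (false positives), whereas a DAST tool would only find the injection if it managed to trigger it through the running application (false negatives).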
