
Software Security Assurance Glossary

Application Vulnerabilities - Web application security vulnerabilities fall into two categories: coding errors and design flaws.

Automated Source Code Analysis - Source code analysis has historically been an effective but time-consuming and costly manual process; the emergence of automated tools has made it far more achievable. These tools do not replace manual review but improve it, making it practical to cover far more code consistently and to reach significantly higher levels of accuracy.

COBIT - Control Objectives for Information and related Technology, a widely recognized framework for information, systems, and technology controls, compliance, and auditing.

COCOMO - Constructive Cost Model - Barry Boehm's model for estimating the effort (person-hours) and cost of software development. It is often cited for the finding that the cost of fixing a defect rises steeply the later it is found: "A bug that costs $1 to fix in the design phase will cost $100 to correct in the field."

Code Audit - A source code audit should cover: measurement of vulnerabilities against prescribed standards for security and risk management; testing of software applications for the existence of security vulnerabilities; management of software security vulnerabilities throughout system design, development, maintenance and change management; and management of software security in all outsourced systems and programming processes.

Coding Errors - Coding errors are implementation-level programming flaws, such as missing or incomplete input validation, unbounded parameters (for example, copying attacker-controlled data into a fixed-size buffer without a length check) and improper encoding of data passed to an interpreter or output context.

Contextual Analysis™ - This patent-pending technology automates the analysis of source code and bytecode and enables Ounce to understand the complex interrelationships between individual calls, modules, inputs and outputs, security mechanisms, and processes.

COSO - COSO refers to the Committee of Sponsoring Organizations for the Commission on Fraudulent Financial Reporting (also known as the Treadway Commission). The COSO "Internal Control Integrated Framework" is a recognized formal model for compliance with the Sarbanes-Oxley act. See www.coso.org.

Design Flaws - Web application design flaws include insecure implementation of the Java security model, improper logging and error handling, and use of unsupported APIs.

DIACAP - Defense Information Assurance Certification and Accreditation Process, extending the work begun by DITSCAP.

DITSCAP - Defense Information Technology Security Certification and Accreditation Process.

FFIEC - Federal Financial Institutions Examination Council - establishes IT guidelines for financial services companies, including "where possible, financial institutions should use software that has been subjected to independent security review..."

FISMA - The Federal Information Security Management Act of 2002 applies to all federal agencies (and to the contractors and other organizations that operate systems on their behalf) and sets forth broad-based security requirements for each agency to follow.

GLBA - Gramm-Leach-Bliley Act, signed into law on November 12, 1999. Compliance with GLBA 501(b) requires thorough analysis of the systems on which financial organizations run, and the guidance given by the FTC and the FFIEC includes specific software analysis requirements.

HIPAA - Health Insurance Portability and Accountability Act of 1996 - designed to guarantee patient privacy rights, and to enforce healthcare organizations' responsibility for keeping that data private.

ISO/IEC 17799 - Although called an international standard, ISO/IEC 17799 is actually classified as a "Code of practice for information security management." It was renumbered ISO/IEC 27002 in 2007.

Manual Code Review - A labor-intensive process of scrutinizing source code to locate possible areas of vulnerability, as well as architectural and functional flaws, usually performed by a team of highly trained security and programming experts. Gartner estimates there are only 500 software engineers worldwide with the skill and knowledge necessary to efficiently scan code for security problems.

NIAP - National Information Assurance Partnership - NIST/NSA initiative for evaluating Information Technology Security Products.

NIST - National Institute of Standards and Technology.

OWASP Top 10 - Top web application vulnerabilities that provide a minimum standard for web application security. This list of vulnerabilities was developed by members of the Open Web Application Security Project.

Patch Management - Automated patch management tools provide an efficient way for administrators to keep track of the massive number of security updates released for applications under their responsibility.

PCI Standard - Payment Card Industry Data Security Standard (PCI DSS) - set of requirements, originally established by Visa and MasterCard, for merchants and service providers that store, process or transmit cardholder data. It requires them to develop and maintain secure systems and applications and to prevent "common coding vulnerabilities in software development processes."

Penetration Testing - Penetration testing and vulnerability scanning probe a running system from the outside, analyzing networks and hosts for faulty or poorly configured services, applications and operating systems that would permit unauthorized access to a web application. Because they observe only externally visible behavior, these techniques find the symptoms of a vulnerability rather than its location in the source code.

Ounce Solution - The Ounce software security solution identifies, manages, and addresses application security vulnerabilities before they can become liabilities. Ounce scans C++, C, Java, JSP, J2EE, J2SE, JDBC, Struts and JAAS source code on Windows, Linux, Solaris and AIX development platforms and Windows, Linux and Solaris runtime platforms.

Sarbanes-Oxley - The Sarbanes-Oxley Act of 2002 (SOX), in sections 302 and 404, requires management to evaluate and report on the effectiveness of disclosure controls and procedures for quarterly and annual reports, and to develop and monitor the procedures and controls that support its required assertion about the adequacy of internal controls over financial reporting. An external auditor must then attest to management's assertion.

SB1386 - California Senate Bill 1386 (California Database Security Breach Notification Act) - common name for legislation requiring any business or agency that holds unencrypted personal information about California residents to notify those residents when that data is, or is reasonably believed to have been, acquired by an unauthorized person. The statute is codified in the California Civil Code (section 1798.82).

Secure Programming - Utilizing secure programming best practices helps prevent web application vulnerabilities. Most web application vulnerabilities are caused by coding errors and application design flaws.

SmartTrace™ - SmartTrace presents a graphical, interactive trace of tainted data through an application and helps instantly identify and address the most dangerous source of web application vulnerabilities.
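The kind of source-to-sink data-flow reasoning that the Automated Source Code Analysis, Contextual Analysis and SmartTrace entries describe, shown as an added toy example in Python. This is illustrative code written for this glossary, not Ounce's technology or code. It assumes a tiny straight-line language of assignments and calls; the source, sanitizer and sink names and the sample program are constructed for the example.

```python
"""Toy source-to-sink taint tracker (added illustration; not Ounce's Contextual
Analysis or SmartTrace).  It walks a straight-line program of assignments and
calls, propagates taint from input sources through assignments, clears it at
sanitizers, and reports a line-by-line trace for every tainted value that
reaches a dangerous sink."""
import re
from dataclasses import dataclass

# Assumed API names for the toy language (constructed for this example).
SOURCES = {"request.getParameter", "read_input"}   # attacker-controlled data enters here
SANITIZERS = {"encode_html", "escape_sql"}         # their result is treated as clean
SINKS = {"response.write", "db.execute"}           # dangerous when given tainted data

ASSIGN_RE = re.compile(r"^(\w+)\s*=\s*(.+)$")
CALL_RE = re.compile(r"^([\w.]+)\s*\((.*)\)$")
IDENT_RE = re.compile(r"[A-Za-z_]\w*")


@dataclass
class Finding:
    sink: str
    line: int
    trace: list          # [(line_number, statement), ...] from source to sink


def analyze(program: str) -> list:
    """Return one Finding per tainted argument that reaches a sink."""
    taint = {}           # variable -> trace back to the source that tainted it
    findings = []
    for lineno, raw in enumerate(program.strip().splitlines(), 1):
        stmt = raw.split("#", 1)[0].strip()   # toy: '#' never appears inside a string
        if not stmt:
            continue
        assign = ASSIGN_RE.match(stmt)
        if assign:
            var, rhs = assign.group(1), assign.group(2)
            call = CALL_RE.match(rhs)
            if call and call.group(1) in SOURCES:
                taint[var] = [(lineno, stmt)]             # new taint origin
            elif call and call.group(1) in SANITIZERS:
                taint.pop(var, None)                      # sanitized result is clean
            else:
                # Any tainted identifier on the right-hand side taints the target
                # (words inside string literals are scanned too; fine for a toy).
                tainted = [t for t in IDENT_RE.findall(rhs) if t in taint]
                if tainted:
                    taint[var] = taint[tainted[0]] + [(lineno, stmt)]
                else:
                    taint.pop(var, None)                  # overwritten with clean data
            continue
        call = CALL_RE.match(stmt)
        if call and call.group(1) in SINKS:
            for arg in IDENT_RE.findall(call.group(2)):
                if arg in taint:
                    findings.append(Finding(call.group(1), lineno,
                                            taint[arg] + [(lineno, stmt)]))
    return findings


def format_findings(findings: list) -> str:
    """Render findings as an indented source-to-sink trace."""
    out = []
    for f in findings:
        out.append(f"tainted data reaches {f.sink} at line {f.line}:")
        out.extend(f"    {ln:>3}: {s}" for ln, s in f.trace)
    return "\n".join(out)


# Constructed sample program in the toy language.
SAMPLE = """
name = request.getParameter("name")
greeting = "Hello " + name
response.write(greeting)        # reflected XSS: unencoded input reaches HTML output
safe = encode_html(name)
response.write(safe)            # clean: sanitized before the sink
query = "SELECT * FROM users WHERE name='" + name + "'"
db.execute(query)               # SQL injection: input concatenated into a query
"""

if __name__ == "__main__":
    print(format_findings(analyze(SAMPLE)))
```

Running the block reports two traces, one ending at `response.write` on line 3 and one at `db.execute` on line 7, and nothing for line 5 because the value was sanitized first. A real analyzer must additionally handle control flow, calls across methods and files, and the question of whether a given sanitizer is the right one for the sink's context; this toy shows only the core propagation idea.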

Software Risk Management - With 94% of IT security risks coming from software (National Institute of Standards and Technology), it is imperative that enterprises assess, measure, and manage their software risk.

Software Security Assurance (SSA) - Software security assurance is a combination of people, process, and technology employed to manage the organizational risk presented by off-the-shelf, open source, and custom software. For more information, consult "Software Security Assurance: A Framework for Software Vulnerability Management and Audit" by Charles Le Grand.

Software Security Metrics - Measuring the extent of software security vulnerabilities involves not only how often they occur but also the severity of the potential consequences of exploiting them. The location and type of a vulnerability contribute more to its seriousness than the raw number of vulnerabilities does. See V-Density.

Source Code - When humans write programs, they write them in "source code" using a programming language like C, C++, Java and others. Source code is compiled into object code that can be installed and processed on a computer. Common errors in programming result in security vulnerabilities.

Source Code Review - The only way to truly eliminate web application vulnerabilities is through code review, manual or automated, which makes it possible to attack vulnerabilities where they originate: in the source code itself.

STIGs - Security Technical Implementation Guides - security configuration guidelines created by DISA for DoD systems.

V-Density - The key metric at the heart of the Ounce solution is V-Density™ (vulnerability density), a numerical expression that enables a consistent, reliable, precise way to evaluate the vulnerability of your applications. V-Density is calculated by relating the number and criticality of vulnerabilities to the size of application or project being analyzed.
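A worked illustration of the idea behind the V-Density and Software Security Metrics entries (severity and location weigh more than raw counts), added here as example code that is not Ounce's published formula. The severity weights, the normalisation per thousand lines of code and the sample modules are assumptions made for this example.

```python
"""Weighted vulnerability density per module (added illustration).  The severity
weights, the per-KLOC normalisation and the sample data below are assumptions
for this example, not Ounce's V-Density formula."""
from collections import defaultdict

# Assumed severity weights: a single critical finding outweighs many low ones.
WEIGHTS = {"critical": 10, "high": 5, "medium": 2, "low": 1}


def weighted_density(findings, module_loc):
    """findings: [(module, severity), ...]; module_loc: {module: lines of code}.
    Returns {module: {"count": n, "score": weighted_sum, "per_kloc": density}}."""
    score = defaultdict(int)
    count = defaultdict(int)
    for module, severity in findings:
        if module not in module_loc:
            raise KeyError(f"finding in unknown module {module!r}")
        score[module] += WEIGHTS[severity]
        count[module] += 1
    result = {}
    for module, loc in module_loc.items():
        if loc <= 0:
            raise ValueError(f"module {module!r} has non-positive size")
        result[module] = {"count": count[module], "score": score[module],
                          "per_kloc": 1000.0 * score[module] / loc}
    return result


def project_density(findings, module_loc):
    """Whole-project weighted density per KLOC."""
    total_loc = sum(module_loc.values())
    total_score = sum(WEIGHTS[severity] for _, severity in findings)
    return 1000.0 * total_score / total_loc


def ranked(findings, module_loc):
    """Modules ordered by weighted density, highest risk first."""
    dens = weighted_density(findings, module_loc)
    return sorted(dens, key=lambda m: dens[m]["per_kloc"], reverse=True)


# Constructed sample: a small authentication module with one critical finding
# and a large reporting module with many minor ones.
SAMPLE_FINDINGS = ([("auth", "critical")]
                   + [("reports", "low")] * 6
                   + [("reports", "medium")])
SAMPLE_LOC = {"auth": 800, "reports": 12000, "util": 3000}

if __name__ == "__main__":
    dens = weighted_density(SAMPLE_FINDINGS, SAMPLE_LOC)
    for m in ranked(SAMPLE_FINDINGS, SAMPLE_LOC):
        d = dens[m]
        print(f"{m:8} findings={d['count']:2} score={d['score']:3} "
              f"density={d['per_kloc']:6.2f}/KLOC")
    print(f"project density={project_density(SAMPLE_FINDINGS, SAMPLE_LOC):.2f}/KLOC")
```

With the sample data the reporting module has seven findings and the authentication module only one, yet auth ranks first (12.5 per KLOC against about 0.67), which is the point the metrics entry makes: a count of findings alone would send the remediation effort to the wrong place.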