Web Security: Glossary of Terms
By Viktor Petersson
Siteimprove Web Security uses a range of specific terms and explanations as part of the guidance provided. Below you’ll find a glossary of some of the key terms used within the Web Security module, as well as recommendations on how some of these concepts are applied.
Access Control Lists (ACLs)
Access Control Lists (ACLs) are tables of rules that specify which users, groups, or enterprise roles have permission to interact with a content item, as well as which types of actions may be applied to an object or item. In cloud storage, ACLs are often used to set the specific permissions on specific buckets of data.
Cipher algorithm
A cipher algorithm is a framework used to encrypt data so that only those holding the corresponding keys can access it. Example use cases include login solutions (protecting sensitive login details) and file transfers.
There are a number of different cipher algorithms available for encryption. Many of them are older and less complex, which can mean that they are more easily compromised by somebody looking to gain access to the data. Most modern ciphers try to combine high-speed encryption with a high degree of security. An example of this is AES (Advanced Encryption Standard), which is trusted by the U.S. Government amongst others.
Common Vulnerabilities and Exposures (CVE)
Common Vulnerabilities and Exposures (CVE) is a public dictionary of known and disclosed cybersecurity vulnerabilities. The goal of CVEs is to make it easier to share knowledge and insights on known weaknesses, vulnerabilities, and exposures, and thereby to make a high degree of security easier to achieve. CVE is sponsored and maintained by, amongst others, the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA).
In Siteimprove Web Security, a CVE refers to a specific known vulnerability that has yet to be patched or fixed in your web application or server setup. Tracking these makes it much easier to ensure that you avoid being the target of known weaknesses.
Content Security Policy (CSP)
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to the distribution of malware.
CSP is designed to be fully backward compatible. Browsers that don't support it still work with servers that implement it, and vice-versa: browsers that don't support CSP simply ignore it, functioning as usual, defaulting to the standard same-origin policy for web content. If the site doesn't offer the CSP header, browsers likewise use the standard same-origin policy.
Cross-site scripting (XSS)
Cross-site scripting (XSS) is a security exploit that allows an attacker to inject malicious client-side code into a website. This code is executed in the victims' browsers and lets the attacker bypass access controls and impersonate users.
These attacks succeed if the web app does not employ enough validation or output encoding. The user's browser cannot tell that the malicious script is untrustworthy, and so gives it access to any cookies, session tokens, or other sensitive site-specific information, or lets the malicious script rewrite the HTML content.
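The following is an added example, not code from the Siteimprove page, showing the defect the paragraph describes and its fix. A vulnerable renderer concatenates an untrusted comment straight into HTML; the hardened renderer applies contextual output encoding (`html.escape`) for the text-node and attribute contexts. The comment text is a constructed sample.

```python
import html
import re

# Constructed sample input: a visitor-supplied comment containing markup.
UNTRUSTED_COMMENT = "Nice post! <script>alert(document.cookie)</script>"


def render_vulnerable(comment: str) -> str:
    """'Before' case: untrusted input is placed into the page without encoding.
    Whatever markup the comment contains becomes part of the document."""
    return f'<p class="comment">{comment}</p>'


def render_escaped(comment: str) -> str:
    """Hardened case: encode <, >, &, and quotes so the browser treats the
    comment as text, never as markup."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def render_attribute(value: str) -> str:
    """Same idea inside an attribute value: quote=True is essential here,
    because an unencoded double quote would end the attribute early."""
    return f'<a title="{html.escape(value, quote=True)}">link</a>'


SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_script_tag(rendered: str) -> bool:
    """Crude check used only to demonstrate the difference between the two
    renderers; it is not a general XSS detector."""
    return SCRIPT_TAG.search(rendered) is not None


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(UNTRUSTED_COMMENT))
    print("escaped:   ", render_escaped(UNTRUSTED_COMMENT))
```

Encoding must match the context the data lands in: the HTML text encoding above does not make a value safe inside a `<script>` block or a URL, which each need their own encoding rules.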
DNS resolver
The DNS resolver is the first stop in a DNS lookup, and it is responsible for dealing with the client that made the initial request. The resolver starts the sequence of queries that ultimately leads to the hostname in a URL being translated into the necessary IP address.
Open DNS resolvers that accept queries from any IP address and are exposed to the Internet can be attacked and used to conduct Denial of Service (DoS) attacks on behalf of the hacker.
Elasticsearch
Elasticsearch is a distributed, open-source search and analytics engine for all types of data, including textual, numerical, geospatial, structured, and unstructured. Elasticsearch is built on Apache Lucene and was first released in 2010 by Elasticsearch N.V. (now known as Elastic).
To ensure that your Elasticsearch service does not become a security liability, it is considered best practice to encrypt all data within your Elasticsearch cluster, not to expose the cluster to the internet without precautions, and to implement strict access controls.
End-of-life (EOL)
End-of-life (EOL) is a term used for a product supplied to customers, indicating that the product is at the end of its useful life from the vendor's point of view. Vendors usually stop selling, marketing, and supporting products once they reach EOL status.
With End-of-Life technology, patches, bug fixes, and security upgrades stop. As a result, the security of the product effectively comes to a dead halt: newly discovered flaws will not be fixed by the vendor.
End-of-service (EOS)
End-of-service (EOS) is a term used for products that vendors do not intend to keep updating and supporting. It is similar to End-of-Life, described above; however, EOS usually occurs before End-of-Life.
Just as with End-of-Life services and products, using products beyond the End-of-service point can have serious security implications, as new vulnerabilities are not guaranteed to be patched by the vendor in question.
FTP service
FTP service is a Microsoft Windows service on servers running Microsoft Internet Information Services (IIS). The FTP service supports the Internet standard File Transfer Protocol (FTP) and allows users to upload and download files between FTP clients and FTP servers such as IIS.
HTTP Strict Transport Security (HSTS)
The HTTP Strict-Transport-Security response header (HSTS) lets a website tell browsers that it should only be accessed using HTTPS, instead of using HTTP.
If a website accepts a connection through HTTP and redirects to HTTPS, visitors may initially communicate with the non-encrypted version of the site before being redirected, if, for example, the visitor types http://www.foo.com/ or even just foo.com. This creates an opportunity for a man-in-the-middle attack.
The redirect could be exploited to direct visitors to a malicious site instead of the secure version of the original site. The HTTP Strict Transport Security header informs the browser that it should never load the site using HTTP and should automatically convert all attempts to access the site over HTTP into HTTPS requests instead.
HTTPS
HTTPS (HyperText Transfer Protocol Secure) is an encrypted version of the HTTP protocol. It uses SSL or TLS to encrypt all communication between a client and a server. This secure connection allows clients to safely exchange sensitive data with a server, such as when performing banking activities or online shopping.
IMAP
IMAP (Internet Message Access Protocol) lets you manage your emails directly on the email server. This means that if you set up your account as an IMAP account in your email program, your incoming emails are no longer downloaded straight to your device; instead, you receive a list of the messages with their subject lines, and a message is only fully loaded once you open it.
IMAP services have a series of known security issues, the largest of which is the fact that they accept login credentials in plaintext.
Message authentication code (MAC)
A message authentication code (MAC) is a block of a few bytes used to authenticate a message. The receiver can check this block and be sure that the message has not been modified by a third party.
There are a number of different algorithms available to generate MACs, including HMAC, GCM, and CBC-MAC.
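As an added example (not Siteimprove's code), here is the HMAC variant of the MAC described above, implemented with the Python standard library: a sender computes a tag over the message with a shared key, and the receiver recomputes it and compares with a constant-time comparison so that a modified message or a wrong key is rejected. The key and message below are constructed samples; the signed-token format (`payload.hextag`) is this example's own convention, not a standard.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed sample key and message. A real key should come from
# secrets.token_bytes(32) and be stored outside the code.
KEY = b"constructed-demo-key-do-not-reuse"
MESSAGE = b'{"account":"1234","amount":100}'


def make_mac(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag (32 bytes) over the message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time; a plain == comparison
    would leak, byte by byte, how much of a forged tag is correct."""
    return hmac.compare_digest(make_mac(key, message), tag)


def sign_token(key: bytes, payload: str) -> str:
    """Attach a hex HMAC to a string payload, e.g. for a cookie value."""
    tag = hmac.new(key, payload.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def parse_token(key: bytes, token: str) -> Optional[str]:
    """Return the payload only if its tag verifies; otherwise None."""
    payload, sep, tag = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return payload


def demo() -> Tuple[bool, bool]:
    """Returns (genuine message verifies, tampered message verifies)."""
    tag = make_mac(KEY, MESSAGE)
    tampered = MESSAGE.replace(b"100", b"900")
    return verify_mac(KEY, MESSAGE, tag), verify_mac(KEY, tampered, tag)


if __name__ == "__main__":
    print("genuine ok, tampered ok:", demo())
    print(sign_token(KEY, "user=alice"))
```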
Malware
Malware (malicious software) is a program designed to damage the operation of a system, steal data, or gain unauthorized access to a network. Common types of malware are viruses, worms, trojans, botnets, ransomware, and crypto-miners.
Malware event
A malware event refers to specific activity tied to how malware functions. Examples include a read receipt for a malicious email, a user clicking a malicious link, or a compromised machine calling back to a command-and-control node somewhere.
In Siteimprove Web Security, active malware events indicate that users or machines within your organization have been interacting with malware. If left unattended, this could indicate imminent security risks that should be reviewed by your IT or security team. The severity of each malware event is determined by how recently the event was found. Web Security scans for malware events (1).
MySQL
MySQL is an open-source relational database management system. MySQL has a number of known vulnerabilities for which patches exist, and you should make sure those patches are applied to your setup. There are also a series of steps you can take to ensure high security in your MySQL setup, including setting a root password and deleting test accounts and test databases, amongst others.
Patching cadence
Patching cadence refers to how often an organization reviews its systems, networks, and applications for updates that remediate security vulnerabilities. Every endpoint, whether a server or a mobile device, runs software whose code can contain flaws that act as backdoors, which cybercriminals use to gain access to an organization's IT ecosystem.
Ransomware
Ransomware is a form of malware that encrypts a victim's files. The attacker then demands a ransom from the victim, promising to restore access to the data upon payment. Users are shown instructions on how to pay a fee to get the decryption key. The costs can range from a few hundred dollars to thousands, payable to cybercriminals in the form of cryptocurrency.
Web server
The term web server can refer to hardware or software, or both working together.
On the hardware side, a web server is a computer that stores web server software and a website's component files.
On the software side, a web server includes several parts that control how web users access hosted files. At a minimum, this is an HTTP server: software that understands URLs (web addresses) and HTTP (the protocol your browser uses to view webpages) (4).
Sinkhole
A sinkhole is a server designed to capture malicious traffic and prevent the control of infected computers by the criminals who infected them.
Sender Policy Framework (SPF)
The Sender Policy Framework (SPF) is an email-authentication technique used to prevent spammers from sending messages on behalf of your domain. With SPF, an organization publishes the list of mail servers authorized to send on its behalf, and receiving servers check the sending server against that list.
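As an added example (not Siteimprove's code), the check a receiving mail server performs: look up the domain's SPF record and walk its mechanisms until one matches the connecting IP, returning the qualifier's result. The records below are a constructed, in-memory stand-in for DNS TXT lookups (the domains `example.test` and `_spf.mailer.test` are hypothetical), and only the `ip4`, `ip6`, `include` and `all` mechanisms are implemented; `a`, `mx`, `ptr` and `exists` need live DNS and are reported as unsupported.

```python
import ipaddress
from typing import Dict

# Constructed stand-in for DNS TXT records; no real lookups are performed.
TXT_RECORDS: Dict[str, str] = {
    "example.test": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:_spf.mailer.test -all",
    "_spf.mailer.test": "v=spf1 ip4:198.51.100.10 ~all",
}

# Qualifier prefix -> SPF result when the mechanism matches (default is '+').
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, sender_ip: str, records: Dict[str, str], depth: int = 0) -> str:
    """Evaluate sender_ip against domain's SPF record.
    Returns pass / fail / softfail / neutral / none / permerror."""
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10 per check
        return "permerror"
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)

    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        matched = False

        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                # An IPv4 address never matches an IPv6 network and vice versa.
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            inner = check_spf(arg, sender_ip, records, depth + 1)
            if inner == "pass":
                matched = True
            elif inner in ("none", "permerror"):
                return "permerror"  # RFC 7208 section 5.2
        else:
            return "permerror"  # a, mx, ptr, exists: not implemented in this demo

        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term was present


if __name__ == "__main__":
    for ip in ("192.0.2.55", "198.51.100.10", "203.0.113.7"):
        print(ip, "->", check_spf("example.test", ip, TXT_RECORDS))
```

Note the difference between `-all` (hard fail, the message should be rejected) and `~all` (soft fail, the message is accepted but marked), which is the single most consequential choice in an SPF record.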
SSH
SSH is a protocol for securely exchanging data between two computers over an untrusted network. SSH protects the privacy and integrity of the transferred identities, data, and files. It runs on most computers and on practically every server. It ships standard on UNIX, Linux, and macOS machines and it is used in over 90% of all data centers in the world.
The SSH protocol works on the client-server model. The SSH client always initiates the setup of the secure connection, and the SSH server listens for incoming connection requests and responds to them.
Subresource Integrity (SRI)
Subresource Integrity (SRI) is a security feature that enables browsers to verify that resources they fetch (for example, from a CDN) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched resource must match.
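As an added example (not Siteimprove's code), here is both sides of SRI: the publisher computes the `integrity` value for a file it will serve from a CDN, and a browser-style check recomputes the hash of whatever was actually fetched and refuses a mismatch. The resource body is a constructed sample; the `verify_sri` function follows the SRI specification's rule of honouring only the strongest algorithm listed, and its behaviour on empty metadata (no check applied) is the spec's, not an assumption.

```python
import base64
import hashlib
import hmac
from typing import List, Tuple

# Constructed sample resource, standing in for a library served from a CDN.
LIBRARY_JS = b"export function add(a, b) { return a + b; }\n"

# Algorithms SRI permits, ordered by strength.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(body: bytes, algorithm: str = "sha384") -> str:
    """Integrity metadata for a resource body: '<alg>-<base64 digest>'."""
    if algorithm not in STRENGTH:
        raise ValueError("SRI permits only sha256, sha384 and sha512")
    digest = hashlib.new(algorithm, body).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(integrity: str) -> List[Tuple[str, str]]:
    """Split a space-separated integrity attribute into (algorithm, b64) pairs,
    ignoring tokens with unknown algorithms as the spec requires."""
    entries = []
    for token in integrity.split():
        alg, _, b64 = token.partition("-")
        if alg in STRENGTH and b64:
            entries.append((alg, b64))
    return entries


def verify_sri(fetched_body: bytes, integrity: str) -> bool:
    """Browser-side check. With no valid metadata the resource is loaded unchecked;
    otherwise only entries using the strongest listed algorithm are consulted,
    and any one of them matching is enough."""
    entries = parse_integrity(integrity)
    if not entries:
        return True
    strongest = max(STRENGTH[alg] for alg, _ in entries)
    for alg, b64 in entries:
        if STRENGTH[alg] != strongest:
            continue
        if hmac.compare_digest(sri_hash(fetched_body, alg), f"{alg}-{b64}"):
            return True
    return False


def script_tag(src: str, body: bytes) -> str:
    """What the publisher puts in the page. crossorigin is required for
    cross-origin resources, otherwise the browser cannot check the hash."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            f'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    print(script_tag("https://cdn.example.test/lib.js", LIBRARY_JS))
```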
Transport Layer Security (TLS)
Transport Layer Security, or TLS, is a widely adopted security protocol designed to facilitate privacy and data security for communications over the Internet. A primary use case of TLS is encrypting the communication between web applications and servers, such as web browsers loading a website.
Website vulnerability
A website vulnerability is a weakness or misconfiguration in a website or web application that can allow a hacker to gain some level of control over the site, and possibly the supporting host server. Most vulnerabilities are found within the web application or the server systems supporting the application.
Vulnerabilities still represent the largest risk factor in terms of cyberattacks, and removing as many of these as possible is a key step in ensuring good cyber health.
Web application
A web application is a computer program that uses a web browser to perform a particular function. It is also called a web app. Web apps are present on many websites; a simple example is a contact form on a website. A web application is a client-server program, meaning that it has a client side and a server side. The term "client" here refers to the program the individual uses to run the application (3).
Website Security Certificate (SSL certificate)
A website security certificate is a digital stamp of approval from an industry-trusted third party known as a certificate authority (CA). More specifically, it's a digital file containing information that's issued by a CA that indicates that the website is secured using an encrypted connection.
X-Frame-Options
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites. The added security is provided only if the user accessing the document is using a browser that supports X-Frame-Options.
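Three of the entries in this glossary (Content Security Policy, HTTP Strict Transport Security, and X-Frame-Options) are HTTP response headers whose value matters as much as their presence. The following added example, which is not Siteimprove's code and is not how the Web Security module performs its checks, audits a response's headers the way a practitioner would: it parses each header and flags a missing HSTS header or a short `max-age`, a CSP that permits `'unsafe-inline'` or wildcard script sources, and a page that can be framed by other sites. The two responses are constructed samples; the one-year `max-age` threshold is a common recommendation adopted here, not a value from the page.

```python
from typing import Dict, List

ONE_YEAR = 31536000  # seconds; threshold used by this audit


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """'default-src x; script-src a b' -> {'default-src': ['x'], 'script-src': ['a', 'b']}"""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def parse_hsts(value: str) -> Dict[str, str]:
    """'max-age=100; includeSubDomains' -> {'max-age': '100', 'includesubdomains': ''}"""
    params: Dict[str, str] = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            params[name.lower()] = val.strip().strip('"')
    return params


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings for one response's security headers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    # HSTS: present, long-lived, and covering subdomains
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing; returning browsers will still try plain HTTP")
    else:
        params = parse_hsts(hsts)
        try:
            max_age = int(params.get("max-age", "0"))
        except ValueError:
            max_age = 0
        if max_age < ONE_YEAR:
            findings.append(f"HSTS: max-age={max_age} is below one year ({ONE_YEAR})")
        if "includesubdomains" not in params:
            findings.append("HSTS: includeSubDomains not set")

    # CSP: present and actually restricting where scripts may come from
    csp = h.get("content-security-policy")
    directives = parse_csp(csp) if csp else {}
    if csp is None:
        findings.append("CSP: header missing; only the same-origin policy applies")
    else:
        script_src = directives.get("script-src", directives.get("default-src"))
        if script_src is None:
            findings.append("CSP: neither script-src nor default-src is set")
        else:
            if "'unsafe-inline'" in script_src:
                findings.append("CSP: script-src allows 'unsafe-inline'; injected inline scripts would run")
            if "*" in script_src or "data:" in script_src:
                findings.append("CSP: script-src allows wildcard or data: sources")

    # Framing: either X-Frame-Options or the CSP frame-ancestors directive
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN") and not directives.get("frame-ancestors"):
        findings.append("Framing: no X-Frame-Options DENY/SAMEORIGIN and no frame-ancestors; clickjacking possible")
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=3600",
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
}

HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": f"max-age={ONE_YEAR}; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://static.example.test; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    for name, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name, audit_headers(response) or ["no findings"])
```

The hardened response still carries `X-Frame-Options` alongside `frame-ancestors`, because the glossary's caveat applies: the protection only exists in browsers that understand the header, and older browsers that predate CSP Level 2 know only X-Frame-Options.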