Glossary
B
Black box
The black box is a service where the hacker does not have access to source code or information on the project's infrastructure, having only access to IPs and URLs associated with environments where the project is deployed.
C
CI/CD pipeline
A CI/CD pipeline is a series of organized steps or tasks that, mainly in an automated way, allow the successful and fast release of a new software version. Among the activities that take place are the compilation of the source code, the distribution of packages, the execution of quality and security tests and the deployment to different environments.
Cloud security posture management (CSPM)
CSPM is a set of practices for monitoring and managing security configurations and compliance with standards across cloud resources. It assesses IaC scripts, container images and cloud environments and services to identify misconfigurations, policy violations and other security issues.
Continuous deployment (CD)
The CD is a process that follows the CI. When merged, the different code changes made by developers shape a software product that can be deployed in a test or production environment. Automated procedures are executed to build the product, verify that it meets acceptance requirements and perform a proper deployment at the expected time, often directly to the end users.
Continuous integration (CI)
The CI is a practice in which a development team constantly uploads changes, either additions or removals, to a central repository. Automated procedures are run each time to validate that the modifications made to the code meet predefined requirements and to ensure that they integrate smoothly into the software.
CVSS
The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities. CVSS attempts to assign severity scores to vulnerabilities, allowing responders to prioritize responses and resources according to the risks. Scores are calculated based on a formula that depends on several metrics that approximate the ease and impact of exploitation. Scores range from 0 to 10, with 10 being the most severe.
CVSSF
The CVSSF is a metric generated by Fluid Attacks by modifying the CVSS metric, which shows the level of risk exposure represented by the vulnerabilities in your system.
D
Dynamic application security testing (DAST)
DAST is a security testing technique for detecting security vulnerabilities in an application. It assesses the running software without accessing its source code by using various attack vectors in search of unexpected behavior and weaknesses related to its deployment configuration, data and business logic.
H
Health Check
The Health Check is part of Fluid Attacks' Continuous Hacking solution and consists of performing security testing on the software the client developed before purchasing the Advanced plan.
Note: The Health Check is optional, but if it is not executed, parts of the application will not be tested, and, therefore, the possibility of vulnerabilities with the risk of exploitation will remain (in this case, the accuracy SLA does not apply).M
Mailmap
Mailmap is a table on Fluid Attacks' platform that organizes and unifies the different email addresses and names employed by the authors or contributors.
Manual penetration testing (MPT)
MPT is a cybersecurity assessment method in which skilled human testers (aka ethical hackers or pentesters) actively simulate real-world cyberattacks on infrastructure, applications, and other IT systems. MPT primarily aims to identify and exploit vulnerabilities that are out of reach for automated tools.
R
Reverse engineering (RE)
RE is an outside-in process of deconstructing software for analyzing and understanding its design, structure and functionality in depth. In RE, experts (aka reverse engineers) unravel the source code and its components and functions to discover how that specific technology works and whether it has security issues.
S
Software composition analysis (SCA)
SCA is a technique for identifying and analyzing third-party components and dependencies in software. Regarding security, SCA assesses libraries, frameworks, and packages to determine their versions and detect vulnerabilities, conflicting licenses and other software quality issues.
Static application security testing (SAST)
SAST is a security testing technique for identifying security vulnerabilities in an application's source code. It examines the non-running code to look for programming patterns, misconfigurations and insecure practices that attackers could exploit.
T
Target of Evaluation (ToE)
The ToE is the product or system that will be the subject of Fluid Attacks' security testing. It is mainly defined by adding Git repositories and environments in the Scope section of a group on the Fluid Attacks platform.
W
White box
The white box is a service where the hacker has all the information privileges such as Git roots, credentials, source code and environments.