Glossary

Learn more about the language of software security.

If you don’t see a term defined on this page, refer to one of the governmental or industry standards cited in the References.

The definitions included in this page may vary from the cited standards, based on how we configure and use Cobalt software.

Agile Pentest

An Agile Pentest focuses on code changes or a specific area of an asset and comes with an Automated Report intended for internal use. Learn more about the pentest types.

Allowlist

An allowlist explicitly grants access to identified systems. In networks, an allowlist can specify IP addresses. You can typically find allowlists and denylists in files like /etc/hosts.allow and /etc/hosts.deny.

API Endpoint

An endpoint is typically a URL used to allow two software applications to communicate with each other. For example, https://api.cobalt.io/orgs is one endpoint that you can find at https://docs.cobalt.io.

Some endpoints include additional information that may make them seem different. For example, the following two URLs are in fact the same endpoint, as the content after the ampersand (&) describes an action on data sent from that URL:

  • example.com/endpoint1&_prettyPrint=true
  • example.com/endpoint1&_prettyPrint=false

Asset

For pentests, an asset is a software component of value. Cobalt can perform pentests on assets in the following categories:

  • Web apps
  • External networks
  • Internal networks
  • Mobile apps
  • APIs
  • Cloud configuration (AWS, Azure, GCP)

Application Security (AppSec)

Application security is the practice of using security software, hardware, techniques, best practices, and procedures to protect computer applications from external security threats. Source: TechTarget.

Application Security Verification Standard (ASVS)

The OWASP Application Security Verification Standard (ASVS) relates to pentests of web application technical security controls.

Attacker

Sometimes also known as a Threat Actor, Malicious Hacker, “Black-hat Hacker,” or “Cracker.” May be an individual, a group, or even a nation-state. Specified as “attacker” in Cobalt pentest reports.

Attestation Letter

The Attestation Letter is a one-page report that you can share with external stakeholders such as prospects or customers. We base the letter on our Executive Summary. You cannot customize an Attestation Letter.

Automated Report

An Automated Report is a system-generated report for an Agile Pentest intended for internal use. You cannot customize an Automated Report. Learn more about pentest reports.

Black Box Testing

Where the pentester has no knowledge of the internal details of the asset. Contrast with gray box and white box testing.

Also known as “opaque box testing.”

Center for Internet Security (CIS)

The Center for Internet Security is an independent nonprofit organization which develops and refines best practice security solutions.

One of the test criteria used by our pentesters is CIS Controls v8, released in 2021.

Cobalt Users

When using the Cobalt UI, you may encounter a variety of different users, in the following roles:

  • Organization Roles: If you’re a Cobalt customer, your account may have one or more of the following roles:

    • Organization Owner
    • Organization Member
    • Pentest Team Member
  • Pentester Roles: Cobalt pentesters who are assigned to your pentest have one of two roles:

    • Lead
    • Pentester

    Some Cobalt pentesters may be a Lead in one test, a Pentester in a second test, and possibly no role and no involvement in your other pentests.

Select Cobalt employees may be assigned as administrators, as Cobalt Staff.

You can review a list of permissions associated with each organization role in the following article: What do the user roles mean?.

Organization Owner

In the Cobalt UI, you’ll see this user role as “Owner”. Users in that role can:

  • Manage users and settings
  • Create and edit assets and pentests
Learn more.

Organization Member

In the Cobalt UI, you’ll see this user role as “Member”. Users in that role can:

  • View users and settings
  • Create and edit assets and pentests
Learn more.

Pentest Team Member

A Pentest Team Member is a customer (organization) representative during a specific pentest. That user can review and respond to each finding identified by a Cobalt Pentester or Pentest Lead.

That Pentest Team Member can also add one or more users as a Pentest Team Member.

A Pentest Team Member does not have to be an Organization Owner or an Organization Member.

Pentest Lead

A Pentest Lead is a Cobalt pentester who leads other Cobalt pentesters in their efforts to test an asset. When applicable, the Pentest Lead also drafts the pentest report (for Comprehensive Pentests).

Pentester

A Pentester is a Cobalt pentester who works with a Pentest Lead to test a specific asset.

Cobalt Staff

Cobalt Staff members may help you manage the users in your organization. They may also help manage work on your pentests.

Compliance Audit

As defined by NIST, a comprehensive review of an organization’s adherence to governing documents such as whether:

  • A Certification Practice Statement satisfies the requirements of a Certificate Policy
  • An organization adheres to its Certification Practice Statement

Comprehensive Pentest

A Comprehensive Pentest is performed for security audit, compliance audit, or customer attestation and includes comprehensive reports intended for external stakeholders. Learn more about Comprehensive Pentests.

Environment

In the context of a Cobalt pentest, you can specify one of three options for an environment:

  • Production (for end users)
  • Staging (proposed future production environment)
  • Development (asset in work)

Finding

A potential security flaw in an app or physical hardware. We include findings in vulnerability reports, as something that a threat actor can exploit.

When you select Full Report + Finding Details, we add a detailed list of findings to your report, which includes:

  • Vulnerability Type
  • Description
  • Affected URLs
  • Proof of Concept of the vulnerability
  • Severity
  • Suggested Fix

GraphQL Mutation

For more information, see https://graphql.org/learn/queries/#mutations

Gray Box Testing

Where the pentester has limited knowledge of the internal details of the asset. Contrast with white box and black box testing.

Also known as “translucent box testing.”

Jump Box

Also known as a jump host or a jump server, a jump box is a system (typically) on an internal network or a DMZ. Jump boxes are used to access and manage devices in a separate security zone.


Known Vulnerability

A “well-known” security vulnerability. Documented in a security bulletin or a CVE (Common Vulnerabilities and Exposures) from MITRE.

In Cobalt pentest reports, you may see this as a published or documented vulnerability.

Mitigate

To apply preventative measures based on problems identified by a pentest or incident report. Examples:

  • Install security updates on potentially affected servers
  • Review and update a codebase for issues identified on specific files

Contrast with remediate. This reflects how we use mitigate at Cobalt, and differs slightly from the NIST definition of mitigate.

Mobile Screen

A mobile screen is what you see on a mobile device, such as an iPhone or an Android system. As described by Codepath, mobile screens fall into several archetypes.

You may have multiple screens of an archetype. For example, you may have 10 mobile screens for the onboarding archetype.

Multi-factor Authentication

Authentication which uses two or more different factors, which may include:

  • Something you know, such as a password or a PIN
  • Something you have, such as an identity token
  • Something you are, which works with biometric authentication

Open Web Application Security Project (OWASP)

OWASP is a nonprofit foundation that publishes “Top 10” lists of security issues for different asset types, including Web apps, APIs, and Cloud systems.

Open Source Security Testing Methodology Manual (OSSTMM)

The OSSTMM tests the operational security of physical locations, human interactions, and all communications on the network, whether they be wireless, wired, analog, or digital.

Operations Security (OpSec)

Operations Security, commonly known as OpSec, identifies critical information and determines whether, and how, opponents or enemies could use it. OpSec measures can reduce security risks.

Pentest

Short for penetration test. As described in the Getting Started Guide, you can draft a pentest. Once you submit it for review, Cobalt reviews your pentest and assigns a Pentest Lead and frequently one or more Pentesters who then test the asset specified in your pentest.

Pentest as a Service (PtaaS)

Combines manual and human testing with a modern delivery platform to deploy penetration testing programs.

Pentest Report

A summary of all vulnerability reports, including observations on positive security measures. Target audiences: executives, security engineers, and developers. Includes:

  • Executive Summary
    • Describes tests performed with criteria
  • Executive Analysis
    • High-level summary of vulnerabilities
  • Scope of Work
    • Target description
    • Environment
    • In-scope Testing Methodologies
    • Assumptions and Constraints
    • Test Methodologies
    • Web app-specific issues (endpoints, fuzzing)
    • Secure test cases
  • Summary of Findings
    • Trends and critical issues
    • Auto-generated graphs
  • Summary of Recommendations
    • Highlights of the work we recommend to remediate findings
  • Post-Test Remediation
    • List of details with type, severity, state, and resolution
  • Finding Details
    • More information on each finding

Within Cobalt, this is also known as a Report or a Final Report. For more information, see Pentest Reports.

Remediate

To fix a vulnerability identified by a pentest or incident report. Examples:

  • Install a security update on an affected server
  • Update directly affected code

Contrast with mitigate. This reflects how we use remediate at Cobalt, and differs slightly from the NIST definition of remediation.

Route (Software)

As defined by Manning, in software, a route is a system for resource navigation. If you’re working in the browser, you might be familiar with routing as it relates to:

  • URLs
  • Resources, such as paths to images and scripts, and so on

If you’re working on the server, routing means matching incoming request paths to resources, such as records from a database.

Security Assertion Markup Language

As defined by the Organization for the Advancement of Structured Information Standards (OASIS), the Security Assertion Markup Language (SAML) is an XML-based framework for communicating user authentication, entitlement, and attribute information.

Security Audit

As defined by NIST, an independent review and examination of a system’s records and activities to determine the adequacy of system controls, ensure compliance with established security policy and procedures, detect breaches in security services, and recommend any changes that are indicated for countermeasures.

SANS Institute

Original sponsor of a set of standards for testing networks. SANS stands for SysAdmin, Audit, Network, and Security. The SANS Top 20 has been migrated to CIS Controls Version 8.

Single-Page Application

For more information, see https://developer.mozilla.org/en-US/docs/Glossary/SPA

User Role

A User Role specifies the permissions or privileges associated with a user. Common examples of User Roles include:

  • Global Administrator (such as a UNIX root user)
  • Administrator
  • Group Owner
  • Workspace Administrator
  • Full User
  • Guest

When scoping a pentest, include a complete list of user roles. If you miss a user role, you may sacrifice quality in penetration testing.

Vulnerability

A security issue discovered during a pentest. Also a specific weakness which can be exploited by a threat actor, such as an attacker who crosses privilege boundaries (and performs unauthorized actions) within a computer system.

Contrast with Known Vulnerability. A vulnerability may be part of a finding.

Vulnerability Management

The cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. At Cobalt, we focus on manual pentests (enhanced with automated tools). Also see Vulnerability Assessment and Management, as defined by the US Cybersecurity and Infrastructure Security Agency (CISA).

Vulnerability Report (Manual)

A document that provides information about one specific finding. Cobalt vulnerability reports are based on manual tests. Such reports include:

  • Step-by-step notes on how the tester identified each vulnerability (when possible)
  • Locations, such as files or hardware
  • Recommendations to remediate

Vulnerability Report (Automated)

A document created by an automated scanning tool. Primarily used to list known vulnerabilities associated with specific code patterns.

Vulnerability Type

How Cobalt classifies the vulnerability. Examples include:

  • Client Side Injection
  • Server Security Misconfiguration > Lack of Password Confirmation
  • Broken Authentication and Session Management

Web Page

A hypertext document on the World Wide Web. Web applications typically include static and dynamic web pages.

  • A static page contains stable content that appears the same for every user who opens the page.
  • A dynamic page includes content that can be customized, either through an application server (server-side) or through code such as JavaScript running in the browser (client-side).

White Box Testing

Where the pentester has full knowledge of the internal details of the asset. Contrast with black box and gray box testing.

Also known as “clear box testing.”

References

Last modified October.10.2022