Now that we are familiar with the standards, let's cover the important terminology that we will be using a lot in the upcoming chapters:
- Vulnerability: A weakness in a system that may allow an attacker to gain unauthorized access to it.
- Spoofing: A situation where an individual or program successfully masks data as something else in order to obtain an unlawful advantage.
- Exploit: A piece of code, a program, a method, or a sequence of commands that takes advantage of a vulnerability to gain unauthorized access to a system/application.
- Payload: The actual code that is executed on the system after/during exploitation to perform the desired task.
- Risk: Anything that can affect the confidentiality, integrity, and availability of data. Unpatched software, misconfigured servers, unsafe internet surfing habits, and so on all contribute to risk.
- Threat: Anything that may have the potential to cause serious harm to a computer system, network, or application.
- Black box: A method of testing during which the tester has no information about the internal structure or functioning of a system.
- White box: A method of testing during which the tester has complete knowledge of the internal structure and functioning of a system.
- Bug bounty: A program offered by many websites and developers that allows individuals to be recognized and rewarded for reporting bugs, particularly those linked to exploits and vulnerabilities.
- SAST: Static application security testing (SAST) is a form of security testing that relies on the inspection of an application's source code.
- DAST: Dynamic application security testing (DAST) is a technique that is used to detect security vulnerabilities in an application in its running state.
- Fuzzing: An automated testing technique in which invalid, unexpected, or random data is provided as input to an application.
Now that we are aware of this important terminology, let's go ahead and learn about testing methodologies.