Standing for “Agence nationale de la sécurité des systèmes d’information” in French, it is the French National Agency for the Security of Information Systems. Created in 2009, this national authority provides its expertise and support to companies and administrations in order to secure digital development. More information on https://www.ssi.gouv.fr/en/.
An Application Programming Interface is a computing interface setting definitions and protocols to define interactions between several software intermediaries.
Automated Regression Testing
The automation of regression testing is a testing practice used in agile methodology or DevOps to quickly fix issues and reach higher quality code.
A black box intrusion test consists in getting into a system without having any previous information or knowledge of the environment. The researcher needs to act as a malicious user in order to succeed.
Black Hat Hackers
Thanks to their extensive knowledge and skills in cybersecurity, black hat hackers perform malicious attacks for personal or financial gain, cyber spying or just ‘for fun’. Their goal is to break into computer systems and networks in order to steal, modify or destroy data.
Program set up by an organization to encourage researchers to find vulnerabilities within a defined scope. Researchers are financially rewarded for the vulnerabilities they find and rated according to the quality of their submitted reports.
The term Computer Emergency Response Team refers to a group of experts that handles IT security incidents.
In software engineering, CI/CD is an agile methodology referring to the practices of both Continuous Integration and Continuous Delivery. It enables DevOps teams to deliver code changes more frequently and reliably.
The Chief Information Security Officer is an executive in charge of an organization’s information and data security.
The French Information Security Club is a non-profit association gathering information security users and professionals. Founded in 1982, CLUSIF aims to develop and pass on a set of good practices concerning information security. More information on https://clusif.fr/en/french-information-security-club.
Standing for “Commission Nationale de l’Informatique et des Libertés” in French, the CNIL is a French independent administrative authority created in 1978 to protect personal data, support innovation and preserve individual liberties. More information on https://www.cnil.fr/.
A security approach that encourages a group of cybersecurity researchers to test an organization’s assets in order to report vulnerabilities. Bug Bounty and VDP are two examples of crowdsourced security.
Cross-Site Request Forgery is a cybersecurity vulnerability that forces an end user to execute unwanted actions on an application in which they are authenticated. An attacker can use CSRF to transfer money or change the user’s email address, for instance.
In Capture the Flag challenges, participants must solve cybersecurity issues and/or capture and defend computer systems. This type of computer security contest is team-based and can last from a few hours to multiple days.
Coordinated Vulnerability Disclosure describes the process of collecting information from bug researchers, coordinating information sharing and revealing the existence of these weaknesses and their remediation to various actors, including the public.
Common Vulnerabilities and Exposures refers to a list of known cybersecurity threats. The database was created by MITRE, a non-profit organization supported by the Department of Homeland Security of the US. Each vulnerability has an ID and is briefly described; the aim is to help IT professionals collaborate to make computer systems more secure.
The Common Vulnerability Scoring System is a free and open industry framework to review the characteristics and severity of cybersecurity vulnerabilities. CVSS helps organizations prioritize their vulnerability management process and resources according to the level of threat.
The Common Weakness Enumeration is a list of vulnerabilities that can be found in software. This online dictionary was created by MITRE, a non-profit organization supported by the Department of Homeland Security of the US. The goal is to ease the use of tools that identify and fix bugs.
Short for development, security and operations, a DevSecOps approach means thinking about cybersecurity from the start. The objective is to make everyone as involved in security as in development and operations, so that decisions and actions for the three can be implemented at the same time.
YesWeHack DOJO is a visual exploitation environment and training platform designed to learn vulnerability exploitation in a fun and visual way. More information on https://blog.yeswehack.com/yeswerhackers/yeswehack-dojo/.
The European Union Agency for Cybersecurity, ENISA, is the Union’s agency dedicated to achieving a high common level of cybersecurity across Europe. It was established in 2004 and strengthened by the EU Cybersecurity Act. More information on https://www.enisa.europa.eu/.
The activity of hacking for a good purpose, within a legal framework. White hats use the same techniques as malicious hackers but they use their expertise to practice penetration testing, Bug Bounty or responsible disclosure, for instance.
All or part of a program allowing the use of a software’s vulnerability or a set of vulnerabilities for malicious purposes. An exploit can also serve as a PoC (Proof of Concept) that concretely demonstrates how a vulnerability can be used and the resulting impact on the information system concerned.
FireBounty is a non-partisan aggregator that references existing Vulnerability Disclosure Policies and Bug Bounty programs on major websites. More information on https://firebounty.com/about.
FIRST is a US-based non-profit organization created in 1990, whose mission is to bring together incident response and security teams across the world and ensure a safe internet for all. It provides platforms, means and tools for incident responders to always find the right partner and to collaborate efficiently. For instance, it owns and manages CVSS. More information on https://www.first.org.
The General Data Protection Regulation is a European legal framework providing guidelines on data protection and privacy. Since May 2018, when the law became fully effective, all sites attracting European visitors must comply with the GDPR.
gitGraber is a tool developed in Python 3 that monitors GitHub in real time to find sensitive data for various online services such as Google, Amazon (AWS), PayPal, GitHub, Mailgun, Facebook, Twitter, Heroku, Stripe, Twilio… More information on https://github.com/hisxo/gitGraber/.
A grey box method consists in penetrating a system with a restricted amount of information on an organization. Typically, the researcher acts as a site user or an employee with access to limited internal information.
Standing for Insecure Direct Object Reference, IDOR is a security vulnerability that arises when an application uses an identifier for direct access to an object and does not check for access control. Since 2013, it has ranked fourth on the OWASP Top 10 web application security risks.
Internet of Things describes the interconnection of the Internet with physical objects, places and environments – it often refers to smart or connected devices that can exchange data without the need of human intervention.
ISO/IEC 27001 is widely known, providing requirements for an information security management system (ISMS), though there are more than a dozen standards in the ISO/IEC 27000 family. Using them enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details or information entrusted by third parties. More information on https://www.iso.org/isoiec-27001-information-security.html.
ISO/IEC 29147 provides requirements and recommendations to vendors on the disclosure of vulnerabilities in products and services. More information on https://www.iso.org/standard/72311.html.
ISO/IEC 30111 provides requirements and recommendations for how to process and remediate reported potential vulnerabilities in a product or service. More information on https://www.iso.org/standard/69725.html.
The standard process of KYC, standing for Know Your Customer or Know Your Client, refers to the effort professionals must make in order to verify the identity and suitability of their clients. It is mostly used by banks and financial services to evaluate the risks and protect both parties in the relationship.
The MITRE Corporation is an American non-profit organization which works for the public interest. Its areas of expertise include, among others, artificial intelligence, data science, information security and cyber resilience. More information can be found on https://www.mitre.org/.
The NIS Directive is the first piece of EU-wide cybersecurity legislation and was adopted in 2016. It provides legal measures to boost the overall level of cybersecurity in the EU. More information on https://www.enisa.europa.eu/topics/nis-directive.
Proposal for a revised NIS Directive (NIS2).
The Organisation for Economic Co-operation and Development is an intergovernmental economic organisation founded in 1961. With 37 member countries, the aim is to build better policies to stimulate economic progress and world trade. More info on http://www.oecd.org/.
Open-source intelligence refers to the exploitation of information sources accessible to everyone, such as newspapers, radio or conferences, for knowledge purposes. Even if the term is not strictly cyber, most information these days can be found in digital form. In the IT field, OSINT enables attackers to conduct effective reconnaissance against their victims, in order to make scams more credible.
In Bug Bounty, a scope is defined, so ethical hunters are not supposed to look for vulnerabilities outside of this scope. Vulnerabilities found out-of-scope do not qualify for a reward.
In France, an Operator of Vital Importance refers to an economic operator which has a crucial importance in the running of the Nation – organizations in health, energy, transportation or military, for instance.
The Open Web Application Security Project® (OWASP) is a nonprofit foundation that works to improve the security of software. Through community-led open-source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web. More information on https://owasp.org/.
A payload refers to a piece of code that can be used to trigger a vulnerability. It is the part of an exploit used to initiate an attack.
Pentesting consists in performing an authorized cyberattack on an IT system, network or application in order to highlight security vulnerabilities that a malicious user could exploit. This traditional approach is usually done once or twice a year for a given length of time, and results are given in a report.
PCI DSS Compliance
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that process, store or transmit credit card information. It established a set of 12 requirements in order to ensure they maintain a secure environment.
In cybersecurity, a Proof of Concept exploit refers to an attack performed only to demonstrate that it can be done. It is meant to show the harm a malicious user could cause in the software or hardware by exploiting a vulnerability.
A private Bug Bounty program is open to a small group of ethical hackers selected according to an organization’s security needs. That way, organizations can control who has access to their scopes and keep their information confidential.
A public Bug Bounty program enables the entire community of ethical hackers to look for vulnerabilities on a given scope. It provides transparency towards an organization’s clients and maximizes Bug Bounty’s effectiveness.
The Pwning-Machine is an all-in-one, customizable and extensible suite of tools to easily set up and maintain a Bug Bounty environment. More information on https://github.com/yeswehack/pwn-machine.
Red Team, Blue Team & Purple Team
In information security, the Red Team refers to the offensive team which simulates an attack whereas the Blue Team is the defensive team which reacts to the opponents. As for the Purple Team, it acts as an interface between the two other teams to find solutions after the simulated attack.
Regression testing is a testing practice performed after a code change, update or improvement in the software to ensure the existing functionality of the product was not impacted. It is applied as a final step after any modification to make sure the product works fine with bug fixes, software enhancements or configuration changes.
In Bug Bounty, a report is submitted by a hunter to detail the impact of an identified vulnerability and provide a PoC that lets the organization reproduce the vulnerability. The report may also contain a remediation to correct it.
Ethical hackers receive rewards when they find valid vulnerabilities in the defined scope of a Bug Bounty program and their report is accepted. According to a reward grid, the bigger the impact of a vulnerability is, the bigger the reward will be.
Software as a Service is an application solution hosted and operated outside an organization by a third party and accessible over the Internet. Billing for this cloud computing service is usually based on a monthly subscription.
To launch a Bug Bounty program, a scope must be defined, meaning the organization has to provide details about: what parts of the IT system can be tested, what kind of testing is allowed and the preferred type of vulnerabilities to report. Such information is essential for the effectiveness of the program.
The Software Development Life Cycle is a process used by the software industry to create, develop and test high-quality software in a cost-effective way. Both large and small organizations can use the SDLC framework, following models such as waterfall, agile and others.
A security.txt file is a proposed standard for websites’ security. It can be included on websites as a reference file for cybersecurity researchers, containing the procedure to follow to effectively and easily report vulnerabilities to the website’s editor.
Shift-left testing is an agile cybersecurity practice intended to find and prevent weaknesses in the software development process earlier than usual. By moving the testing to the left of the life cycle, the idea is to improve the software quality.
The Security Operation Center refers to the team in charge of information security within a company. It ensures the supervision of IT systems in order to prevent cyber attacks.
SPARTA is a new Cybersecurity Competence Network supported by Europe’s Program Horizon 2020. It aims to coordinate and develop the implementation of high-level research and innovation actions to ensure digital security and strategic autonomy of the EU. More information on https://www.sparta.eu/.
SQL stands for Structured Query Language; SQL injection is a common injection attack that enables the execution of malicious SQL statements. The objective is to access information in a database that was not supposed to be retrieved. In some cases, a malicious user can escalate this vulnerability in order to compromise the server or the infrastructure.
The Secure Sockets Layer certificate is an electronic certificate that secures and encrypts communications between web servers and browsers.
Server-Side Request Forgery is a type of exploit that allows an external attacker to abuse functionality on the server to read or update internal resources, by having the server make HTTP requests to an arbitrary domain (for example: localhost or 127.0.0.1).
A Server-Side Template Injection is a type of vulnerability where an attacker is able to inject malicious input into a template framework, which is then executed on the server side. In the worst case, it can give the attacker total control of the server.
In a Bug Bounty program, triage refers to the process of validating vulnerabilities, from the initial submission by an ethical hacker to the handover of a clear and valid report.
A Vulnerability Disclosure Policy, also referred to as a responsible disclosure policy, describes how an organisation will handle reports of vulnerabilities submitted by ethical hackers. It is a declaration with legal value. By publishing a VDP, the organisation establishes rules that security researchers who discover vulnerabilities in the digital assets concerned must respect. If they do, the organisation pledges not to take any legal action against them.
Aiming to facilitate vulnerability reporting, VDP Finder is a unique plugin for Chrome and Firefox that indicates whether visited sites have Vulnerability Disclosure Programs. More information on https://github.com/yeswehack/yeswehack_vdp_finder.
A bug, out of malice or incompetence, in the specifications, design, creation, implementation or configuration of a system, or in the way in which it is used.
The waterfall model is a classical software development process. It builds a system through linear, sequential phases, in which every phase has to be completed before the next one starts. No overlapping is possible, just like the cascading steps of a waterfall.
A white box approach enables the researcher to access all of the system’s information and to collaborate with the tech team of an organization. Provided information can be architecture documents, administrator access, access to source code…
White Hat Hackers
Cybersecurity experts that use their knowledge and skills for the greater good. Also referred to as “ethical hackers”, they only hack in legal frameworks to make the Internet a safer place or to ensure organizations’ security, when they are paid to do so (through penetration testing, vulnerability assessments or Bug Bounty, for instance).
YesWeHack EDU is the world’s first Bug Bounty educational platform dedicated to cybersecurity training. More information on https://blog.yeswehack.com/talent-development/yeswehack-edu-the-worlds-first-bug-bounty-educational-platform/.
A zero-day (also known as 0-day) is a computer-software vulnerability unknown to those who should be interested in its mitigation (including the vendor of the target software). Until the vulnerability is mitigated, malicious hackers can exploit it to adversely affect programs, data, additional computers or a network. An exploit directed at a zero-day is called a zero-day exploit, or zero-day attack.
ZeroDisclo.com is a non-partisan, non-profit platform for reporting vulnerabilities while preserving the anonymity of those who discover them. More information on https://blog.yeswehack.com/vulnerability-coordination/zerodisclo-com-vulnerability-disclosure-done-right/.