Plain English instead of bewildering jargon.
Glossary

We have listed the main terms used in connection with security for you here. If you have any questions, don't hesitate to contact us and arrange a face-to-face discussion.

Application security

Application security: taking numerous key factors into account leads to success

The future is digital: hardly any company can manage any more without a high-performance IT infrastructure and the provision of powerful applications. However, merely providing powerful components is no longer enough. Application security in particular is a challenge that companies must face. Yet small and medium-sized enterprises almost never have the financial and staffing resources to ensure application security on their own. It is no coincidence that many large corporations maintain huge IT departments intended to guarantee satisfactory handling of application security issues. Ensuring application security is therefore not only critical to success but also a cost factor that should not be underestimated.

For us, ensuring application security in combination with our Airlock Suite or Airlock Cloud is one of our core competencies. For our customers, this means they can in turn concentrate on their own core competencies without having to compromise on application and IT security. Our often long-standing collaboration with our customers makes it possible to ensure application security cost-efficiently for companies from the most diverse sectors.

cIAM

Consumer or customer IAM is an Identity and Access Management (IAM) system that is directed to the outside of the organisation. It differs a lot from a classical workforce IAM solution and can be scaled to millions of users with high flexibility and performance. It offers single sign-on and user self-services to the user.

Compliance

Compliance standards allow clear rule structures even in large companies

Compliance has a special status in more and more companies, because if a company does not operate in an audit-proof manner and does not raise employee awareness of the applicable compliance codes, this can in the worst case mean the end of the company. Fundamentally, compliance can be divided into two areas. On the one hand, applicable laws at national and international level must be comprehensively taken into account; on the other hand, employees must also be made aware, beyond that, of what is generally regarded as morally acceptable. Since compliance has become considerably more complex over the years, it has also become increasingly difficult for companies to ensure that compliance standards are fully adhered to. The solutions of the Airlock Suite provide helpful support in complying with compliance standards.

Cookie protection

A dynamic whitelist filtering method that protects users of a web application against unauthorized access to cookie content and also protects the application itself against modification of cookie content. The application's cookies are stored in the web application firewall (WAF) in what is known as a cookie store; by default, they never reach the client. However, it is possible to transfer dynamically encrypted cookies to the client. This encryption prevents manipulation of the cookies.
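The cookie store described above, as an added example that is not Airlock code: the WAF absorbs the application's Set-Cookie headers, hands the browser only its own session cookie (assumed name `AL_SESS`), and rebuilds the Cookie header for the backend from the stored jar alone, so a forged or altered application cookie sent by the client never reaches the application. The encrypted-cookie variant mentioned in the entry is not shown.

```python
import secrets

WAF_COOKIE = "AL_SESS"   # name of the WAF's own session cookie (constructed for this example)

class CookieStore:
    """Keeps the application's cookies on the WAF side, keyed by the WAF session."""

    def __init__(self):
        self._jars = {}          # waf session id -> {cookie name: value}

    def new_session(self) -> str:
        session_id = secrets.token_urlsafe(24)
        self._jars[session_id] = {}
        return session_id

    def filter_response(self, session_id: str, set_cookie_headers: list) -> list:
        """Absorb the backend's Set-Cookie headers; return the headers the client may see."""
        jar = self._jars[session_id]
        for header in set_cookie_headers:
            name, _, rest = header.partition("=")
            jar[name.strip()] = rest.split(";", 1)[0]    # keep the value, drop attributes
        # Only the WAF's own session cookie ever reaches the browser.
        return [f"{WAF_COOKIE}={session_id}; Path=/; Secure; HttpOnly"]

    def build_request_cookie(self, client_cookie_header: str) -> str:
        """Build the Cookie header for the backend from the stored jar alone.

        Everything the client sent besides the WAF session cookie is dropped, so
        application cookies can neither be read nor fabricated nor altered by it.
        """
        session_id = None
        for part in client_cookie_header.split(";"):
            name, _, value = part.strip().partition("=")
            if name == WAF_COOKIE:
                session_id = value
        jar = self._jars.get(session_id, {})
        return "; ".join(f"{name}={value}" for name, value in jar.items())

if __name__ == "__main__":
    store = CookieStore()
    sid = store.new_session()
    print(store.filter_response(sid, ["JSESSIONID=abc123; Path=/app; HttpOnly"]))
    # a client that tries to smuggle in an application cookie gets nothing through
    print(store.build_request_cookie(f"{WAF_COOKIE}={sid}; role=admin"))
```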

Cross-site Request Forgery (CSRF)

An attack that forces victims to execute unintended actions in a web application where they are already logged in. An attacker can use social engineering (e.g. by sending a link via email or chat) to make the user of a web application perform actions unwittingly according to the attacker's plan.

DevSecOps

DevSecOps describes the mindset of integrating security into the development and operations lifecycle: DevSecOps can help development reach its goals more efficiently, and it helps management meet the requirement of an appropriate, efficient organisation. The buzzword conveys vividly that secure application development and secure operation in the field of cyber security require a committed DevSecOps mindset.


Forced browsing

An attack in which the attacker attempts to access resources which are not referenced by the web application under attack, but can nevertheless be called up externally. This is done by using variations of the URL that is used by the application and is transmitted to the client.

ICAP

A protocol for communication between proxy servers and their add-on services. This protocol is related to HTTP and is especially suitable for filtering and modifying the data transmitted by the reverse proxy. Virus scanners are typically connected to web application firewalls via ICAP (Internet Content Adaptation Protocol). External filters and other WAF add-on services are typically based on ICAP.

IDM

Identity management in the digital world means that an identity has to prove who it is and be authorised before it can access an application, platform or service.

Medusa

Airlock IAM was called Medusa before it became part of the Airlock Suite. The products Airlock and Medusa were given the new names Airlock WAF and Airlock IAM with the launch of the Airlock Suite at the beginning of 2015.

Multi-level filtering

Filtering of requests to a web application across several levels, to maximise the security and user-friendliness of the protected web application. Airlock allows filtering across six levels:

  1. Blacklist filtering
  2. Static whitelist filtering
  3. Dynamic whitelist filtering
  4. Filtering of structured data (XML (Extensible Markup Language), SOAP (Simple Object Access Protocol), AMF (Action Message Format))
  5. Malware filtering (ICAP)
  6. Application-specific filtering

Path traversal

An attack that aims to access files and directories outside of the main web (root) directory. Similarly to a forced browsing attack, the attacker uses variations on the application's URL together with one or more instances of the "../" sequence to access arbitrary paths on the web server.
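How a reverse proxy can tell the two URL-variation attacks apart, as an added example that is not Airlock code: the request path is percent-decoded (twice, to catch double encoding), backslashes are normalised, and `..` segments are resolved against a stack; climbing above the root is path traversal, while a cleanly resolved path that the application never published is forced browsing. The `PUBLISHED` whitelist is a constructed stand-in for the paths the application really links to.

```python
from urllib.parse import unquote

def resolve_request_path(raw_path: str):
    """Decode and canonicalise a request path.

    Returns the resolved absolute path, or None when the path climbs above
    the web root (path traversal) or carries a NUL byte.
    """
    path = raw_path.split("?", 1)[0]          # ignore the query string
    for _ in range(2):                        # undo single and double percent-encoding
        path = unquote(path)
    if "\x00" in path:
        return None
    path = path.replace("\\", "/")            # some servers treat "\" as a separator
    segments = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue                          # "//" and "." change nothing
        if segment == "..":
            if not segments:
                return None                   # nothing left to pop: escaped the root
            segments.pop()
        else:
            segments.append(segment)
    return "/" + "/".join(segments)

def classify_request(raw_path: str, published: set) -> str:
    """Decide how a reverse proxy should treat a request path.

    'published' is the set of paths the application actually links to
    (a static whitelist, constructed for this example).
    """
    resolved = resolve_request_path(raw_path)
    if resolved is None:
        return "path-traversal"
    if resolved not in published:
        return "forced-browsing"
    return "ok"

# constructed whitelist of the paths the application really exposes
PUBLISHED = {"/", "/index.html", "/images/logo.png", "/account/overview"}
```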

Session hijacking

An attack in which the attacker impersonates another user of a web application after exploiting weaknesses in the application's session control mechanism. The attacker gains access to a session token by stealing a valid token from a valid user or by fabricating a valid token.

Smart form protection

A dynamic whitelist filtering method that protects forms against modification. When smart form protection is enabled, unnoticed changes to drop-down menus, hidden fields and other defined form attributes on the client side are no longer possible. Moreover, the server is protected against infiltration of unwanted additional form fields.
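One way to implement smart form protection, as an added example that is not Airlock code: when the form is served, the WAF records its hidden values and the option values of each select; when the form is posted, every field outside the recorded set, every changed hidden value and every select value outside the served options is reported. `ORDER_FORM` is a constructed sample form.

```python
from html.parser import HTMLParser

class FormSpec(HTMLParser):
    """Record the fixed parts of a served form: hidden values and select options."""
    def __init__(self):
        super().__init__()
        self.fields = set()      # every field name the form defines
        self.hidden = {}         # hidden field -> value the server set
        self.options = {}        # select field -> allowed option values
        self._select = None      # select element currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        name = a.get("name")
        if tag == "input" and name:
            self.fields.add(name)
            if a.get("type") == "hidden":
                self.hidden[name] = a.get("value", "")
        elif tag == "select" and name:
            self.fields.add(name)
            self._select = name
            self.options[name] = set()
        elif tag == "option" and self._select:
            self.options[self._select].add(a.get("value", ""))

    def handle_endtag(self, tag):
        if tag == "select":
            self._select = None

def record_form(html: str) -> FormSpec:
    """Called when the form is served to the client; the spec stays on the WAF."""
    spec = FormSpec()
    spec.feed(html)
    return spec

def check_submission(spec: FormSpec, submitted: dict) -> list:
    """Compare a POST against the recorded form; an empty list means it is clean."""
    violations = [f"unexpected field '{n}'" for n in submitted if n not in spec.fields]
    for name, value in spec.hidden.items():
        if submitted.get(name) != value:
            violations.append(f"hidden field '{name}' was modified")
    for name, allowed in spec.options.items():
        if name in submitted and submitted[name] not in allowed:
            violations.append(f"field '{name}' has a value outside the served options")
    return violations

# constructed sample form as the application would send it to the browser
ORDER_FORM = ('<form method="post" action="/order"><input type="hidden" name="price" value="49.00">'
              '<select name="shipping"><option value="standard">Standard</option>'
              '<option value="express">Express</option></select><input type="text" name="address"></form>')
```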

SQL injection

An attack in which SQL database queries are passed on to the application ("injected") via the input fields of a web application and are then executed through a weak point in the application. Queries of this sort may disclose confidential information or manipulate the data in the database.

Structured data (XML, SOAP, AMF, JSON)

The content of traffic between a web browser and a web server consists mainly of HTML files supplemented with images, style sheets and JavaScript files. By contrast, web-based traffic between two servers, between a mobile app and a server or between a JavaScript application running in the browser and the server is typically based on structured data: data whose structure corresponds to a defined scheme and is designed for efficient machine-to-machine communication. This allows a protective instance such as the web application firewall to check the data for suspicious content and also to ensure that the form in which the data is transmitted corresponds to the agreed structure. This validation can play a key part in discovering and neutralizing attacks on a web service.

Examples of structured data types include XML, SOAP (web service calls based on XML), AMF and JSON (Java Script Object Notation).

Virtual Patching

Virtual patching is a complex topic that can hardly be explained without numerous technical terms or understood without background knowledge. In very simplified terms, virtual patching follows the idea of "secure now, fix later". This means that vulnerabilities are monitored and secured as quickly as possible, so that an official update closing them can be awaited without the company running the risk of suffering damage. Airlock pursues a reverse proxy approach with multi-level filtering and dynamic whitelist filtering.

WAF

A web application firewall (WAF) protects web applications against attacks over the Hypertext Transfer Protocol (HTTP). The typical attack vectors for web applications are described in the OWASP Top 10 and include injection attacks (SQL, command, LDAP, script or XPath injection), cross-site scripting (XSS), hidden field tampering, parameter tampering, cookie poisoning, forceful browsing and buffer overflows. A WAF provides upstream protection against these attacks.

Workforce IAM

Workforce IAM solutions are directed to the inside of an organisation. They fulfil the typical needs of employee management, such as approval workflows, access certification, or policy and role management. Workforce IAM solutions are not built to handle very large numbers of accounts.

BYOI

Bring your own identity is a simple form of digital authentication in which the user identity is administered by a third party.

Cloud

Cloud computing means executing applications that are not installed in the local IT infrastructure. In the cloud, IT infrastructure is made available over the internet.

Distinctions:

  • Public Cloud (Access to IT infrastructure for the public)
  • Private Cloud (Access to IT infrastructure within an organisation)
  • Hybrid Cloud (Access to mixed IT infrastructure of private and public cloud)

Content rewriting

A way of protecting against inadvertent outbound information flows: error and status messages that provide hackers with important information for further attacks are filtered out and converted into neutral messages. This functionality also allows masking of sensitive data such as credit card numbers to prevent them from being displayed in an application by mistake.
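The two rewriting cases named above, as an added example that is not Airlock code: server error responses are swapped for a neutral page before they leave, and in other responses any digit run that passes the Luhn check is masked down to its last four digits, so order numbers and similar values that merely look like card numbers stay untouched. `SAMPLE_BODY` is a constructed response.

```python
import re

# candidate card numbers: 13 to 19 digits, optionally separated by single spaces or dashes
CARD_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to avoid masking ordinary numbers such as order ids."""
    total = 0
    for position, char in enumerate(reversed(digits)):
        value = int(char)
        if position % 2 == 1:            # every second digit from the right is doubled
            value *= 2
            if value > 9:
                value -= 9
        total += value
    return total % 10 == 0

def mask_card_numbers(text: str) -> str:
    """Replace Luhn-valid digit runs with asterisks, keeping the last four digits."""
    def replace(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)        # not a card number: leave it untouched
        return "*" * (len(digits) - 4) + digits[-4:]
    return CARD_CANDIDATE.sub(replace, text)

NEUTRAL_ERROR_PAGE = "<html><body>The request could not be processed.</body></html>"

def rewrite_response(status: int, body: str) -> tuple:
    """Neutralise server error pages and mask card numbers in everything else."""
    if status >= 500:
        return status, NEUTRAL_ERROR_PAGE   # stack traces, versions and paths never leave
    return status, mask_card_numbers(body)

# constructed response body: an order id that is not a card number, and a test card number
SAMPLE_BODY = "Order 1234567890123 paid with card 4111 1111 1111 1111."
```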

Cookie Tampering

Cookies are files on a user's computer which allow a web application to store information that is subsequently used to identify returning users. Actions by a user or user-specific settings for an application are also stored in cookies. Cookie tampering can be used for attacks such as session hijacking, where cookies with session identification information are stolen or modified by an attacker.

Cross-site scripting (XSS)

A type of attack in which the attacker injects malicious scripts into an otherwise harmless and trusted website. Other visitors to the website unknowingly execute these scripts, making themselves vulnerable to further attacks such as identity theft.

Dynamic whitelist filtering

A series of whitelist filtering measures that are generated during the application's runtime, so they are continuously adapted to circumstances. In Airlock, dynamic whitelist filtering is implemented by means of URL encryption, smart form protection, cookie protection and upstream authentication.

IAM

Identity and Access Management solutions help to manage digital identites and their rules and roles to access applications and services.

IDaaS

Identity as a Service is a cloud-based authentication infrastructure built, administrated and hosted by a managed security or service provider.

Load balancing

Distribution of loads among several systems of the same type. A web application firewall can perform this task: an application runs simultaneously on several servers and the WAF (as a reverse proxy) can distribute incoming requests among these servers. So-called health checks are performed continuously to determine which servers are available. Asymmetrical load balancing is also possible.

Mobile Security

Mobile security is becoming ever more important. Data and applications must be accessible from anywhere at any time and must also be protected on mobile devices at all times. Mobile security has become a multi-layered topic.

OWASP

The Open Web Application Security Project (OWASP) is a non-profit organisation whose goal is to make web applications and services more secure. The OWASP community publishes the OWASP Top 10 security issues for web applications and services.

Reverse Proxy

A proxy server that obtains data from one or more servers on behalf of a client. This data is then sent to the client as if it originated directly from the reverse proxy itself. Reverse proxies are used to implement the typical functionalities of a web application firewall: SSL termination, upstream authentication, multi-level filtering and load balancing.

Single Sign-on

At a time when the call for strong authentication for every account is growing ever louder, it is important to keep user-friendliness high as well. Single sign-on is a way to confront the user with the more elaborate authentication process only once. Single sign-on and identity federation become must-haves if users are to be prevented from circumventing the more complex processes.

Social Login

The principle of social login is based primarily on entering the data required to create an account only once and then using it from one account. On other websites and in other applications, only the login data of this one central account is then used. Furthermore, after the one-time registration with the central account, no further entry of additional passwords is usually necessary, provided the social login account is also logged in.

SSL termination

Data that requires protection is usually transmitted between browser and server in encrypted form, and the HTTPS protocol is used for this purpose. It is based on the SSL encryption method. The data is only readable by the two end points of an HTTPS connection; intermediaries in the transmission cannot "see" the transmitted information at all. Nevertheless, this encrypted data could itself represent an attack, so it is essential for a protective instance such as a web application firewall to terminate the SSL protocol. This gives it access to the data transmitted from the browser, so attacks can be detected and warded off in this way. Safe transmissions are re-encrypted as necessary and forwarded to the server.

URL encryption

A dynamic whitelist filtering method to prevent "forceful browsing": the application's web addresses are forwarded to the client in encrypted form. This prevents an attacker from gaining access to inadequately protected parts of the application by modifying the address. Likewise, the topology of the application and the technology used (such as PHP) are hidden.
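A model of URL encryption, as an added example that is not Airlock code: Airlock does this cryptographically, whereas this constructed version keeps a per-session table of random tokens, which gives the same two effects the entry describes. Outgoing links and form actions are replaced by opaque tokens, so the client never sees real paths or file extensions, and an incoming path is only mapped back if this session was actually handed that token; anything else, including a token copied from another session, is rejected.

```python
import re
import secrets

class UrlEncryption:
    """Replace application URLs with opaque per-session tokens (constructed model)."""

    def __init__(self):
        self._token_to_url = {}   # session -> {token: real path}
        self._url_to_token = {}   # session -> {real path: token}

    def encrypt_url(self, session: str, real_path: str) -> str:
        """Return the opaque form of a real path, issuing a token on first use."""
        urls = self._url_to_token.setdefault(session, {})
        if real_path not in urls:
            token = secrets.token_urlsafe(16)
            urls[real_path] = token
            self._token_to_url.setdefault(session, {})[token] = real_path
        return "/" + urls[real_path]

    def rewrite_response(self, session: str, html: str) -> str:
        """Rewrite every absolute href and form action in a page to its encrypted form."""
        return re.sub(
            r'((?:href|action)=")(/[^"]*)"',
            lambda m: m.group(1) + self.encrypt_url(session, m.group(2)) + '"',
            html,
        )

    def decrypt_request(self, session: str, request_path: str):
        """Map an incoming path back to the real one; None means it was never issued."""
        token = request_path.lstrip("/").split("?", 1)[0]
        return self._token_to_url.get(session, {}).get(token)

def first_link(html: str) -> str:
    """Helper for the demonstration: the path of the first href in a page."""
    return "/" + html.split('href="/', 1)[1].split('"', 1)[0]
```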

Upstream authentication

A dynamic whitelist filtering method that protects web applications against unauthorized access. Before a query is forwarded from a user to an application, upstream authentication ensures that the user does actually have access authorization. This completely excludes the greatest risk of all for web applications – attacks by unknown perpetrators. When authentication is delegated to this upstream instance (such as a web application firewall), it also becomes very easy to implement single sign-on scenarios across multiple web applications.

WAM

Web access management (WAM) is a form of identity management that controls access to web applications and services, providing authentication, policy-based authorisation (rules, roles, risk-based) as well as single sign-on and user self-services for greater user convenience.

200 OK

"200 OK" is the status code of a successfully processed HTTP request. HTTP is the standard protocol for delivering website content from web servers to browsers.