Web Security Terminology

D. Husni Fahri Rizal
The Legend
Published in
3 min read, Mar 21, 2020

When discussing security, and especially the security of a web application, we usually run into many terms that can be confusing. It is therefore worth first understanding what these terms mean.

  1. Risk. Risk is the possibility of loss as a result of danger or threat. In this context, we mean the loss of confidentiality, availability, or integrity as the result of an IT security threat. Risks are typically rated as high, medium, and low severity.
  2. Relative risk. Relative risk refers to risk severities compared with one another, in a specific environment. For instance, the risk before a threat is addressed will be higher than after it is addressed. A more meaningful example is comparing the risks associated with two separate threats: the results of one type of threat may pose a greater risk than those of another type of threat. When performing a risk analysis, it is useful to allocate values to risk. A person creating a risk analysis will want to use comparative values for the various risks in order to rank them.
  3. Temporal risk. A temporal risk is one that changes over time due to changes in the security environment and is not necessarily directly related to any change to a particular vulnerability.
    For instance, if a patch to the affected software that removes the vulnerability is made available to Internet users, the risk severity decreases as soon as that patch is successfully implemented. Temporal risk is defined here for clarity.
  4. Threat. A threat is a danger posed to a web application. There are several sources of threats, such as malware, hackers, cybercriminals, and others with malicious intent.
  5. Vulnerability. A vulnerability is a weakness that is subject to compromise by a threat. For instance, an unlocked door poses the vulnerability of a thief opening the door, but only if it is unlocked. If the door is locked, there is no vulnerability for the thief, who is a high-risk threat if the door is unlocked but a very-low-risk threat if the door is, in fact, locked.
  6. Breach. A security breach is a threat that takes active advantage of a weakness or vulnerability and may compromise the application. In the example just given, a thief actively opening the unlocked door is an act of compromise. A breach is more associated with vulnerabilities.
  7. Compromise. A compromise is a synonym for a breach, except that the term is more associated with risk. I use breach and compromise interchangeably.
  8. Mitigation. A mitigation is a repair or protection made as a defense against a threat. Mitigation either repairs the vulnerability or reduces its seriousness in order to make the vulnerability less susceptible to compromise by a threat. Risk is reduced by mitigation. As a physical analogy for a logical security problem, we can use the example of an unlocked door to a building. Mitigation for the unlocked door may have three components: (1) locking the door immediately; (2) making a policy that everyone who opens the door must subsequently leave it locked; (3) making a policy that once per day a designated person checks that the door is locked, always at different times.
  9. Countermeasure. The term countermeasure is often used instead of mitigation when the vulnerability simply cannot be removed and a workaround is required. An example is where there are known code vulnerabilities within a web application but the code cannot be modified for valid business reasons. A countermeasure to these vulnerabilities could be a web application firewall.
  10. Residual risk. Residual risk is the risk that still remains after mitigation. This may sound unclear at first, as one assumes mitigation reduces risk to zero. However, in a situation with a high-risk vulnerability, there may be reasons why the risk can only be reduced but not completely eliminated. In the analogy of the unlocked door, for example, if the locked door policy.
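To tie the terms above together, here is a small risk-register model written as an added example for this article (it is not the author's code, and the article defers actual risk calculation models to the next post). It assumes an illustrative rule that each mitigation lowers a risk one step on the page's high/medium/low scale; residual risk is whatever severity remains, relative risk is the ranking of risks against each other, and a temporal change (an applied patch) lowers severity without the vulnerability's own rating changing.

```python
from dataclasses import dataclass, field

# Ordinal severity scale exactly as the article rates risks: high, medium, low.
SEVERITY = ["low", "medium", "high"]


@dataclass
class Risk:
    threat: str                      # who or what poses the danger (e.g. a thief)
    vulnerability: str               # the weakness the threat can exploit (e.g. unlocked door)
    severity: str                    # current rating on the page's scale
    mitigations: list = field(default_factory=list)

    def mitigate(self, name, steps=1):
        """Assumed model (not from the article): each mitigation lowers severity
        by `steps` on the scale, never below 'low'."""
        idx = max(0, SEVERITY.index(self.severity) - steps)
        self.severity = SEVERITY[idx]
        self.mitigations.append(name)
        return self.severity

    def residual_risk(self):
        """The risk that still remains after all mitigations applied so far."""
        return self.severity

    def patch_applied(self):
        """Temporal change: once a fix that removes the vulnerability is in place,
        severity drops to 'low' even though nothing about the flaw's rating changed."""
        self.severity = "low"
        return self.severity


def relative_risk(risks):
    """Rank risks against one another, most severe first, for a risk analysis."""
    return sorted(risks, key=lambda r: SEVERITY.index(r.severity), reverse=True)


if __name__ == "__main__":
    # Constructed sample register using the article's own door analogy.
    door = Risk("thief", "unlocked door", "high")
    door.mitigate("lock the door immediately")          # high -> medium
    door.mitigate("daily lock check at random times")   # medium -> low (residual, not zero)
    legacy = Risk("attacker", "known code flaw that cannot be changed", "high")
    legacy.mitigate("web application firewall (countermeasure)")  # high -> medium
    for r in relative_risk([door, legacy]):
        print(f"{r.vulnerability}: residual risk {r.residual_risk()}")
```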

In the next article, we will discuss Risk Calculation Models so that we can know the security level of our system.

D. Husni Fahri Rizal
Engineering Leader | Start-Up Advisor | Agile Coach | Microservices Expert | Professional Trainer | Beginner Investor