Glossary

Learn more about the language of software security.

If you don’t see a term defined on this page, refer to one of the governmental or industry standards cited in the References.

The definitions included in this page may vary from the cited standards, based on how we configure and use Cobalt software.

Aggregated Risk

Aggregated Risk is the sum of the risks of individual findings discovered in a pentest.

The risk of an individual finding is the likelihood multiplied by the impact (Risk = Likelihood * Impact).

Allowlist

An allowlist explicitly lets identified systems access. In networks, an allowlist can specify IP addresses. You can typically find allowlists and denylists in files like /etc/hosts.allow and /etc/hosts.deny.

API Endpoint

An endpoint is typically a URL used to allow two software applications to communicate with each other. For example, https://api.cobalt.io/orgs is one endpoint that you can find at https://api.cobalt.io.

When scoping a pentest for an API asset, ignore specific parameters and HTTP methods for each endpoint. For example, these are two different HTTP requests for the same endpoint:

  • GET https://api.cobalt.io/pentests
  • POST https://api.cobalt.io/pentests

Some RESTful API endpoints include additional information that may make them seem different. For example, the following two URLs are in fact the same endpoint, as the content after the ampersand (&) describes an action on data sent from that URL:

  • example.com/endpoint1&_prettyPrint=true
  • example.com/endpoint1&_prettyPrint=false

GraphQL operates on a single API endpoint. Functionally, GraphQL queries and mutations are similar to RESTful GET, POST, PUT, and other commands.

API Scope

See API Endpoint for how we look at RESTful and GraphQL APIs. To scope our work, when we need information about your API, we need numbers for either:

Asset

For pentests, an asset is a software component of value, such as a web application or API. Cobalt can perform pentests on assets in the following categories:

  • Web apps
  • External networks
  • Internal networks
  • Mobile apps
  • APIs
  • Cloud configuration (AWS, Azure, GCP)

Asset Tag

An asset tag is customer-defined metadata associated with a Cobalt asset.

Learn how to use asset tags.

Application Security (AppSec)

Application security is the practice of using security software, hardware, techniques, best practices, and procedures to protect computer applications from external security threats. Source: TechTarget.

Application Security Verification Standard (ASVS)

The OWASP Application Security Verification Standard (ASVS) relates to pentests of web application technical security controls.

Attacker

Sometimes also known as a threat actor, malicious hacker, “black hat hacker,” or “cracker.” May be an individual, a group, or even a nation-state. Specified as “attacker” in Cobalt pentest reports.

Attestation Letter

A one-page report suitable for external stakeholders. Includes the following:

  • Executive Summary
  • An overall findings summary table

Learn more about pentest reports.

Attestation Report

A report similar to Customer Letter, with additional details:

  • Pentester user information
  • An overall list of findings

Learn more about pentest reports.

Automated Report

A system-generated report for an Agile Pentest intended for internal use. Includes the following sections:

  • Pentester user information
  • Executive Summary
  • Methodology
  • Post-Test Remediation
  • Finding Details

You can’t customize an Automated Report. Learn more about pentest reports.

Black-Box Testing

Where the pentester has no knowledge of the internal details of the asset. Contrast with gray-box and white-box testing.

Also known as “opaque-box testing.”

Center for Internet Security (CIS)

The Center for Internet Security is an independent nonprofit organization which develops and refines best practice security solutions.

One of the test criteria used by our pentesters is CIS Controls v8, released in 2021.

Cobalt Average

Cobalt Average for a given year is the average of the Aggregated Risk of all pentests conducted across all customers in that year.

Learn more about the Insights page and using this metric to analyze your assets.

Common Platform Enumeration (CPE)

As defined by NIST, Common Platform Enumeration (CPE) is a structured naming scheme for information technology systems, software, and packages. The official CPE Dictionary is hosted and maintained by NIST.

Compliance Audit

As defined by NIST, a comprehensive review of an organization’s adherence to governing documents such as whether:

  • A Certification Practice Statement satisfies the requirements of a Certificate Policy
  • An organization adheres to its Certification Practice Statement

Customer Letter

An executive summary of the pentest. May be used as a certificate of completion. Great for external stakeholders. Includes:

  • Executive Summary
  • Methodology

Learn more about pentest reports.

Digital Risk Assessment

A systematic process for identifying, analyzing, and prioritizing potential threats and vulnerabilities from an attacker’s perspective within an organization’s digital ecosystem.

Dynamic Web Page

A web page with dynamic content that a user can interact with. The content can be built on the server or the client side. Contrast with Static Web Pages.

Environment

In the context of a Cobalt pentest, you can specify one of three options for an environment:

  • Production (for end users)
  • Staging (proposed future production environment)
  • Development (asset in work)

Finding

A finding is a vulnerability that a pentester reports during a pentest. We include findings in vulnerability reports, as something that a threat actor can exploit.

When you select Full Report + Finding Details, we add a detailed list of findings to your report, which includes:

  • Vulnerability Type
  • Description
  • Affected URLs
  • Proof of Concept of the vulnerability
  • Severity
  • Suggested Fix

Full Report

A report that contains comprehensive information about the pentest. Includes the following sections:

  • Pentester user information
  • Executive Summary, with an overall list of findings
  • Scope of Work
  • Methodology
  • Summary of Findings
  • Recommendations
  • Post-Test Remediation

Learn more about pentest reports.

Full Report + Finding Details

A report that adds details of every test finding to the Full Report. Learn more about pentest reports.

GraphQL API

Per https://graphql.org, GraphQL is a query language for your API. A GraphQL API is designed with a single endpoint.

For pentests of a GraphQL API, Cobalt needs the number of queries and mutations that you’ve configured. Also see API Endpoint.

GraphQL Queries and Mutations

For more information, see https://graphql.org/learn/queries/

Gray-Box Testing

Where the pentester has limited knowledge of the internal details of the asset. Contrast with white-box and black-box testing.

Also known as “translucent-box testing.”

Graylisting

Graylisting is a method of protecting email users from spam. A Mail Transfer Agent (MTA) using graylisting temporarily rejects emails from senders that they don’t recognize. The originating server tries to resend the email after a delay. If the email is legitimate, the MTA accepts it.

In-House Pentest

An In-House Pentest is a pentest that an organization performs on the Cobalt platform without involving Cobalt pentesters. You can launch In-House Pentests using the Pentest Management Platform (PMP).

Jump Box

Also known as a jump host or a jump server, a jump box is a system (typically) on an internal network or a DMZ. Jump boxes are used to access and manage devices in a separate security zone.

Where the pentester has limited knowledge of the internal details of the asset. Contrast with white-box and black-box testing.

Known Vulnerability

A “well-known” security vulnerability. Documented in a security bulletin or a CVE (Common Vulnerabilities and Exposures) from MITRE.

In Cobalt pentest reports, you may see this as a published or documented vulnerability.

Mitigate

To apply preventative measures. Based on problems identified by a pentest or incident report. Examples:

  • Install security updates on potentially affected servers
  • Review and update a codebase for issues identified on specific files

Contrast with remediate. This reflects how we use mitigate at Cobalt, and differs slightly from the NIST definition of mitigate.

Mobile Screen

A mobile screen is what you see on a mobile device, such as an iPhone or an Android system. As described by Codepath, mobile screens fall into several archetypes.

You may have multiple screens of an archetype. For example, you may have 10 mobile screens for the onboarding archetype.

For pentests of a mobile asset, we need the number of screens that you have, for each operating system that you support.

Multi-factor Authentication

Authentication which uses two or more different factors, which may include:

  • Something you know, such as a password or a PIN number
  • Something you have, such as an identity token
  • Something you are, which works with biometric authentication

Open Web Application Security Project (OWASP)

OWASP is a nonprofit foundation with “Top 10” security issues for different asset types, including Web apps, APIs, and Cloud systems.

Open Source Security Testing Methodology Manual (OSSTMM)

The OSSTMM tests the operational security of physical locations, human interactions, and all communications on the network, whether they be wireless, wired, analog, or digital.

Operations Security (OpSec)

Operations Security, commonly known as OpSec, identifies critical information, and if/how it may be used by opponents or enemies. OpSec measures can reduce security risks.

Pentest

Short for penetration test. As described in the Getting Started Guide, you can draft a pentest. Once you submit it for review, Cobalt reviews your pentest and assigns pentesters who then test the asset specified in your pentest.

Pentest as a Service (PtaaS)

Combines manual and human testing with a modern delivery platform to deploy penetration testing programs.

Pentest Report

A summary of all vulnerability reports, including observations on positive security measures. Target audiences: executives, security engineers, and developers. Includes:

  • Executive Summary

    • Describes the tests performed with criteria.
  • Executive Analysis

    • Includes a high-level summary of vulnerabilities.
  • Scope of Work

    The scope of work for a pentest includes:

    • Target description
    • Environment
    • In-scope Testing Methodologies
    • Assumptions and Constraints
    • Test Methodologies
    • Web app-specific issues (endpoints, fuzzing)
    • Secure test cases
  • Summary of Findings

    • Trends and critical issues
    • Auto-generated graphs
  • Summary of Recommendations

    • Highlights of the work we recommend to remediate findings
  • Post-Test Remediation

    • List of details with type, severity, state, and resolution
  • Finding Details

    • More information on each finding

Within Cobalt, this is also known as a Report or a Final Report. For more information, see Pentest Reports.

Pentest Tag

Pentest identifier on the Cobalt platform that starts with #. You can see the tag on the pentest page under the title.

Pentest tag

Projects (Cloud Assets)

All resources included in your cloud asset. For example, AWS defines a project as a collection of resources associated with an asset.

PtaaS Pentest

A pentest that Cobalt pentesters perform on the Cobalt Pentest as a Service (PtaaS) platform for a customer. This includes the following pentest types:

Contrast with In-House Pentest that a customer runs on the Cobalt Pentest Management Platform (PMP) with their In-House Pentesters.

Agile Pentest

An Agile Pentest performed by Cobalt pentesters focuses on code changes or a specific area of an asset and comes with an Automated Report intended for internal use. Learn more about the pentest types.

You may want an Agile Pentest for:

  • Recent code changes, such as after a sprint or before a release
  • Specific subsets of your asset, such as:
    • A single feature such as a new RESTful API endpoint
    • One microservice
  • You can also use an Agile Pentest to test:

Comprehensive Pentest

A Comprehensive Pentest is performed by Cobalt pentesters for security audit, compliance audit, or customer attestation and includes comprehensive reports intended for external stakeholders. Learn more about Comprehensive Pentests.

You may want a Comprehensive Pentest for:

  • A comprehensive security audit of your software
  • Broad subsets of your asset, such as:
    • API with all the endpoints that it includes
    • All microservices
  • A compliance audit based on a specific framework, such as SOC 2
  • All categories from the OWASP Top 10 list
  • M&A due diligence, to identify and eliminate possible risks for all parties involved
  • A specific customer of third-party attestation request

Pentest Report

A summary of all vulnerability reports, including observations on positive security measures. Target audiences: executives, security engineers, and developers. Includes:

  • Executive Summary

    • Describes the tests performed with criteria.
  • Executive Analysis

    • Includes a high-level summary of vulnerabilities.
  • Scope of Work

    The scope of work for a pentest includes:

    • Target description
    • Environment
    • In-scope Testing Methodologies
    • Assumptions and Constraints
    • Test Methodologies
    • Web app-specific issues (endpoints, fuzzing)
    • Secure test cases
  • Summary of Findings

    • Trends and critical issues
    • Auto-generated graphs
  • Summary of Recommendations

    • Highlights of the work we recommend to remediate findings
  • Post-Test Remediation

    • List of details with type, severity, state, and resolution
  • Finding Details

    • More information on each finding

Within Cobalt, this is also known as a Report or a Final Report. For more information, see Pentest Reports.

Point of Contact

A user assigned as the point of contact on a pentest may be contacted by Cobalt Staff members with questions regarding the pentest.

Learn more about assigning a point of contact.

Projects (Cloud Assets)

All resources included in your cloud asset. For example, AWS defines a project as a collection of resources associated with an asset.

Recovery Code

A recovery option, with 2FA enabled, to regain entry into your account if you lose access to your device and/or authenticator app.

Remediate

To fix a vulnerability identified by a pentest or incident report. Examples:

  • Install a security update on an affected server
  • Update directly affected code

Contrast with mitigate. This reflects how we use remediate at Cobalt, and differs slightly from the NIST definition of remediation.

Resource Group (Cloud)

A set of resources in a cloud asset. For more information, see Google GCP documentation.

RESTful API

Per TechTarget, “A RESTful API is an architectural style for an application program interface (API) that uses HTTP requests to access and use data.” Also see API Endpoint.

Route (Software)

As defined by Manning, in software, it’s a system for resource navigation. If you’re working in the browser, you might be familiar with routing as it relates to:

  • URLs
  • Resources, such as paths to images and scripts, functions, and so on

If you’re working on the server, matching incoming request paths to resources from a database.

SAML Single Sign-on (SSO)

Single sign-on (SSO) is an authentication method that allows users to access multiple independent systems with a single set of credentials.

SSO based on the SAML 2.0 protocol works by passing authentication data in the form of digitally signed XML files (assertions) between two systems: a service provider (SP) and an identity provider (IdP).

  • A service provider requests authentication assertions from the identity provider.
  • An identity provider sends authentication assertions to the service provider once the user’s identity is confirmed.

Depending on where the authentication workflow starts, SAML SSO can be of the following types:

SAML SSO provides a secure experience because user credentials are never transmitted during authentication.

SP-Initiated SSO

In the service provider-initiated (SP-initiated) SAML SSO, the authentication workflow starts on the service provider side.

  • When a user signs in to the service provider system, the service provider sends an authentication request to the identity provider.
  • Once the IdP has authenticated the user’s identity, the user is signed in to the service provider system.

IdP-Initiated SSO

In the identity provider-initiated (IdP-initiated) SAML SSO, the authentication workflow starts on the identity provider side.

  • First, a user signs in to the identity provider system, such as Okta, OneLogin, or Microsoft Azure AD.
  • The user selects the app configured for their service provider in the IdP system or follows a unique URL.
  • The service provider requests the IdP to authenticate the user.
  • Once the user’s identity is authenticated on the IdP side, the user is signed in to the service provider system.

Secure Code Review

A Secure Code Review is the human-led examination of software’s source code in order to identify security vulnerabilities that are the result of design flaws, but proven to be valid security issues. It is an important part of any organization’s software development life cycle (SDLC) and helps improve the overall quality and security of the software and an organization’s overall security posture.

Security Assertion Markup Language

As defined by the Organization for the Advancement of Structured Information Standards (OASIS), the Security Assertion Markup Language (SAML) SAML is an XML-based framework for communicating user authentication, entitlement, and attribute information.

Security Audit

As defined by NIST, an independent review and examination of a system’s records and activities to determine the adequacy of system controls, ensure compliance with established security policy and procedures, detect breaches in security services, and recommend any changes that are indicated for countermeasures.

Sender Policy Framework

Sender Policy Framework (SPF) is an email authentication method.

An SPF record is a type of record that a domain owner uses to specify which mail servers are authorized to send email on behalf of their domain.

SANS Institute

Original sponsor of a set of standards for testing networks. SANS stands for SysAdmin, Audit, Network, and Security. The SANS Top 20 has been migrated to CIS Controls Version 8.

Scope of Work

Cobalt may refer to this as the “scope” of your pentest. The scope of work for a pentest includes:

  • Target description
  • Environment
  • In-scope Testing Methodologies
  • Assumptions and Constraints
  • Test Methodologies
  • Web app-specific issues (endpoints, fuzzing)
  • Secure test cases

Single-Page Application

For more information, see https://developer.mozilla.org/en-US/docs/Glossary/SPA

Contrast with Traditional Web Application.

Specialized Pentest

A Specialized pentest that you see in the Cobalt UI is an engagement conducted by the Cobalt Cybersecurity Services team.

Learn more about Cybersecurity Services.

Static Web Page

A web page with static content that doesn’t change depending on the user or location. Contrast with Dynamic Web Pages.

Traditional Web Application

A web application that consists of a web browser on the client side and a web server. Most of the application logic is performed on the server side.

May also be referred to as multi-page application (MPA). Contrast with Single-Page Application.

User Role

A User Role is a user group within an application with specific permissions, such as an administrator, manager, or guest.

When scoping a pentest, specify the number of roles that you want to test.

Vulnerability

A security issue discovered during a pentest. Also a specific weakness which can be exploited by a threat actor, such as an attacker who crosses privilege boundaries (and performs unauthorized actions) within a computer system.

Contrast with Known Vulnerability. A vulnerability may be part of a finding.

Vulnerability Management

The cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. At Cobalt, we focus on manual pentests (enhanced with automated tools). Also see Vulnerability Assessment and Management, as defined by the US Cybersecurity and Infrastructure Agency (CISA).

Vulnerability Report (Manual)

A document that provides information about one specific finding. Cobalt vulnerability reports are based on manual tests. Such reports include:

  • Step-by-step notes on how the tester identified each vulnerability (when possible)
  • Locations, such as files or hardware
  • Recommendations to remediate

Vulnerability Report (Automated)

A document created by an automated scanning tool. Primarily used to list known vulnerabilities associated with specific code patterns.

Vulnerability Type

How Cobalt classifies the vulnerability. Examples include:

  • Client Side Injection
  • Server Security Misconfiguration > Lack of Password Confirmation
  • Broken Authentication and Session Management

Web Page

A hypertext document on the web. Web applications typically include static and dynamic web pages.

  • A Static Web Page contains stable content that appears the same for every user who opens the page.
  • A Dynamic Web Page includes content that can be customized, either through an application server (server-side) or through code such as JavaScript running in the browser (client-side).

White-Box Testing

Where the pentester has full knowledge of the internal details of the asset. Contrast with black-box and gray-box testing.

Also known as “clear-box testing.”

References

Last modified December 18, 2024