In recent years, the Internet has experienced a huge increase in electronic commerce (e-commerce). This increase in monetization of information in the cloud means that attackers can now be rewarded financially, socially, and even politically for a successful attack. There is a low risk in attempting these attacks, since there is a small chance of getting captured and therefore, of prosecution. With a more motivated enemy, companies and enterprises have to improve their security measures to face these new threats. They must identify the threats and defend the vulnerabilities that may affect the data that has a big impact on their business.
In order to understand the content of this book completely, you will first need to understand some basic concepts about software security:
Access control: This ensures selective access to resources by users that are entitled to it.
Asymmetric cryptography: This is also known as the public key cryptography and uses algorithms that employ a pair of keys—one public and one private. A public key is used to encrypt the data while a private key is used to decrypt data.
Authentication: This is a process through which we can confirm the identity of a user.
Authorization: This is a process through which we give someone permission to do or have something.
Availability: This means that the system and data are available to authorized users when they may make use of it.
Brute force: This is a very basic and nonoptimal cryptanalysis technique that tries every possibility to crack a key or a password.
Cipher: This is a cryptographic algorithm that may be used for encryption and decryption.
Code injection: This is an attack where the code is inserted into application queries. This kind of attack is commonly used to alter databases via SQL injections.
Confidentiality: This specifies that the data is only available for users who have permission to access it.
Crack: This is the process through which an attacker attempts to gain access to a machine, network, or software.
Decryption: This is the process through which an encrypted message is transformed into its original state.
Denial-of-service (DoS): This is a type of attack that makes an online resource unavailable for a fixed amount of time.
Distributed denial-of-service (DDoS): This type of attack is similar to the DoS attack, but it is perpetrated from several machines and is generally more effective than a DoS attack.
Dictionary attack: This is a basic cryptanalysis technique that uses all the words in a dictionary when trying to crack a key or password.
Encryption: This is a process through which a plain piece of data is transformed into an encrypted state, with the objective of concealing this information in order to prevent access from unwanted sources.
Hash function: This is a type of algorithm that maps data of different sizes into data of a fixed size.
Hijack attack: This is a form of attack in which an already established communication is seized and acts as one of the original participants.
Hypertext Transfer Protocol Secure (HTTPS): This is an application level protocol based on HTTP that allows a secure transfer of sensitive information in the form of hypertext.
Integrity: This means that the information is accurate and is not changed accidentally or deliberately.
Man-in-the-middle attack: This is a type of attack where the attacker assumes a position in the middle of a communication, intercepts and reads the messages of a communication, and lets the victims believe that they are directly connected to each other.
Password: This is a string of characters used for authentication.
Phishing: This is an attack attempt that appears to be from a reliable source and tricks the user into entering their authentication credentials in a different domain or application.
Risk: This is the likelihood of an attack happening and succeeding.
Sniffing attack: This is an attack that analyses the packets exchanged in a network in order to extract useful information from them.
Spoofing attack: This is an attack where an unauthorized entity gains access to a system with the credentials of an authorized user.
Symmetric cryptography: This is a type of cryptography that uses the same key for encryption and decryption, and therefore, every entity shares the same key.
Threat: This is a circumstance that could breach security and cause harm to the system.
Vulnerability: This is a weakness that allows for a threat to occur.