Software libraries, frameworks, packages, and other components, and their dependencies (third-party code that each component uses) that have inherent security weaknesses, either through newly discovered vulnerabilities or because newer versions have superseded the deployed version. 

Audio reference Link: "The Panama Papers: A Closer Look," Late Night with Seth Meyers, YouTube, 12 April 2016

Learn more about your ad choices. Visit megaphone.fm/adchoices

Code and data repositories that don't protect against unauthorized changes.

Learn more about your ad choices. Visit megaphone.fm/adchoices

An attack technique that leverages an unprotected web server as a proxy for attackers to send commands through to other computers. 

Learn more about your ad choices. Visit megaphone.fm/adchoices

The absence of telemetry that could help network defenders detect and respond to hostile attempts to compromise a system. 

Learn more about your ad choices. Visit megaphone.fm/adchoices

Ineffectual confirmation of a user's identity or authentication in session management.

CyberWire Glossary link: https://thecyberwire.com/glossary/owasp-identification-and-authentication-failure

Audio reference link: “Mr. Robot Hack - Password Cracking - Episode 1.” YouTube Video. YouTube, September 21, 2016.

Learn more about your ad choices. Visit megaphone.fm/adchoices

An open source Java-based software tool available from the Apache Software Foundation designed to log security and performance information. 

CyberWire Glossary link: https://thecyberwire.com/glossary/log4j

Audio reference link: “CISA Director: The LOG4J Security Flaw Is the ‘Most Serious’ She’s Seen in Her Career,” by Eamon Javers (CNBC) and Jen Easterly (Cybersecurity and Infrastructure Security Director) YouTube, 20 December 20 2021.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Software users are allowed access to data or functionality contrary to the defined zero trust policy by bypassing or manipulating the installed security controls. 

Learn more about your ad choices. Visit megaphone.fm/adchoices

A security philosophy that assumes adversaries have already penetrated the digital environment and tries to reduce the potential impact by limiting access by people, devices, and software to only the resources essential to perform their function and nothing more. 

Learn more about your ad choices. Visit megaphone.fm/adchoices

The state of a web application when it's vulnerable to attack due to an insecure configuration. 

CyberWire Glossary link: https://thecyberwire.com/glossary/owasp-security-misconfiguration

Audio reference link: “What Is the Elvish Word for Friend?” Quora, 2021.

Learn more about your ad choices. Visit megaphone.fm/adchoices

A broad OWASP Top 10 software development category representing missing, ineffective, or unforeseen security measures.

CyberWire Glossary link: https://thecyberwire.com/glossary/owasp-insecure-design

Audio reference link: “Oceans Eleven Problem Constraints Assumptions.” by Steve Jones, YouTube, 4 November 2015.

Learn more about your ad choices. Visit megaphone.fm/adchoices