Managed Services Glossary
0–9
2FA
Two-factor authentication (2FA) is a two-step login process for MSP: after entering the password, the user must also enter a one-time code generated by an authenticator app on their device (see Authy, Google Authenticator, and Microsoft Authenticator). A stolen password alone is therefore not enough to log in.
3D service
A 3D service allows users to run an unlimited number of tests, one at a time, for different application types, such as Web, Mobile, and SCR. Users can choose from the following assessment types for the test: DAST-E, DAST-S, PT-S, PT-E, SAST-A, SAST-E, SAST-S, SAST-C, MAST-S, and MAST-C.
A
a-la-carte service
A test type that is restricted to a single assessment. The following test types are a-la-carte services: DAST-E, DAST-S, NST-S-250IP, NST-S-500IP, PT-S, PT-E, SAST-A, SAST-E, SAST-S, SAST-C, MAST-S, and MAST-C.
application
In the context of MSP, an application is a software application, developed by Black Duck or by a third party, that is the subject of a security assessment.
artifact
A general term for an object, usually a report or a customer-uploaded file, that is used in a security assessment.
Authy
Authy is a 2FA authenticator app for mobile devices, including Android. It generates time-based one-time codes on the device for the two-step verification process.
automated/manual testing state
A test state indicating that the assessors have started their automated or manual tests.
C
complete test state
A test that has reached completion. After the security consultant has run all of their tests and formatted the findings into a report, the assessment is considered complete.
D
dynamic application security test (DAST)
A Dynamic Application Security Test (DAST) is a service that tests a Web application while it is running, whether in a test environment or in production, by sending requests to it and observing its responses in order to find vulnerabilities. Unlike SAST, it does not require access to the source code.
demo/scoping call
A Managed Services demo is also known as a scoping call. It is a call on which customers can ask questions to better understand the Managed Services application and identify the scope of what needs to be tested. For any test to be scheduled, the customer must answer a list of questions about the application being tested. These questions are asked so that an assessor knows how to access the application (credentials), the test requirements, and the application's security settings.
draft test
For a test to be scheduled, a list of questions must be answered. If some of the questions cannot be answered at the time the test is submitted, the test can be saved as a draft test and the scheduling resumed later.
F
finding
A potential security problem identified during an assessment, for example in the output of a tool or script. Findings are verified by the assessors (see QA/QC state) before they are reported to the customer.
G
Google Authenticator
Google Authenticator is a 2FA authenticator app by Google. It implements two-step verification using the time-based one-time password (TOTP) and HMAC-based one-time password (HOTP) algorithms: the app and the server share a secret key, and the app derives a short-lived code from that key and either the current time (TOTP) or a counter (HOTP).
I
identity provider (IdP)
An Identity Provider (IdP) is an entity that creates, maintains, and manages identity information for users and authenticates them on behalf of relying applications. In an SSO setup, MSP trusts the IdP (for example, Okta) to authenticate the user and accepts the IdP's assertion instead of a password.
in-progress test state
A test state indicating that an assessment is currently running. After the test has started, its status is in progress; that is, the assessor is actively testing to find security problems.
L
lead day
The period (usually in days) before a production test starts, during which no other production scan can be scheduled. It is the preparation time before an assessment begins; it is provided because an assessment involves several stakeholders (the scan points of contact), who need time to prepare.
M
mobile application standard test (MAST)
A Mobile Application Standard Test (MAST) is a service that assesses mobile applications, such as Android apps, for security vulnerabilities. MAST-S and MAST-C are the assessment types offered under this service.
Microsoft Authenticator
Microsoft Authenticator is a 2FA authenticator app by Microsoft for mobile devices. It generates time-based one-time codes used during the two-step verification process.
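All three authenticator apps listed in this glossary (Authy, Google Authenticator, Microsoft Authenticator) produce codes with the same algorithms, HOTP (RFC 4226) and TOTP (RFC 6238). The following is an added example, not code from MSP or from any of those apps, showing what the app computes and what a server such as MSP must check when the code is entered: a drift window, a constant-time comparison, and replay refusal. The seed used in the demo is the reference secret from the RFC test vectors; the Base32 helper mirrors how apps are provisioned (assumption: standard otpauth-style Base32 secrets).

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(secret, counter) with dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the current 30-second time step."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret, code, unix_time, last_used_step=-1, step=30, digits=6, window=1):
    """Server-side check. Accepts the current step and `window` steps either side (clock drift),
    refuses any step that was already consumed (replay) and compares in constant time.
    Returns the accepted step so the caller can persist it as last_used_step, or None."""
    current = unix_time // step
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_used_step:
            continue  # this step (or an earlier one) has already been used: replay
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps are provisioned with the shared secret as Base32 (assumption: otpauth-style);
    this undoes that encoding, tolerating the spaces and dropped padding that manual entry produces."""
    cleaned = encoded.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    # RFC 6238 reference seed, the ASCII string "12345678901234567890" (from the RFC's test vectors)
    seed = b"12345678901234567890"
    print(totp(seed, 59, digits=8))                 # 94287082, per RFC 6238 Appendix B
    print(verify_totp(seed, totp(seed, 59), 59))    # 1: the step that was consumed
```

The server persists the returned step per user; a second submission of the same code within the window then fails the `last_used_step` check, which is the defence against an attacker who shoulder-surfs or phishes a still-valid code.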
N
network security testing (NST)
Network Security Testing (NST) is a service that assesses the hosts and services on the target network for security vulnerabilities and reports the findings.
O
on-hold test state
A test can be moved into the on-hold state from any other state. A test is put on hold when the assessor is waiting for more information from the customer, or when the customer wants to pause the assessment, for example because of environment problems or a blocking issue.
order
A representation of a customer's purchase of a service.
P
pen testing (PT)
Penetration testing (pen testing, or PT) is the practice of testing a computer system, network, or Web application the way an attacker would, to find security vulnerabilities that could be exploited.
point of contact (POC)
A stakeholder on the customer side who monitors and manages the application during the security assessment.
pre-qualification state
Pre-qualification is the first step, in which the assessor gathers information from the different stakeholders. The goal is to identify and confirm the scope of the assessment and to ensure that all assessment-related information and artifacts have been provided by the client before the assessment starts.
Q
QA/QC state
A test state indicating that the findings reported by the assessors are being verified (quality assurance/quality control) before they are released in the report.
R
role-based access control (RBAC)
Role-based access control (RBAC) is a set of rules that determine the privileges and available tasks of a particular user from the roles assigned to that user rather than from the user's identity. RBAC components typically include role permissions, user-role assignments, and role-role relationships (one role inheriting the permissions of another).
report
The findings and results presented to the customer after tests have been performed on the customer's application. The format is specific to the test type and/or customer.
REST API token
The REST API token is an alphanumeric value generated by the system for access to the REST APIs exposed to customers. For security reasons, the value is shown only when it is generated and cannot be retrieved again afterwards, so store it in a secrets manager at that time. If the token is lost or may have been exposed, regenerate it. Treat the token like a password: it carries the privileges of the user it was issued to.
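The "cannot be retrieved again" property comes from how the token is stored on the server: only a digest of it is kept, so the clear text exists exactly once, in the response to the generate call. The following is an added illustration of that design, not MSP's implementation; the class, its methods and the 64-hex-character token length are assumptions made for the example.

```python
import hashlib
import secrets


class ApiTokenStore:
    """Issues one REST API token per user and stores only a SHA-256 digest of it.
    Because the clear text is never stored, it cannot be shown again after generation;
    the only recovery path is regeneration, which also retires the previous token."""

    def __init__(self):
        self._digest_by_user = {}   # user -> sha256 hex digest of the active token
        self._user_by_digest = {}   # digest -> user, for O(1) lookup on every API call

    @staticmethod
    def _digest(token: str) -> str:
        # The token is a 256-bit random value, not a password, so an unsalted SHA-256 is enough:
        # a leaked digest table cannot be brute-forced and no slow KDF is needed.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def generate(self, user: str) -> str:
        """Return the clear-text token exactly once; only its digest is kept."""
        self._revoke(user)
        token = secrets.token_hex(32)            # 64 hex characters, 256 bits of entropy
        digest = self._digest(token)
        self._digest_by_user[user] = digest
        self._user_by_digest[digest] = user
        return token

    def regenerate(self, user: str) -> str:
        """Replace the user's token: the old value stops authenticating immediately."""
        return self.generate(user)

    def _revoke(self, user: str) -> None:
        old = self._digest_by_user.pop(user, None)
        if old is not None:
            self._user_by_digest.pop(old, None)

    def authenticate(self, presented: str):
        """Map a presented token to its user, or None. A dict lookup on the digest is fine here:
        timing reveals at most whether two digests match, and the attacker cannot control the preimage."""
        if not presented or len(presented) != 64:
            return None
        return self._user_by_digest.get(self._digest(presented))

    def has_token(self, user: str) -> bool:
        return user in self._digest_by_user


if __name__ == "__main__":
    store = ApiTokenStore()
    first = store.generate("alice")          # shown to the user once
    second = store.regenerate("alice")       # first is now dead
    print(store.authenticate(first), store.authenticate(second))   # None alice
```

There is deliberately no `get_token(user)` method: nothing in the store can reconstruct the clear text, which is exactly why the UI can only offer to regenerate.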
roles
A collection of rules that define all of the tasks available to a set of users. Users obtain access by being assigned roles (see RBAC), so a user's privileges are the union of the privileges of the roles assigned to them.
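The RBAC and roles entries above describe three relations: role to permission, user to role, and role to role (inheritance). An added example, not MSP's own authorization code, showing how an authorization check resolves those relations transitively and denies by default; the role names and permissions in `build_demo()` are constructed for illustration and are not MSP's actual roles.

```python
from collections import deque


class Rbac:
    """Roles map to permissions, users map to roles, and a role may inherit from other roles
    (the role-role relationship). Access is denied unless some effective role grants it."""

    def __init__(self):
        self._role_perms = {}     # role -> {"action:resource", ...}
        self._role_parents = {}   # role -> {roles it inherits from}
        self._user_roles = {}     # user -> {roles assigned directly}

    def add_role(self, role, permissions=(), inherits=()):
        for parent in inherits:
            if parent not in self._role_perms:
                raise KeyError(f"unknown parent role {parent!r}")
        self._role_perms[role] = set(permissions)
        self._role_parents[role] = set(inherits)

    def assign(self, user, *roles):
        unknown = [r for r in roles if r not in self._role_perms]
        if unknown:
            raise KeyError(f"unknown roles {unknown}")
        self._user_roles.setdefault(user, set()).update(roles)

    def effective_roles(self, user):
        """Transitive closure over inheritance; the `seen` set keeps this terminating on cycles."""
        seen, queue = set(), deque(self._user_roles.get(user, ()))
        while queue:
            role = queue.popleft()
            if role in seen:
                continue
            seen.add(role)
            queue.extend(self._role_parents.get(role, ()))
        return seen

    def effective_permissions(self, user):
        perms = set()
        for role in self.effective_roles(user):
            perms |= self._role_perms[role]
        return perms

    def allowed(self, user, action, resource):
        """Deny by default: an unknown user or an unmatched permission is a refusal."""
        return f"{action}:{resource}" in self.effective_permissions(user)


def build_demo():
    """Constructed sample hierarchy (illustrative names, not MSP's roles): admin > scheduler > viewer."""
    rbac = Rbac()
    rbac.add_role("viewer", {"read:test", "read:report"})
    rbac.add_role("scheduler", {"create:test", "update:test"}, inherits=["viewer"])
    rbac.add_role("admin", {"regenerate:api-token", "manage:user"}, inherits=["scheduler"])
    rbac.assign("alice", "admin")
    rbac.assign("bob", "viewer")
    return rbac


if __name__ == "__main__":
    rbac = build_demo()
    print(sorted(rbac.effective_roles("alice")))          # ['admin', 'scheduler', 'viewer']
    print(rbac.allowed("bob", "create", "test"))          # False
```

The check is a set membership on the fully resolved permission set, so adding a parent role to a role widens access for every user holding it; that is the property to audit when role-role relationships are edited.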
S
security assertion markup language (SAML)
Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP), such as Okta, and a service provider (SP), such as MSP, Polaris, RGP, and others. Its Web browser SSO profile lets a user authenticate once at the IdP, which then sends the SP a digitally signed assertion about that user; the SP verifies the signature and the assertion's conditions (issuer, audience, validity period) before logging the user in.
static application security test (SAST)
A Static Application Security Test (SAST) is a service that analyzes application source code, byte code, and binaries, without running the application, for coding and design conditions that indicate security vulnerabilities.
software composition analysis (SCA)
Software Composition Analysis (SCA) scans binaries (and source) for the third-party and open-source libraries an application uses, producing an inventory of those libraries together with their licenses and, typically, their known vulnerabilities.
scan/test/assessment
A targeted test performed by a security consultant on the customer's application or network to find potential security issues. The three terms are used interchangeably in MSP.
scoping form
A set of questions that the customer must answer before the security assessment can be performed, to help the consultant determine the scope of the test. Because the depth of testing differs per product, each product has its own set of questions.
scoping state
The test state in which the assessors determine the scope of the assessment, based on the customer's answers to the scoping form.
security vulnerability
A security issue identified within the application during a test or scan. Any assessment may uncover security problems within the application.
service
The manifestation of a product for a customer. When a customer buys a product, the product is represented as a service.
service-level agreement (SLA)
A service-level agreement (SLA) is a contract between a service provider and a client that defines the expected level of service, in particular the turnaround time for a service request or security assessment. It is measured in days and hours.
service provider (SP)
A service provider is a system, such as MSP, that receives authentication assertions from an identity provider under the SAML single sign-on (SSO) profile and, after validating them, grants the user access.
single sign-on (SSO)
Single sign-on (SSO) allows a user to log in to multiple applications with one set of credentials by authenticating once at an identity provider.
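The IdP, SAML, SP and SSO entries together describe one exchange: the IdP asserts who the user is and the SP decides whether to trust that assertion. An added example of the SP-side decision, not MSP's or any IdP's code; the entity IDs, the sample response and the two-minute clock-skew allowance are constructed for the illustration. The XML signature check is deliberately out of scope here and is assumed to have been done already by an XML-DSig library; this code covers the checks that still reject a genuinely signed assertion that was issued for another SP, by another IdP, or at another time.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample response: placeholder entity IDs, no real IdP or SP behind them.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://msp.example.com/sp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


class AssertionRejected(Exception):
    pass


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(response_xml, expected_issuer, sp_entity_id, now, skew=timedelta(minutes=2)):
    """SP-side checks on a Response whose XML signature has ALREADY been verified (assumption);
    this function does not verify signatures. Returns the asserted NameID.
    For XML from the network use defusedxml instead of xml.etree to block entity-expansion attacks."""
    root = ET.fromstring(response_xml)
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise AssertionRejected("expected exactly one Assertion")
    assertion = assertions[0]

    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        raise AssertionRejected(f"issuer {issuer!r} is not the trusted IdP")

    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        raise AssertionRejected("missing Conditions")
    not_before = parse_saml_time(conditions.get("NotBefore"))
    not_on_or_after = parse_saml_time(conditions.get("NotOnOrAfter"))
    if now + skew < not_before or now - skew >= not_on_or_after:
        raise AssertionRejected("assertion is outside its validity window")

    audiences = [a.text.strip() for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise AssertionRejected("assertion was not issued for this SP")

    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        raise AssertionRejected("missing NameID")
    return name_id


def try_login(response_xml, expected_issuer, sp_entity_id, now):
    """Convenience wrapper: (True, name_id) on success, (False, reason) on rejection."""
    try:
        return True, validate_assertion(response_xml, expected_issuer, sp_entity_id, now)
    except AssertionRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    print(try_login(SAMPLE_RESPONSE, "https://idp.example.com", "https://msp.example.com/sp",
                    parse_saml_time("2024-01-01T12:02:00Z")))      # (True, 'alice@example.com')
    print(try_login(SAMPLE_RESPONSE, "https://idp.example.com", "https://other.example.com/sp",
                    parse_saml_time("2024-01-01T12:02:00Z")))      # (False, 'assertion was not issued for this SP')
```

The audience check is the one most often missing in home-grown SPs: without it, a valid assertion the IdP issued for a different application (say, a low-value one) can be replayed to log in to this one.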
suspended test state
The state of a test that has been suspended or canceled.
T
target
A target represents the system under test. For a Web application, it is the URL of the application; for a mobile application, it is the type of operating system; for source code, it is the programming language.
target group
A logical grouping of targets. Groups can be used to collect related targets; for example, all production targets.
target type
A target type is the kind of application, such as an Android mobile app or Java source code, that your organization wants to test for security vulnerabilities. The target types are: Web target, Mobile app, Network target, Source code target, Architecture target, and Cloud target.
test revalidation/retest
A test revalidation, also known as a retest, is run when the customer wants to check whether the issues reported in an earlier test have been fixed.
test state
An assessment request passes through several states before the test is considered complete (see the pre-qualification, scoping, upcoming, in-progress, automated/manual testing, QA/QC, on-hold, suspended, and complete test states). After the test is submitted, it may be queued, awaiting an assessor to begin testing. At the end of the testing process, the vulnerabilities uncovered are organized into a report.
token
A token is a string of hex values that can be exchanged or redeemed for a service. Five types of tokens are available: Onboarding, Onboarding with services, Top up, New service, and Top up validity.
U
upcoming test state
After a test is submitted, it is marked as being in the "upcoming" state. This indicates that the scheduled start date has not yet passed.
V
vulnerabilities
Vulnerabilities are potential security issues reported after the tools have run and the tests have been performed.