Security Glossary

Case Management

A disciplined workflow for recording, assigning, and tracking security incidents or investigations from the first alert to formal closure. It combines ticketing, evidence capture, task ownership, and reporting so every step is auditable—helping teams maintain chain of custody, meet compliance mandates, and extract post-incident lessons.

Compliance

The ongoing process of ensuring that an organization’s software, infrastructure, and operational practices meet all applicable external regulations (e.g., GDPR, HIPAA, PCI-DSS) and internal policies or frameworks (ISO 27001, SOC 2, CIS Benchmarks). Achieving compliance involves mapping requirements to concrete controls, verifying those controls through audits and continuous monitoring, collecting evidence (logs, test results, access reviews), and remediating gaps on a defined schedule. In a QA context, testers validate that the product and its development pipeline enforce mandated safeguards—such as encryption, access restrictions, and data-retention rules—so releases ship with provable adherence to legal and contractual obligations.

Container Security

The set of practices and tools that protect containerized workloads throughout the life cycle—from image creation and registry scanning to runtime monitoring and network segmentation. It addresses vulnerabilities in base images, misconfigurations in orchestration platforms (e.g., Kubernetes), and threats such as container breakout.

Continuous Compliance

An automated approach to proving and maintaining adherence to security and privacy standards (e.g., SOC 2, PCI-DSS) on an ongoing basis rather than at scheduled audits. Integrations with CI/CD pipelines, cloud APIs, and policy-as-code frameworks generate evidence in real time, reducing audit preparation overhead.

Cyber Threat Hunting

A proactive, hypothesis-driven search for adversaries who have slipped past preventive and detective controls. Analysts combine threat intelligence, behavioral analytics, and deep knowledge of attacker tradecraft (e.g., MITRE ATT&CK techniques) to iteratively query logs, endpoints, and network telemetry, surfacing stealthy indicators of compromise before damage escalates.

Data Loss Prevention (DLP)

A combination of tools and policies that continuously monitor data at rest, in motion, and in use to stop unauthorized exposure of sensitive information (e.g., PII, source code, trade secrets). By inspecting content and context, DLP can automatically block, quarantine, or encrypt risky transfers—such as emailing confidential files, copying to USB, or uploading to unsanctioned cloud apps—helping organizations meet regulatory mandates and reduce breach impact.

DevSecOps

The practice of embedding security checks, controls, and culture directly into the DevOps pipeline. Automation (e.g., SAST/DAST scans, policy gates) and shared ownership ensure that security issues are detected and remediated as early—and as fast—as code moves from commit to production.

Endpoint Detection and Response (EDR)

Software agents that continuously monitor endpoints (laptops, servers, VMs) for malicious behavior. They use behavioral analytics and threat intelligence to surface indicators of attack, enable rapid containment (isolation, process kill), and provide forensic data for root-cause analysis.

Identity and Access Management (IAM)

A unified framework of policies, processes, and technologies that ensures the right users — whether human or machine — have the minimum necessary access to the right resources, at the right time, and for the right reasons. It centralizes identity creation, lifecycle governance, authentication (SSO, MFA), and fine-grained authorization (RBAC/ABAC) across cloud and on-prem environments, while logging every action for auditability and compliance.

Incident Response

A structured, repeatable process for detecting, analyzing, containing, eradicating, and recovering from security events. Runbooks, communications plans, and post-incident retrospectives help teams minimize damage, meet regulatory deadlines, and strengthen defenses.

Least Privilege

The principle of granting users and services only the minimum permissions needed to perform their tasks, and nothing more. By limiting the blast radius of compromised credentials, it curbs unauthorized actions and data exposure.

Multi-Factor Authentication (MFA)

An access-control method that requires users to present at least two distinct forms of verification (e.g., password plus hardware token or biometric) before gaining entry. By layering “something you know,” “something you have,” and/or “something you are,” MFA drastically reduces the success rate of credential-based attacks.

Penetration Testing (Pentesting)

A controlled, goal-oriented exercise in which trained security professionals (internal or third-party) emulate real-world attackers to identify and exploit vulnerabilities in live systems, networks, or applications. Pentesters combine automated scanning with manual techniques—reconnaissance, social engineering, privilege escalation—to map attack paths, demonstrate business impact, and deliver a report with reproducible findings, severity ratings, and recommended fixes that feed into the organization’s QA and risk-management workflows.

Privileged Access Management (PAM)

Technology and workflows that secure, monitor, and govern accounts with elevated rights (e.g., admin, root, service accounts). Features like credential vaulting, session recording, and just-in-time access block misuse while preserving audit trails.

Runtime Application Self-Protection (RASP)

An in-process security technology that instruments an application to detect and block attacks in real time. By analyzing runtime behavior (inputs, system calls, data flows), RASP can stop SQL injection, command injection, and other exploits without external WAF rules.

Secure SDLC (Secure Software Development Life Cycle)

A framework that weaves security activities—requirements, threat modeling, secure coding, code review, and pen testing—into every phase of software creation. The goal is “shift-left” risk reduction: catching defects early when they’re cheaper to fix.

Security Automation

The orchestration of security tasks—such as alert enrichment, phishing triage, malware containment, and playbook-driven response—via scripts, APIs, and SOAR platforms. By letting software handle repetitive, time-sensitive actions at scale, teams cut mean time to detect and respond (MTTD/MTTR), reduce human error, and free analysts for higher-value investigative work.

Security Information and Event Management (SIEM)

A centralized platform that collects, normalizes, and correlates logs and security events from across an environment. Real-time analytics, rule-based alerts, and long-term storage let analysts detect anomalies, investigate incidents, and demonstrate regulatory compliance from a single console.

Software Bill of Materials (SBOM)

A detailed inventory of all components, libraries, and licenses that make up a software release. SBOMs let organizations trace dependencies, spot vulnerable open-source packages, and comply with emerging software-supply-chain regulations.

Static Application Security Testing (SAST)

A white-box security technique that scans an application’s source code, bytecode, or compiled binaries at rest—before runtime—to detect flaws such as injection points, insecure cryptography, and hard-coded secrets. SAST tools integrate into IDEs and CI pipelines, highlight the exact file and line of vulnerable code, and provide remediation guidance, enabling developers and QA to “shift left” by fixing issues long before deployment.

Threat Intelligence

Curated data plus contextual analysis about adversaries, their indicators of compromise (IOCs), and tactics, techniques, and procedures (TTPs). Consuming this intel—via feeds, reports, or threat-intel platforms—helps security teams prioritize defenses and hunt emerging threats proactively.

Vulnerability Management

A continuous cycle of identifying, prioritizing, remediating, and verifying fixes for software and infrastructure weaknesses. It blends asset inventory, automated scans, threat context, and patch orchestration to keep known flaws from becoming exploitable breaches.

Zero Trust Architecture

A security model that assumes no user, device, or workload is inherently trustworthy—even inside the perimeter. It enforces least-privilege access through continuous authentication, micro-segmentation, and policy-based controls to reduce lateral movement.