  • Asset (Information Asset): data and information used, processed, or stored by applications, which an unauthorized threat agent attempts to gain access to.
    • Data is factual information used for the purpose of reasoning, discussion, or calculation, while information is the communication or reception of knowledge or intelligence. (Webster, 2004)
    • Information assets are constantly processed and combined to form new information assets.
    • Four levels of classification for Information Assets:
      • Unrestricted: Information that is created in the normal course of business that is unlikely to cause harm. Unrestricted information is available to the public.
      • Protected: Information that is sensitive outside of the organization and could impact service levels or performance, or result in low levels of financial loss to individuals or enterprises. Protected information is available to employees and authorized non-employees.
      • Confidential: Information that is sensitive within the organization and could cause serious loss of privacy, competitive advantage, loss of confidence in government programs, damage to partnerships, relationships and reputation. Confidential information is available only to a specific function, group or role.
      • Restricted: Information that is extremely sensitive and could cause extreme damage to the integrity, image or effective service delivery of the organization. Extreme damage includes loss of life, risks to public safety, substantial financial loss, social hardship, and major economic impact. Restricted information is available only to named individuals or specified positions.
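The four levels above describe who may see an asset, so the natural way to use them in an application is as an authorization decision keyed on the asset's label. The following is an added example for this glossary (not code from the original page or from OWASP): the Principal and Asset records, attribute names such as `authorized_non_employee` and `position`, and the sample data are assumptions made for the illustration. It denies by default and only widens access exactly as each level's definition allows.

```python
"""Enforcing the four classification levels as an authorization decision.

Added example for this glossary; not code from the original page or from OWASP.
The Principal/Asset records, attribute names and sample data are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Least to most sensitive, as defined in the glossary.
LEVELS = ("unrestricted", "protected", "confidential", "restricted")


@dataclass(frozen=True)
class Principal:
    user_id: Optional[str] = None          # None means anonymous / public
    is_employee: bool = False
    authorized_non_employee: bool = False  # e.g. contractor under contract (assumed attribute)
    position: Optional[str] = None         # job position held (assumed attribute)
    roles: FrozenSet[str] = frozenset()    # functions, groups or roles (assumed attribute)


@dataclass(frozen=True)
class Asset:
    name: str
    level: str
    allowed_roles: FrozenSet[str] = frozenset()     # Confidential: specific function/group/role
    named_users: FrozenSet[str] = frozenset()       # Restricted: named individuals
    named_positions: FrozenSet[str] = frozenset()   # Restricted: specified positions


def may_read(p: Principal, a: Asset) -> bool:
    """Grant read access strictly by the asset's level; deny by default."""
    if a.level not in LEVELS:
        # A mislabelled asset is a governance error; fail closed and loudly.
        raise ValueError(f"unknown classification level: {a.level!r}")
    if a.level == "unrestricted":
        return True                              # available to the public
    if p.user_id is None:
        return False                             # anonymous requesters stop here
    if a.level == "protected":
        return p.is_employee or p.authorized_non_employee
    if a.level == "confidential":
        return not p.roles.isdisjoint(a.allowed_roles)
    # restricted: only named individuals or specified positions
    return p.user_id in a.named_users or p.position in a.named_positions


def demo() -> Dict[Tuple[str, str], bool]:
    """Run the check over constructed sample principals and assets."""
    anon = Principal()
    contractor = Principal("c-1", authorized_non_employee=True)
    analyst = Principal("e-7", is_employee=True, roles=frozenset({"finance"}))
    cfo = Principal("e-2", is_employee=True, position="cfo", roles=frozenset({"finance"}))
    assets = [
        Asset("press-release", "unrestricted"),
        Asset("staff-handbook", "protected"),
        Asset("forecast", "confidential", allowed_roles=frozenset({"finance"})),
        Asset("merger-plan", "restricted", named_users=frozenset({"e-9"}),
              named_positions=frozenset({"cfo"})),
    ]
    return {(who, a.name): may_read(p, a)
            for who, p in (("anon", anon), ("contractor", contractor),
                           ("analyst", analyst), ("cfo", cfo))
            for a in assets}


if __name__ == "__main__":
    for (who, asset), allowed in sorted(demo().items()):
        print(f"{who:10s} {asset:15s} {'allow' if allowed else 'deny'}")
```

Note that the restricted check deliberately ignores role membership: the analyst holds the same "finance" role as the CFO but is not a named individual or position, so the merger plan stays closed to them.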
  • Weakness: a type of mistake in software that, under the proper conditions, could contribute to the introduction of vulnerabilities within that software. This term applies to mistakes regardless of whether they occur in implementation, design, or other phases of the SDLC. (CWE)
  • Vulnerability: an occurrence of a weakness (or multiple weaknesses) within software, in which the weakness can be used by a party to cause the software to modify or access unintended data, interrupt proper execution, or perform incorrect actions that were not specifically granted to the party who uses the weakness. (CWE)
  • Threat: a potential violation of security. (ISO 7498-2)
  • Attack: a well-defined set of actions that exploit the vulnerabilities in applications and, if successful, would result in damage to an asset.
  • Attack Surface: the scope of functionality that is available to unauthenticated users.
  • Attack Path
    • a technique or method by which an attacker can gain access to a Web application in order to deliver a payload or malicious outcome.
    • examples: viruses, e-mail attachments, Web pages, pop-up windows, instant messages, chat rooms, blogs, etc.
  • Impact: consequences for an organization or environment when an attack is realized or a weakness is present.
  • Defense mechanisms (Countermeasures): defensive technologies or modules that are used to detect, deter, or deny attacks. Necessary countermeasures in an application should be identified using threat analysis to ensure that the application is protected against common types of attacks based on the threats it faces. A weakness or design flaw in a countermeasure, or the lack of a necessary countermeasure, results in a vulnerability that can make the application susceptible to attacks. (OWASP)
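The chain weakness, vulnerability, attack and countermeasure is easiest to see on one piece of code. The following is an added example, not code from the original page or from OWASP: the weakness is the CWE-22 pattern (a pathname built from untrusted input is never confined to its intended directory); the vulnerability is its reachable occurrence in `read_report_weak`; the attack is a `../` name that reads a file outside the report directory; and the countermeasure in `read_report_hardened` is canonicalisation plus a containment check. The directory layout and file names are constructed for the demo.

```python
"""Weakness, vulnerability, attack and countermeasure on one code path.

Added example for this glossary, not code from the original page or from OWASP.
The temp directory tree and file names are constructed for the demonstration.
"""
import os
import tempfile
from typing import Dict, Tuple


def read_report_weak(base_dir: str, name: str) -> str:
    # Weakness (CWE-22 pattern): untrusted `name` is joined onto the base
    # directory and the result is never checked to still lie inside it,
    # so a name such as "../secret.txt" walks out of the report directory.
    path = os.path.join(base_dir, name)
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def read_report_hardened(base_dir: str, name: str) -> str:
    # Countermeasure: canonicalise both sides (resolving "..", symlinks and
    # absolute names), then require the target to stay under base_dir.
    # Anything that escapes is rejected outright rather than "cleaned up".
    root = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"path escapes report directory: {name!r}")
    with open(target, encoding="utf-8") as fh:
        return fh.read()


def build_fixture() -> Tuple[str, str]:
    """Constructed layout: <tmp>/reports/q1.txt (public) and <tmp>/secret.txt."""
    tmp = tempfile.mkdtemp()
    reports = os.path.join(tmp, "reports")
    os.mkdir(reports)
    with open(os.path.join(reports, "q1.txt"), "w", encoding="utf-8") as fh:
        fh.write("Q1 report")
    with open(os.path.join(tmp, "secret.txt"), "w", encoding="utf-8") as fh:
        fh.write("TOP SECRET")
    return reports, tmp


def demo() -> Dict[str, str]:
    """Exercise both handlers with a normal name and with a traversal name."""
    reports, _ = build_fixture()
    out = {}
    out["weak_normal"] = read_report_weak(reports, "q1.txt")
    out["weak_traversal"] = read_report_weak(reports, "../secret.txt")  # attack succeeds
    out["hardened_normal"] = read_report_hardened(reports, "q1.txt")
    try:
        read_report_hardened(reports, "../secret.txt")
        out["hardened_traversal"] = "read"
    except PermissionError:
        out["hardened_traversal"] = "denied"
    try:
        read_report_hardened(reports, os.path.join(os.path.dirname(reports), "secret.txt"))
        out["hardened_absolute"] = "read"
    except PermissionError:
        out["hardened_absolute"] = "denied"  # absolute names are confined too
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:20s} {result}")
```

The two last cases show why the check compares canonical paths instead of scanning the string for `..`: `os.path.join` discards the base when the second argument is absolute, so a string filter alone would still let an absolute name through, whereas `realpath` plus `commonpath` closes both routes.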

Other definitions at WASC Glossary