Glossary

The glossary is a constant work-in-progress. If you have words you'd like to have defined, let me know. Or if you have definitions that are missing, let me know that too.


3G -  The 3rd generation of cellular wireless standards. 3G is implemented in a variety of non-compatible ways by various carriers. This includes CDMA, HSPA, and GSM for the most part. Typical performance is required to support peak data rates of 200 kbit/s. Some modern hybrid systems support several Mbit/s.
4G -  The 4th generation of cellular wireless standards - it's the successor to 3G. There is a vast difference between how carriers interpret and implement 4G at the current time, ranging from HSPA to WiMax to LTE, each of which has different performance characteristics. The standard requires peak data rates from 100 Mbit/s for high mobility to 1 Gbit/s for low mobility.
AJAX -  Asynchronous JavaScript and XML. It's a set of web technologies that help create interactive web applications.
ALM -  Application Lifecycle Management is the set of tools and processes to manage software from inception through developing, testing, deployment, and maintenance.
- Synonyms: Application Lifecycle Management
artificial intelligence -  An attempt to make computers work/talk/act like people. Traditional definitions included a simple test that if a person dealing with a computer, for example via a keyboard and monitor, could not tell that there was a computer on the other end, then it was artificial intelligence. Modern definitions are more strict.
- Synonyms: AI
backdoor -  An intentional vulnerability or weakness left in a system that allows certain privileged people to access the system while bypassing normal security mechanisms. Backdoors are accessible to everyone but not intended to be published - relying on "security through obscurity". In general they tend to be found, published, and used by the wrong people.
- Synonyms: back-door, backdooring
bad actor -  A person or group who actively seeks to break computer security, compromise applications, or steal data for malicious purposes. Sometimes called hacking, but hackers may or may not have good intentions.
BASIC -  Beginners All Purpose Symbolic Instruction Code. A programming language designed specifically for beginners.
brute-force -  Brute-force is a technique of trying every possible combination when attacking a system. Rather than using a sophisticated method or insider information, you simply start at 1 and try every possible thing. For example if you have a 4 digit password, you can run attacks starting with 0000 and continuing through 9999 until you get in. Secure systems normally take steps to make sure attackers cannot use this method by putting time delays and lockouts into the system.
- Synonyms: bruteforce, brute-forcing, bruteforcing
CAPEC -  CAPEC stands for Common attack pattern enumeration and classification and is a dictionary of known attack patterns used by hackers / bad actors / adversaries to exploit security vulnerabilities. See https://capec.mitre.org/
cloud computing -  From NIST: "cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."
code review -  Code review is a process where programmers look at each other's code and evaluate its fitness for the intended purpose. It can find mistakes in design and implementation beyond simple syntax problems and improve quality.
- Synonyms: peer code review, peer review
Controller Area Network -  Controller Area Network, aka CAN or CAN bus, is a wiring standard for vehicles that enables communication between various components and devices without having a host computer. For example, doors, brakes, and the transmission.
- Synonyms: CAN bus, CAN
CPU -  The CPU or Central Processing Unit is the key brain of the computer; it's the part where most computation is actually done.
- Synonyms: central processing unit, processor, microprocessor
cryptojacking -  Using someone else's computer to mine cryptocurrency. Cryptocurrency relies on complex equations that are computationally intensive for the CPU, but solving these equations gives you currency. Cryptojacking payloads often come through malicious web pages.
- Synonyms: cryptojack
CVE -  CVE stands for "Common Vulnerabilities and Exposures" and is a way to define a particular security vulnerability in an application, system, device, etc. Each security problem gets a unique CVE identifier and is listed as well in the NVD registry. Additionally, sometimes further efforts can be linked to the underlying issues in application code itself, and will associate the CVE with particular CWE IDs. See https://cve.mitre.org
CWE -  CWE stands for "Common Weakness Enumeration" and is a way to define a particular security issue in programming code. CWE is a security effort led by the US government and industry to define a taxonomy for coding problems that lead to security vulnerabilities. Each vulnerability reported has a CVE ID and should be linked to the underlying CWEs that lead to the issue. There are currently approximately 800 items defined in CWE, and efforts are underway to map their technical impacts to what kinds of problems the weakness may cause, as well as to ISO 27010. CWE is often known for its CWE Top 25 and On the Cusp lists of the most common software security problems. See https://cwe.mitre.org
DAST -  DAST tests an application for security vulnerabilities by monitoring and probing the application while it is actually running - thus the "dynamic" testing. DAST starts from inputs and is a black-box or external view. This gives a very realistic view of application behavior, but it is difficult to be completely thorough. Penetration testing, or pen-testing, is a common form of DAST.
- Synonyms: Dynamic Application Security Testing
denial-of-service -  Attackers try to make a computer, network, or application unavailable to end-users. For example, by overloading it with too much traffic, as in a distributed denial of service.
- Synonyms: DoS, DDoS
Development Testing -  Development Testing is a software development process that involves practices such as static analysis, data flow analysis, metrics, peer code review, unit testing, code coverage and other steps that can be performed at development time. The goal is not to replace traditional QA, but to reduce time and cost by catching problems earlier.
DISA -  Defense Information Systems Agency - responsible for IT throughout the DoD (Department of Defense). For example, it creates and maintains the SRG and STIG guides that help people install, configure, deploy, and monitor systems and applications securely. See https://www.disa.mil/
DMCA -  A United States digital rights bill signed in 1998 by Bill Clinton. The aim of DMCA is to protect the rights of both copyright owners and consumers. The act is controversial and some feel that it limits innovation and consumer choice to the benefit of existing content interests such as the RIAA and movie industry.
- Synonyms: Digital Millennium Copyright Act
Dongle -  A small electronic device like a USB drive that provides security. Sometimes used for secure access. Also used to hold license keys for controlled software.
early-adopter -  Someone who likes to have the latest and greatest things. They upgrade because something is newer, bigger, faster, has better numbers, etc. Sometimes they're right, but frequently the benefit of the new numbers is not measurable.
ESX -  virtual machine software called a hypervisor from VMware. It allows you to dedicate a machine to running other virtual machines, without a large OS in the way.
- Synonyms: ESXi
false positive -  A result that is incorrect. Strictly speaking, it means that the tool providing the answer got it wrong. Generally it has a broader usage, meaning an error message that the developer doesn't think is important or real, either because of context or misunderstanding by the developer.
Flash -  Web-based multimedia platform. Used for putting animation, interactivity, and video on web pages.
flow analysis -  A form of static analysis that works by tracing the data flows and paths that might be used when running the application. It can find weaknesses, but is subject to false positive results because the paths and data it finds may be improbable or impossible.
- Synonyms: data flow analysis
FRAND -  Fair, Reasonable, and Non-Discriminatory - a term used to describe certain patents that have been used in industry standards. It allows patent licenses on well-defined fair terms for all users to support implementation of standards, such as Wi-Fi.
- Synonyms: RAND
Git -  Git is a version control or source control system or SCM. It's well-suited for open-source type projects that are decentralized and rely on merging.
- Synonyms: Subversion
GPU -  A Graphics Processing Unit or GPU is a logic chip that performs computations related to graphics. It does the graphical work for the CPU in a traditional computer. This includes things like rendering shapes and putting output onto the screen.
- Synonyms: graphics processing unit
Heisenbug -  Slang for a bug that disappears when you try to fix or reproduce it.
HSPA -  HSPA is High Speed Packet Access and normally refers to 3G networks. Some companies such as AT&T have built what they call HSPA+ networks with speeds approximately double those of traditional HSPA networks.
- Synonyms: HSPA+
HTML5 -  HTML5 is the most recent version of the HTML standard. It is a language used to create web pages. Currently it is a draft standard, but it is supported by all major browsers. HTML4 is the current actual standard.
hypervisor -  A light-weight OS that primarily sits between virtual machines and the hardware. Its job is to manage the physical resources and share them between the virtual machines. Since it's not a full-blown OS, it takes fewer resources itself and provides better performance.
IAST -  IAST is interactive application security testing. It's also been known variously as hybrid security testing, gray-box, and glass-box. This technique blends the inside-out approach of SAST with the outside-in approach of DAST to give you deep code-level visibility of a running application while it's in a real running state. This helps reduce false positives but still has the thoroughness limitations of black-box techniques in that it's only as good as the test suite being run in terms of coverage.
- Synonyms: Interactive Application Security Testing
Internet of Things -  common devices that have been internet enabled in order to remotely monitor and manage them, or collaborate with other devices, or provide extra functionality by accessing the internet. Like an internet enabled thermostat that you can control with your smartphone - see the Nest from Google.
- Synonyms: IoT
Issue Tracking System -  Software that manages a list of problems or issues that an organization faces, such as bugs, tech support calls, etc.
- Synonyms: Problem Report System, PR, Bug Tracking, Bugzilla, Trouble Ticket
JSON -  JSON or JavaScript Object Notation is a language independent text format. The purpose is to be able to transfer data/information between applications without having to have the same OS, file format, etc. It's a lightweight data-interchange format that is completely language independent but with some conventions.
- Synonyms: javascript object notation
JVM -  JVM is the Java Virtual Machine. This is the program that interprets Java byte code and actually runs a Java program. Unlike traditional standalone applications such as those written in C/C++, you cannot simply execute a Java program; you must run it using a virtual machine to translate it to the local or native instructions.
- Synonyms: Java Virtual Machine
K&R C -  The original version of the C programming language was frequently known as K&R C for its inventors, Kernighan and Ritchie. Later it was codified by the ANSI committee, in a variant known by old-timers as ANSI C.
- Synonyms: real C
Lisp -  A family of programming languages designed to facilitate artificial intelligence. The name is short for "LISt Processing". The language was created in 1958.
LTE -  LTE or Long Term Evolution is one of the most common methods of supporting high-speed 4G wireless standards. It uses 3GPP technology and can work with both CDMA and GSM. In the USA Verizon and T-Mobile use it, while AT&T has used different 3G hybrid technologies but has planned LTE rollouts.
- Synonyms: Long Term Evolution
Man-in-the-middle -  Man-in-the-middle (MITM) attacks are where a person or piece of software sits in the middle of communication between two parties, for example between your computer and your bank. Web MITM attacks are often performed using self-signed root certificates, where someone like a hotel or computer manufacturer certifies the identity of both parties without actually having the authority. Often this is done for advertising purposes, to either monitor behavior or inject ads into a data stream. It also exposes any of the data that is supposedly securely encrypted, like your bank credentials.
- Synonyms: MITM
MISRA -  MISRA or Motor Industry Software Reliability Association is a set of programming guidelines for C and C++ software development. The goal of the guidelines is to help reduce risky code upfront by avoiding language constructs that are more prone to bugs. This will increase automotive reliability, safety and quality.
- Synonyms: Motor Industry Software Reliability Association
NIST -  National Institute of Standards and Technology
NPE -  Often referred to as a "patent troll". An NPE may be a perfectly legitimate inventor, with an idea that is useful and has been stolen by others rather than independently invented. Or it may in fact be a patent troll, simply filing obvious ideas and then suing others.
- Synonyms: non-practicing entity
NVD -  US National Vulnerability Database is a repository of known security issues in software, devices, systems, etc. Each issue can be linked to a CVE. Data is stored in a common format called SCAP to enable easy automation in order to update notification of needed patches and other remediation. See https://nvd.nist.gov/
Patent troll -  A company that enforces dubious patents (i.e., obvious things that shouldn't be patentable) against other companies, claiming the invention was "stolen". Some define this as an NPE or non-practicing entity, but the terms are not synonymous.
pattern-based analysis -  A form of static analysis where patterns of either good or bad code are stored as rules and compared against a code base without executing the code, to find potential violations.
- Synonyms: static code analysis
Phishing -  A security attack based on tricking you into putting important data like your login and password into a fake website. For example, a faked email from your bank, even using the proper bank logo you're expecting. They tell you there has been a breach and you need to log in immediately and change your password. Don't do it; go to the website directly and see if they have any message there. When in doubt, call the company.
salted hash -  A method of adding a random sequence of characters (the salt) to a password before hashing it, making the stored hashes much more difficult to crack, since identical passwords no longer produce identical hashes.
- Synonyms: salting
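The salting described above, as an added example that is not part of the original glossary: each password gets a fresh random salt, the salt is stored beside the hash, and verification recomputes the hash with the stored salt. PBKDF2-HMAC-SHA256 from Python's standard library is this example's choice of salted, deliberately slow hash; the entry itself does not name a specific function.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor and salt size are this example's choices, not values from the glossary.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable string 'iterations$salt_hex$hash_hex'.

    A fresh random salt is drawn per call unless one is supplied, so two
    users with the same password end up with different stored strings and
    a precomputed lookup table built for one salt is useless for another.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count.

    The comparison is constant-time so that timing differences do not leak
    how many leading bytes of the guess matched.
    """
    iterations, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def unsalted_sha256(password: str) -> str:
    """The weak form for contrast: no salt, so every user with the same
    password shares one hash and a single rainbow table cracks them all."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample credential for demonstration only.
    stored = hash_password("correct horse battery staple")
    print("stored:", stored)
    print("verify correct:", verify_password("correct horse battery staple", stored))
    print("verify wrong:  ", verify_password("Tr0ub4dor&3", stored))
    print("salted hashes differ:", hash_password("same") != hash_password("same"))
    print("unsalted hashes equal:", unsalted_sha256("same") == unsalted_sha256("same"))
```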
SAST -  SAST is security testing that is done on source, byte-code, or binaries but without actually executing them - thus the "static" testing. Typically this includes things like software metrics, static code analysis and even peer review. SAST provides a white-box or inside view to the application. It can both find possible vulnerabilities and weaknesses by looking for anti-patterns as well as enforcing secure software engineering standards by looking for proper patterns.
- Synonyms: Static Application Security Testing, application code scanning
SATE -  Static Analysis Tool Exposition is an effort by NIST to help people understand what static analysis tools are capable of, and what their limitations are.
SBOM -  SBOM stands for Software Bill of Materials. It is a manifest of all the code in a system, device, or application, including particular code and libraries from open source software, third parties, etc. It allows users to know what's actually in an application, and thereby do security updates, recalls, etc. in the same manner that is currently done for hardware in fields like medical and automotive. In the USA there is an effort to better define common standards and methods around SBOM being headed by the NTIA. See https://www.ntia.gov/sbom
SCA -  SCA or software composition analysis means that you analyze what "other" software is included in your application or system. For example, do you use a commercially available library or an open source library, or build OSS straight into your application? If so, then you should be scanning these from a security perspective for known vulnerabilities so you can patch and keep them up-to-date to avoid zero-day security issues.
- Synonyms: software composition analysis
SCAP -  SCAP stands for security content automation protocol. It's an open protocol used by NVD to enable easy automation of security vulnerability notification, research, tooling, etc. See https://csrc.nist.gov/projects/security-content-automation-protocol/
SCM -  Software configuration management aka SCM or Source Code Control System or Source Control aka Version Control. A system that keeps track of changes and revisions in software, as well as facilitating cooperative development.
- Synonyms: Software Configuration Management, Source Code Control System, Source Control, Version Control
security certificate -  A digital artifact used in cryptography for secure connections like SSL. The certificate is used to authenticate who a party is, letting you know that you're dealing with the person you think you are. Certificates are normally issued by authorities who take steps to ensure identity before issuing any certificate. There are also self-signed certificates that you can create for yourself, but they do not have the same level of trust. In essence you are saying "I am who I say I am." For more details see Wikipedia.
- Synonyms: digital certificate, identity certificate, ssl certificate
SoC -  System on a chip. Rather than traditional computing where a system consists of a CPU and separate memory, graphics processor, etc, the SoC is essentially a small computer on a single chip - ideal for mobile devices.
- Synonyms: system-on-a-chip
SRG -  SRG stands for Security Requirements Guide. It is a document created and maintained through DISA and provides guidance for cybersecurity both for specific software, hardware, and devices as well as general software not covered by a specific STIG or SRG. See https://public.cyber.mil/stigs/srg-stig-tools/
static analysis -  Any form of software analysis that can be done on the code without actually executing the code. Encompasses techniques like pattern-based analysis, metrics, code review, etc.
- Synonyms: static code analysis
STIG -  STIG is an acronym for Security Technical Implementation Guide and is a document created and maintained by DISA to help organizations install, configure, deploy, and monitor applications, systems, and devices in a safe and secure manner, especially on a DoD network. See https://public.cyber.mil/stigs/
SVN -  SVN, aka Subversion, is a source control system or SCM, designed to work similarly to CVS but with improvements to address limitations inherent in CVS.
- Synonyms: Subversion
virtual machine -  a system that enables you to encapsulate all the parts of a computer without reliance on hardware. It's a machine, but isn't installed directly on the hard drive at boot time. This allows you to run different operating systems, versions, etc., at the same time without rebooting.
- Synonyms: vm
vulnerability -  This is a tricky word, especially in application security or cybersecurity. The simple definition in a software context is that the code has some problem that could be exploited by someone at some point. Some think of it as a piece of code with a proven exploit, i.e., a static analysis violation with a stack trace and the values used. This is a very narrow definition that probably doesn't help improve the state of the art. I prefer the idea that it's code that is exploitable based on the body of knowledge (as encapsulated in software coding standards).
WebDAV -  Web-based Distributed Authoring and Versioning. It's a method of using the web (http) to share files and collaborate.
WiMax -  A long-range wireless technology for high-speed internet access. Originally it was classified as a 3G technology, but because of its improved performance it can also be classified as 4G, albeit slower than LTE. Supported by Sprint in the USA.
Zero-day -  A zero-day is a hack that has been newly published. The zero refers to the fact that it's published before a fix or patch is ready and available. Once there is a known patch then it just becomes a known vulnerability. Further though, if you don't keep your patches up-to-date then all vulnerabilities are zero-day problems for you.