[Image: abstract dark and bright glowing shades. © Elena Kichigina/Shutterstock]

Glossary of Key Terms

3rd Generation Partnership Project (3GPP) An umbrella term for a group of standards organizations that develop mobile telecommunication protocols.

4G Fourth generation of broadband cellular network technology.

5G In telecommunications, 5G is the fifth generation technology standard for broadband cellular networks.

6LoWPAN IPv6 over Low-Power Wireless Personal Area Networks.

Access privilege policy A policy for controlling who can physically gain access to a secured space; that control begins before the secured space itself is reached.

Advanced Encryption Standard (AES) A block cipher encryption standard. AES supports keys from 128 bits to 256 bits in length.

Adware Advertising-supported software that automatically generates online advertisements.

Agile software development A software development methodology; a set of principles based on a philosophy that creates a software development process that is iterative, collaborative, and productive.

Americans with Disabilities Act Standards for Accessible Design A U.S. federal law that includes the regulations for accessibility of computer hardware and software, websites, phone systems, fax machines, copiers, and similar technologies.

Annualized Loss Expectancy (ALE) The product of the annual rate of occurrence and the single loss expectancy.

Annualized Rate of Occurrence (ARO) The probability that a risk will occur in a particular year.

Anti-Money Laundering (AML) The laws, regulations, and procedures against efforts to disguise illicit funds as legitimate income.

Application hardening Securing software against reverse engineering and tampering.

Application Programming Interface (API) Provides application developers with the capability to include common or routine tasks in an app to avoid repetitive programming.

Application security The use of a secure software development process.

Archie A very early internet search engine that indexed the contents of FTP archives.

ARPANET Advanced Research Projects Agency Network; the first wide-area packet-switched network to implement the TCP/IP protocol suite.

Asset A resource owned or controlled by a business used to produce revenue.

Attack surface All of the points at which an attacker can try to enter a system or extract data from it.

Attack vector A specific path or method that can be exploited to break into an IT system.

Authentication A process that determines whether the person requesting access has proven to be who they claim to be.

Automatic directory listing A feature of Apache web server that generates directory indexes automatically.

Backdoor attacks An attempt to infiltrate a system by taking advantage of its weak points.

Back-end The part of a website or software program that users do not see.

Black hat hacker The ultimate in malicious attackers who exploit weaknesses in applications and security to steal, damage, or destroy data or take control of the system.

Blacklist An access control method that denies access to the elements (email addresses, URLs, IP addresses, domain names, etc.) included on the list.

Broken link An internet or web URL or IP address that can no longer be reached.

Brute force attack Attempts to crack a cryptographic key or password simply by guessing.

Buffer A data area shared by hardware or software to reconcile operations that run at different speeds or priorities.

Buffer overflow Occurs in an application when more information is stored in the buffer than the space reserved for it can hold.

Business-to-Business (B2B) One business sells products or services to another business.

Business-to-consumer (B2C) A business, store, shop, or vendor sells a product or service to a consumer.

California Privacy Rights Act (CPRA) A law that gives people the right to opt out of the sale and sharing of their personal information to third parties.

Call-to-action The next step an advertisement or webpage wants its audience to take.

CAMS Culture, Automation, Measurement, and Sharing; a model for DevOps development.

CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) Mechanisms used to protect against automated attacks.

Change management In IT, the practices that guide prioritizing, approval, scheduling, and execution of changes to IT systems.

CIA Triad Confidentiality, integrity, and availability are the keystones of any security program.

Client In a client/server network, the node requesting information from a server.

Client privacy agreement A website statement that states what the site publisher may do with client data.

Client/server An architecture in which the application is divided into client-side support and server-side processing.

Client-side validation Client-side programming provides a uniform interface and interaction to users.

Cloud computing Shifts local processing to remote service providers over the internet.

Cloud security The technologies, policies, controls, and services that protect cloud data.

Cloud Security Posture Management (CSPM) A process for the identification and remediation of risks across cloud infrastructures.

Cloud service provider (CSP) A company offering some component of cloud computing.

Cloud Workload Protection Platform (CWPP) A cloud security approach with continuous threat monitoring and detection for operations in the public cloud.

Common Gateway Interface (CGI) An interface specification that enables web servers to execute external programs to process user requests.

Community Emergency Response Team (CERT) A national initiative that provides people with preparation for hazards that may affect a community.

Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) A challenge-response system intended to tell humans from robotic computer programs.

Compliance The act of conformance with rules and policies that prohibit or regulate specific products, services, or processes.

Compound SQLi Statements that are used to change the logic of SQL statements when embedded in other SQL statements.

Computer Fraud and Abuse Act (CFAA) A 1986 law that criminalizes the act of intentionally accessing a computer without authorization.

Consumer-to-business (C2B) An e-commerce model in which the roles of the business and the consumer are reversed.

Consumer-to-Consumer (C2C) A consumer uses this type of e-commerce page to find goods and services to buy, sell, or barter with another consumer.

Content adaptation Taking existing content in one form and making it compatible with a new use.

Content spoofing An attack, similar to XSS, that uses techniques to modify a webpage for malicious reasons.

Content-delivery network (CDN) A completely rendered SSG website stored on a server ready to display.

Continuous integration/continuous deployment (CI/CD) pipeline The required steps for delivering new versions of software.

Convergence The merging of various types of devices and technologies into a common or single form.

Cookie management policy A website statement that describes how cookies are used by the site owner.

Counter Terrorist Financing (CTF) A set of laws that seeks to stop the flow of illegal cash to terrorist organizations.

Cracker A person who breaks into computer systems by breaching computer security.

Credential stuffing A cyberattack in which an attacker uses a list of compromised user credentials to breach a system.

Cross-site request forgery (CSRF) An attack that forces authenticated users to submit a request to a web application against which they are currently authenticated.

Cross-site scripting (XSS) attack Takes advantage of two common features of websites: JavaScript and data input fields/forms.

Cryptanalytic software Software used to break encryption.

Cryptographic key A string of characters used in an encryption algorithm to encrypt plaintext data.

Cryptography The study of secure communication methods that limit access to a message to only the sender and intended recipient.

Crystal A lightweight agile development framework that focuses on individuals and their interactions.

Cybercriminals Individuals or teams who use technology to commit malicious activities on digital systems or networks intending to steal information or personal data.

Cyberstalking A form of harassment that can cause distress for the person being harassed.

Cyberterrorist A hacker who is typically more extreme than a hacktivist.

Data A collection of numbers, words, measurements, observations, or descriptions of things.

Data-at-rest Data stored on a secondary storage device.

Data Encryption Standard (DES) This encryption method provides the best performance but at a cost: the encryption security is lower.

Data-in-transit Data transmitted over a network.

Data Protection Officer (DPO) A corporate position that is responsible for the proper care and use of customers’ information.

Data tampering Deliberately modifying data through unauthorized means.

Database administrator The person responsible for the maintenance and protection of data and information in a database.

Database designer The person responsible for the design, development, execution, and preservation of data in a database.

Datum A single piece of data.

DECT (Digital Enhanced Cordless Telecommunications) A standard for cordless phones and communication devices.

Deep web The four-layer concept of the information and documents stored on the web.

Defense-in-depth (DiD) A security approach that uses a combination of advanced security tools in layers to protect an organization’s endpoints, data, applications, and networks.

Defensive programming A form of application and system design and development that is intended to withstand unforeseen circumstances to continue functioning.

Demilitarized zone (DMZ) A network security topology element with servers, such as web servers and DMZ servers, accessible to external and internal traffic.

Denial of service (DoS) attack An attack focused on denying access to a router or server, thus making a network unavailable.

Dependencies A software development term for when software must rely on other software to function properly.

Detection Discovering the existence or state of a condition, result, or fact in a computing environment.

Development team A group who works to develop a solution to a common issue.

DevOps Combines an organization’s software development and IT operations resources into one team that works in parallel and collaboratively throughout the development and deployment of a software solution.

Dictionary attack A cyberattack that uses a list of passwords to defeat a cipher or authentication mechanism (see Dictionary brute force attack).

Dictionary brute force attack A hacking technique that uses every possible combination of characters to discover an unknown password or encryption key.

Digital certificate A certification that a public key issued by the owner named on the certificate is, in fact, owned by that person or organization.

Distributed DoS attack An attack involving a large number of botnet computers that saturate the bandwidth, router, network buffers, and essentially all connectivity for the targeted network’s users.

Domain Name System (DNS) A TCP/IP standard that resolves domain names into their associated IP address.

Dynamic application scanner tools (DAST) A scanner that searches for vulnerabilities in a running application and sends automated alerts if it finds possible security vulnerabilities.

Dynamic Systems Development Method (DSDM) This system development method focuses on the goals of a project and the impact of its outcomes on the business and its operations.

E-commerce Electronic commerce; a digital business model where site visitors can buy or sell products online.

Electronic Communications Privacy Act of 1986 (ECPA) A law that protects wire, oral, and electronic communications while they occur, are in transit, or are stored on computers.

Elevation of privilege An attacker gains unauthorized higher-level permissions above those initially granted.

Encapsulation The process of enclosing data into a single entity.

Endpoint device A networked device that is the receiving end of a communication.

Enumeration Identifying and listing components of a website platform to be tested.

Escalated privilege An attacker is able to access resources at a security level above the limitations of a user account (see Elevation of privilege).

Evil twin An unofficial Wi-Fi access point set up by an attacker designed to have users connect to it instead of an official one.

Exploitation An attack that takes advantage of a vulnerability.

Exposure factor (EF) A subjective or predicted percentage for loss to a specific asset should a specific threat be carried out.

Extensible Markup Language (XML) A simple text encoding format derived from SGML (ISO 8879).

External security A security issue beyond a person or organization’s control.

Extreme programming (XP) The Agile-based methodology commonly used in smaller organizations with all of their resources in a single location.

Feature-driven development (FDD) This method focuses on the end-user and the prioritization of User Stories to prioritize the users’ most required features first.

File corruptor Software or malware that makes a file, folder, or file system no longer readable or usable.

File Transfer Protocol (FTP) A TCP/IP protocol used to download, upload, or transfer files between computer systems.

Fingerprinting Identifying the components making up a website that are to be tested in a test plan.

Fingerprinting attack Used to accumulate information about a targeted system.

Firewall A device or software that permits or denies incoming traffic into a network using defined rules.

Fixed wireless service A rural internet option for connecting a location to the internet with radio waves.

Format string attack A form of cyberattack in which the submitted data of an input string is evaluated as a command by the application.

Front-end The part of a website with which the user has direct interactions.

General Data Protection Regulation (GDPR) Establishes the rules and guidelines that govern the collection and use of PII for citizens of the European Union (EU).

General sales taxes (GST) A tax on consumer spending that is collected in stages at points of importation and on business transactions when goods change hands or services are performed.

Gigahertz A unit for measuring AC or electromagnetic wave frequencies in billions of cycles per second.

Gopher An early internet protocol for distributing, searching, and retrieving documents.

Government sponsored A description for activities supported or paid for by a government.

Grey hat hacker A hacker who may violate ethical standards but, typically, for the common good.

Groupware Software allowing multiple dispersed users to work together on a project in real time.

Hacker A skilled IT person who uses technical knowledge to attack a computer system by nonstandard means.

Hacktivists Hackers who are promoting or exerting a cause.

Harassment The act of continued and regular unwanted actions against a victim.

Hardening The process of reviewing system settings and configuration and disabling nonessential functions and features and strengthening essential ones.

Harm In the context of cybersecurity, the damaging consequences that result from a cyberattack.

Health Insurance Portability and Accountability Act (HIPAA) U.S. federal law that protects patient health information from disclosure without the patient’s consent.

Honey trap A cybersecurity mechanism that uses a manufactured attack target to lure cybercriminals away from legitimate targets.

Host-based security A framework that implements security solutions on network hosts.

Hybrid application A software application that combines native applications with web applications.

Hybrid brute force attack An attack method that uses trial and error to crack passwords, login credentials, and encryption keys.

Hypertext Encoded text that links to other information.

Hypertext Markup Language (HTML) The basic markup language for webpages that allows users to follow hypertext links to be redirected to a new page.

Hypertext Transfer Protocol (HTTP) An application layer protocol used by a web browser to communicate with a web server.

Hypertext Transfer Protocol Secure (HTTPS) A secure version of the HTTP protocol that uses SSL/TLS to secure a transmission.

Identification The process used to uniquely ascertain the identity of a user or application running on a system.

Identity theft The result when a criminal uses another person’s PII to assume their identity or to commit fraud for financial gain.

IEEE 802.11 The standard for wireless Ethernet networks.

Impersonation A form of attack in which a cybercriminal impersonates a trusted company or individual to deceive people.

In-band SQLi A simple form of an SQL injection attack in which the attacker modifies a query and receives the results.

Incident response An organization’s systematic reaction to an information security attack or attempt.

Indexing A form of attack that can occur when a website shows directory listings for a site that could contain confidential data; also known as directory indexing.

Inference SQLi A type of SQLi attack that includes a conditional construct.

Information Data that have been selected, filtered, and organized to form the answer to a query.

Information disclosure Information shared about a website that an attacker can use to gain valuable information about a system.

Information leakage Occurs when an application or website reveals sensitive data that an attacker could use to exploit the application, the website, or its users.

InfoSec An abbreviation for “information security.”

Infrastructure as a Service (IaaS) A cloud service delivery method for an infrastructure that includes servers, storage, and networking, along with virtualization and other specialized components.

Infrastructure security The protection of information about the critical systems and assets of an organization against physical and cyber threats.

Injection attack An attack class in which an attacker injects code into a website or query or malware into a computer to steal, modify, or destroy data.

Input validation A screening process applied to data received from an external party.

Insider An authorized user of a system.

Instant messaging (IM) The near real-time exchange of messages through standalone or embedded software.

Integer overflow An arithmetic error caused when the result of an integer operation does not fit in an allocated space.

Integrity The condition in which data are kept accurate and consistent until authorized changes are made.

Internal link A hypertext link that allows navigation within a website.

Internal security A program of security measures that protect against threats from within an organization.

Internet Key Exchange (IKE) A protocol for secure and authenticated communication over a VPN circuit.

Internet Message Access Protocol (IMAP) An email protocol that stores email on a mail server and provides access to users as if the messages were on their device.

Internet of Things (IoT) A collection of interconnected devices that communicate without human involvement.

Internet Protocol (IP) This TCP/IP protocol defines the structure, assignment, and interpretation of network addressing, which is key to delivering messages to the intended destination.

Internet Protocol Security (IPSec) A suite of protocols and algorithms that secures transmitted data on the internet or public networks.

Internetwork The full name of the internet and the description of any network of networks.

Intrusion detection system (IDS) A system that monitors incoming network traffic for suspicious or unknown activity.

IPO model Input, process, and output model; the basic functional model for all systems.

IT manager The person typically responsible for coordinating, planning, and leading computer-related activities in an organization.

JavaScript A scripting language used to implement features on webpages.

Joint Application Development (JAD) A software development method used to design and develop computer-based systems.

Kanban A Lean workflow management method for defining, managing, and improving services that deliver knowledge work.

Keylogger Software that records the keystrokes of a user into a log file.

Know Your Business (KYB) A review of business practices aimed at preventing money laundering or terrorist financing activities.

Know Your Customer (KYC) Standards and requirements used by financial services companies to verify the identity of their customers.

Latency The time required for data to pass from one point on a network to another.

Lawful basis Under GDPR regulations, a company must have a legal basis for processing a customer’s data.

Layered security This approach to security uses multiple components to protect operations on multiple levels.

Lean software development (LSD) An Agile framework for streamlining and optimizing the software development process.

Li-Fi (Light Fidelity) A visible light communication system that transmits data at high speeds over visible light.

Lightweight Directory Access Protocol (LDAP) A protocol that provides a mechanism to access and query directory services systems.

Logical security Software protections for an organization’s systems.

Luring attacks A type of elevation-of-privilege attack in which an attacker entices a higher privileged element into taking an action on the attacker’s behalf.

MAC address filtering A process used to deny or allow specific MAC addresses to gain access or stay connected to a local network.

Malicious code Programming code or malware intended to exploit common vulnerabilities.

Malware A range of software that spans from nuisances and hoaxes to stealth capture to data destruction to system-seizing ransomware.

Man-in-the-middle (MitM) attack A network eavesdropping attack in which the attacker places a rogue device between a central device and a transmitting station.

Millimeter wave (mmWave) The band of the RF spectrum with wavelengths between 10 millimeters (30 GHz) and 1 millimeter (300 GHz).

Mitigation Minimizing or preventing the potential for any loss or harm.

Multi-factor authentication (MFA) An authentication method that requires the user to provide two or more verification factors to gain access to a resource.

Multimedia Messaging Service (MMS) An extension of SMS, which allows only text messages; MMS additionally allows audio, images, or video to be attached.

Multimedia Messaging Service Encapsulation Protocol Allows users to send and receive self-contained multimedia messages.

Multiple points of presence (MPOP) The internetworking concept that a user can be present at different communications methods at the same time.

National Vulnerability Database (NVD) Identifies current vulnerabilities of networks and servers in its Common Vulnerability Scoring System (CVSS).

Native application An executable program developed for and running on the operating system and hardware it runs on.

Natural vulnerability A vulnerability created by the weather, geological events, or other unexpected catastrophes.

Network administrator The IT professional who manages an organization’s computer networks.

Next Generation Mobile Networks (NGMN) A group of researchers, engineers, manufacturers, service providers, and government agencies that is developing enhancements to 5G and the generations to come.

NSFNet An early network that resulted from research into advancing networking technology.

Open Web Application Security Project (OWASP) A nonprofit foundation with the mission to improve software security by developing or sponsoring open-source software and training and education.

Organizationally Unique Identifier (OUI) A 24-bit globally unique assigned number that identifies the manufacturer in a MAC address.

Outbound link A link on a website that redirects users to webpages on other websites.

Out-of-band SQLi A form of SQL injection in which the attacker is unable to use the same channel to launch the attack and gather its results.

Output handling The methods used for the protection of outputs from a computer system or website. Improper methods can allow an attacker to modify the data sent to the client.

Over-the-Top (OTT) Content delivery on the internet that bypasses traditional channels.

Packet switching A method of formatting data into packets that are transmitted over a digital network.

Path traversal attack In this attack, attackers are able to access restricted directories and execute commands outside of the web server’s root directory.

Payment Card Industry Data Security Standard (PCI DSS) Maintains and updates the standards for credit card payment transaction processing.

Payment Services Directive (PSD2) A directive that regulates payment services and payment service providers in the EU.

Penetration testing (pen testing) Tests software in a live production environment where professional hackers attempt to access and crash the software.

Perimeter security The security measures at a network edge to protect the internal network from external attack.

Persistent cookies Small files stored on a user’s device that keep information, settings, preferences, or sign-on credentials that a user has previously saved.

Personally Identifiable Information (PII) Data and information that can be used to identify an individual.

Phishing attack A form of social engineering attack in which the threat actor poses as a trusted person to trick users into sharing sensitive information or sending money.

Physical security The program designed to protect the physical property of an area and the authorized persons who enter and exit it, and to limit access to authorized persons only.

Ping flood A simple DoS attack form in which an attacker overwhelms a victim with ICMP Echo Request (ping) messages.

Ping sweep A network scanning method that identifies the range of active and inactive IP addresses on a network.

Platform as a Service (PaaS) A specialized configuration of hardware and software used for testing, prototyping, and other activities.

Polymorphic virus A complex file infector that is able to create different versions of itself to avoid detection, but still keep its basic function.

Potentially unwanted program (PUP) Programs commonly bundled in a software installation package from a download site.

Presence and availability Presence indicates the current availability and status of a system.

Pretexting A social engineering attack in which an attacker creates a situation to lure in a victim and trick the victim into providing PII.

Principle of least privilege Principle that restricts users to only those account privileges required to fulfill the requirements of their assigned duties.

Privacy policy A legal statement disclosing the ways information is gathered, used, and disclosed, and how customer data are managed.

Process validation The collection and evaluation of data from the design stage through production.

Programmer A person who prepares and tests programs for computing devices.

Protocol A set of rules for formatting and processing data.

Qualitative analysis Collecting and analyzing nonnumerical data.

Qualitative assessment matrix (QAM) Provides an analysis of the relationships between the probability of an event and its impact on the organization.

Quantitative analysis A technique that uses mathematical and statistical modeling.

Radio frequency identification (RFID) Devices that use electromagnetic fields to automatically identify and track RF tags attached to objects.

Ransomware An encryption attack that encrypts specific important documents or data or the entire hard disk drive.

Rapid application development (RAD) Uses prototypes of software solutions and interfacing with stakeholders and end users for feedback to build toward the desired solution.

Real-time communication A telecommunications mode in which users exchange information instantly, with negligible latency or transmission delays.

Real-time Transport Control Protocol (RTCP) A protocol that works with RTP to monitor data delivery on large multicast networks.

Real-time Transport Protocol (RTP) A protocol that enables real-time connectivity for exchanging data.

Records of consent Proof that a user has given direct consent to the use or distribution of PII.

Red Flags Rule Requires businesses that accept payments to implement a written identity theft prevention program designed to detect the red flags of identity theft in their day-to-day operations, take steps to prevent the crime, and mitigate its damage.

Repudiation The ability to deny or refuse to accept responsibility for an act or its consequences.

Request for Comments (RFC) A formal document drafted by the IETF that describes the specifications for a particular proposed technology.

Reverse brute force attack A brute force attack in which an attacker uses a common password against multiple usernames in an attempt to gain access to a network.

Revision-level tracking The management of changes to a document, program, or other information stored as a computer file.

Risk The possibility of suffering harm or loss.

Risk management The process of identifying, assessing, and controlling financial, legal, strategic, and security risks to an organization’s capital and earnings.

Risk matrix A risk assessment matrix used to define risk by category and severity.

Rivest Cipher (RC) The RC algorithms are a set of symmetric-key encryption algorithms invented by Ron Rivest.

Rootkit A type of malware that enables an attacker to gain access to and infiltrate data on computers without being detected.

Routing detour attack An attack where XML content processors are injected to route sensitive information to an attacker-controlled outside location.

Sandbox A testing environment that isolates untested code and experimentation from the production environment.

Sanitization The inspection of user input for potentially harmful code and modifying the code according to predetermined guidelines.

Script kiddie An unskilled individual who uses scripts or programs typically developed by others to attack computer systems.

Scrum An Agile framework that prescribes roles, events, artifacts, and guidelines to implement its mindset.

Search engine optimization (SEO) A process used to increase the chances of a website being included on the first page of search results.

Secure cookie A type of HTTP cookie whose transmission is limited to secure channels.

Secure Sockets Layer (SSL) An encryption-based internet security protocol.

Secure software development life cycle (SSDLC) A systematic, multi-step process that streamlines software development from its definition to its release.

Security association (SA) A logical connection between two devices for transferring data.

Security policy A formal document that defines the plans of a company to protect its physical and IT assets.

Server A computer/system that responds to requests from other computers to provide resources, data, services, or programs to other computers over a network.

Server-side include (SSI) injection An attack that exploits a web application by injecting scripts into HTML pages.

Server-side rendering (SSR) A performance-enhancing technique that generates a web server’s initial state as raw HTML and CSS before forwarding it to a browser.

Server-side Request Forgery (SSRF) A web security vulnerability through which an attacker can make a server-side application send requests to unintended locations.

Service-level agreement (SLA) A contract between a service provider and a consumer that defines the services, standards, and warranties offered.

Session cookie Cookies that remember users as they move within a website.

Session ID Data used by websites to identify sets of related message exchanges.

Session ID protection Using antivirus software or specialty software to prevent session ID hijacking.

Session Initiation Protocol (SIP) A signaling protocol that is used for creating and managing communication sessions.

Session management A communication process that manages sessions between a web application and users.

Session replay Technology used to watch a replay of a user’s session on a website.

Short Message Service (SMS) Provides users with the ability to send and receive short text messages, often via smartphones or tablets.

Simple brute force attack A trial-and-error way to guess the username, password, and possibly encryption keys.

Simple Mail Transfer Protocol (SMTP) An internet standard protocol for electronic mail transmission.

Single Loss Expectancy (SLE) The predicted value of loss or harm caused by the occurrence of a risk on an asset.

Single page application (SPA) A webpage or application that loads only a single web document.

SIP user agent (UA) A network end point that sends or receives SIP messages to manage a SIP session.

SIP user agent client (UAC) A P2P communication gateway that generates network service requests.

SIP user agent server (UAS) A P2P communications point that receives incoming requests and determines responses.

Social engineering Using socialization as a means to manipulate someone into sharing PII and other confidential information.

Social networking Using social media websites and apps to interact socially with family, friends, and people with shared interests.

Software as a Service (SaaS) Applications subscribers can access on cloud servers via the internet through the subscriber’s web browser.

Software configuration management (SCM) A process that aims to provide better handling, organizing, and controlling of requirements and other changes in an SDLC project.

Software development life cycle (SDLC) The methodology and process of planning, creating, testing, and deploying information systems across hardware and software.

Software development methodologies The frameworks used to plan, structure, and control the development of an information system.

Software-defined networking (SDN) Used to manage the increase in bandwidth usage due to video, audio, voice over Internet Protocol (VoIP), graphic images, and more through software.

SOHO Small Office/Home Office.

Something you are In MFA, a fingerprint, face, voice, or other personal biometric piece of information.

Something you have In MFA, a smartphone with an authentication app, a badge, or key card.

Something you know In MFA, a username, account code, password, or PIN code.

Spoofing A behavior in which an attacker masquerades as another person or trusted entity to cause a user to perform in a way beneficial to the attacker.

Spyware Malware that gathers information about a user and provides it to an attacker.

SQL injection (SQLi) Inserting SQL code statements into a webpage.

SQL injection attack An attack in which an attacker inserts SQL queries into a webpage to provide data regarding the actions of the webpage and user.

SSID (Service set identifier) The user-assigned identity code for a wireless network access point.

Stakeholder Anyone with a vested interest in the process or outcomes of an application development.

State sponsored See Government sponsored.

Static application scanning tools (SAST) A security testing methodology that analyzes application source code to identify any security vulnerabilities.

Static site generation (SSG) Specialized applications used to generate simple, multipage websites and web layouts.

Steganography The act of concealing a digital object within another digital object.

Store-and-forward communications A communications technique, commonly used by network switches, which receives an entire message before starting its forwarding processes.

STRIDE threat model Combines the CIA Triad with the first two elements of the AAA model (authentication and authorization) and repudiation to help identify the threats to a computing system.

Strong Customer Authentication (SCA) An EU regulation for reducing fraud and making online and contactless offline payments more secure.

Structured Query Language (SQL) This full term is no longer used in favor of just SQL.

Supercookie A file that contains information about a request made by a user.

System Development Life Cycle (SDLC) The development of an application passes through six phases from its initiation to its deployment.

Tampering To interfere in a harmful or disruptive manner.

Telnet A command-line protocol that provides an interpreter to communicate with another device.

Terms and conditions A set of instructions and definitions that apply to all parties of a contract.

Text messaging Composing and sending electronic messages from one device to another.

Third-party application A web app that is provided by an entity other than a user or a major software company.

Third-party cookie A cookie generated by a site advertiser to track user behavior.

Threat The possible action that could be taken against a vulnerability.

Threat action The description of the actions taken by the threat actor to cause or contribute to an incident.

Threat actor An attacker who carries out a threat.

Threat consequence The loss or harm that could occur should a threat be carried out.

Three Domain Secure 2.0 (3DS2) A credit card security protocol that adds a layer of authentication to an online card-not-present checkout process.

Top level domain (TLD) One of the domains at the highest level in the DNS hierarchy.

Transmission Control Protocol (TCP) A standard protocol that defines the establishment and maintenance of a network connection/session.

Transmission Control Protocol/Internet Protocol (TCP/IP) A suite of communication protocols that enable application programs and computing devices to exchange messages over a network.

Transport Layer Security (TLS) A security protocol that facilitates privacy and data security for communications over the internet.

Triple Data Encryption Standard (3DES) Stronger encryption than DES; it also uses 56-bit encryption keys but, as the name implies, it uses three of them.

Trojan horse A type of malware that appears to be a desirable file or object that contains a malicious program to compromise the security of a user’s device.

Tunneling Encryption applied to a message for transmitting data from one end point device to another.

Turing test A test to determine if a computer can think like a human being.

Ultra-low emission (ULE) Low-power chipset products with more than 600 meters of wireless range outdoors.

Uniform Resource Identifier (URI) A sequence of alphanumeric characters that identifies a logical or physical resource located on the web.

US-CERT See U.S. Computer Emergency Readiness Team.

U.S. Computer Emergency Readiness Team An interagency department of the U.S. government that protects the U.S. internet infrastructure by coordinating defense against cyberattacks.

User experience (UX) The feelings or emotions of a user when using a product, application, system, or service.

User stories In system development, a few plain-language sentences that describe a desired outcome.

Value-added taxes (VAT) A tax on goods and services levied at each stage of production or processing where value is added.

Veronica A deprecated search engine based on the Gopher protocol.

Virtual private network (VPN) A communication technology that extends a private network over a public network.

Virtualization The process of creating virtual devices using software.

Vital interests In the GDPR, the subjects whose data were being collected and other data subjects.

Vulnerability A flaw or security weakness that could be exploited.

Vulnerability management The process of continuously identifying, categorizing, and remediating system security vulnerabilities.

War driving Searching for unsecured Wi-Fi networks using a laptop or smartphone from a moving vehicle.

WASC (Web Application Security Consortium) An international group of experts that produces open source and security standards for the web.

Waterfall model See System Development Life Cycle.

Web 1.0 The initial stage of the web characterized by static websites.

Web 2.0 The second stage of the web characterized by dynamic pages with user-generated content.

Web 3.0 The third stage of the web characterized by decentralization, blockchain technologies, and token-based economics.

Web 4.0 The fourth stage of the web characterized as an open, linked, and intelligent web.

Web application (web app) A program that is a part of a website but processed on the server-side.

Web Application Security Consortium See WASC.

Web developer A person who creates websites.

Web hosting Online services that store a website’s content and make it accessible on the internet.

Web service An interface that masks a website’s implementation details to make it independent of hardware or software platforms.

Web Services Description Language (WSDL) An XML file that details what a web service does.

Web-based A description of software that facilitates user interactions with a remote server using a browser interface.

Web-based Real-Time Communications (WebRTC) An open-source project that provides web browsers with RTC capabilities.

Web-enabled A term that refers to an application capable of connecting to the web or running an application from the web.

Webmaster The person who designs, develops, markets, or maintains a website.

Website designer A person who creates the visual elements of a website.

WEP (Wired Equivalent Privacy) An obsolete wireless networking security protocol.

White hat hacker A contracted hacker who looks for vulnerabilities and reports any to the company or organization that engaged her or him.

Whitelist A security practice that lists permissible actions, sites, protocols, etc., for a system.

Whois A website service used to identify information about any domain name or website.

Wi-Fi Protected Access (WPA) A wireless security protocol developed to replace WEP.

WiMAX An IP-based wireless broadband technology.

World Wide Web An information system that enables documents and other resources to be accessed and shared over the internet.

WPA See Wi-Fi Protected Access (WPA).

WPA2 Increased data protection and network access control for Wi-Fi networks over WPA.

WPA3 Improved security for personal Wi-Fi networks.

XHTML-MP (Extensible HyperText Markup Language Mobile Profile) The most recent web protocol for mobile services.

XML Path (XPath) language A language whose path expressions are used to select nodes or node-sets in an XML document.

XPath injection attack An attack in which an attacker sends malformed data to a website so that the site constructs an XPath query over user-related XML data.

Zero-day vulnerabilities Weaknesses in software that have been discovered by hackers but are unknown to the developer.

Z-Wave A wireless protocol commonly used in residential and commercial building automation and communication.
