Security Glossary

43 authoritative definitions covering penetration testing, application security, and AI-driven vulnerability testing, written for developers and security teams.

API Security
A set of practices and controls designed to protect application programming interfaces (APIs) from unauthorized access, misuse, and attacks.

Attack Surface
The sum of all potential entry points where an unauthorized user could attempt to enter, extract data from, or disrupt a system, including exposed network ports, APIs, web interfaces, authentication endpoints, third-party integrations, and human-facing channels such as email.

Authentication
The process of verifying the identity of a user, device, or system before granting access to a resource.

Authorization
The process of determining what actions and resources a verified identity is permitted to access or modify.

Blue Team
The defensive security team responsible for protecting an organization's assets, detecting attacks in progress, and responding to security incidents.

Broken Authentication
A class of vulnerabilities that allows attackers to compromise passwords, keys, or session tokens, or to exploit implementation flaws in login and session handling to assume other users' identities.

Bug Bounty
A crowdsourced security program that offers financial rewards to independent security researchers who responsibly disclose vulnerabilities in a product or service.

CI/CD Security (Continuous Integration / Continuous Deployment Security)
The practice of integrating automated security testing and policy enforcement directly into software build and deployment pipelines.

CVE (Common Vulnerabilities and Exposures)
A public catalog of disclosed security vulnerabilities, each assigned a unique identifier in the format CVE-YEAR-NUMBER (e.g., CVE-2021-44228 for Log4Shell).

CSRF (Cross-Site Request Forgery)
An attack that tricks an authenticated user's browser into submitting an unauthorized, state-changing request to a web application where the user is currently logged in, relying on the browser attaching the session cookie automatically.
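
The usual defence is a token the attacker's page cannot read. The following added example (not code from the original glossary) binds an HMAC-based anti-CSRF token to the session and shows why a cross-site form fails the check: the browser still attaches the cookie, but the form body has no valid token. The request model (a dict with `cookies` and `form`), the route name `handle_transfer` and the server secret are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-deployment secret held only by the server (constructed here).
SERVER_KEY = b"constructed-server-secret"


def issue_csrf_token(session_id: str) -> str:
    """Token bound to one session: a random nonce plus an HMAC over
    (session_id, nonce). The server embeds it in the HTML form; it is never
    placed in a cookie, so a cross-site page cannot obtain it."""
    nonce = secrets.token_hex(16)
    tag = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{tag}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the tag for this session and compare in constant time. A token
    the attacker minted for their own session fails because the session differs."""
    nonce, sep, tag = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def handle_transfer(request: dict) -> int:
    """Constructed request model: 'cookies' is what the browser attaches to any
    request to this site, including one a malicious page triggers; 'form' is the
    POST body the page itself supplied. Returns an HTTP status code."""
    session_id = request.get("cookies", {}).get("session")
    if not session_id:
        return 401  # not logged in
    if not verify_csrf_token(session_id, request.get("form", {}).get("csrf_token", "")):
        return 403  # cookie present but no valid token: a forged cross-site request
    return 200  # perform the transfer


if __name__ == "__main__":
    sid = "sess-abc"
    token = issue_csrf_token(sid)
    print(handle_transfer({"cookies": {"session": sid}, "form": {"csrf_token": token}}))  # 200
    print(handle_transfer({"cookies": {"session": sid}, "form": {}}))                      # 403
```

Setting the session cookie with `SameSite=Lax` or `Strict` is a second, independent layer; the token check should stay in place regardless.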

XSS (Cross-Site Scripting)
A vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users; the script runs in the victim's browser with the page's origin and session.

CVSS Score (Common Vulnerability Scoring System)
A standardized numerical score from 0.0 to 10.0 that rates the severity of a security vulnerability from its exploitability metrics (attack vector, complexity, privileges, user interaction) and its impact metrics (confidentiality, integrity, availability, scope).

Defense in Depth
A security strategy that layers multiple independent controls so that the failure of any single control does not result in a complete breach.

DevSecOps
A cultural and technical philosophy that integrates security practices throughout every phase of the software development lifecycle, rather than treating security as a separate, end-stage review.

DAST (Dynamic Application Security Testing)
A black-box security testing technique that analyzes a running application from the outside by sending malicious inputs and observing its responses, without access to source code.

Ethical Hacking
The authorized practice of using offensive attack techniques against a system to identify security weaknesses before malicious actors can exploit them.

Exploit
A piece of software, command sequence, or technique that leverages a known vulnerability to cause unintended or unauthorized behavior in a target system.

Firewall
A network security control that monitors and filters traffic between networks based on predefined security rules.

IDOR (Insecure Direct Object Reference)
A vulnerability that occurs when an application exposes an internal implementation object, such as a database record ID, filename, or account number, and acts on the client-supplied reference without verifying that the requesting user is authorized to access that particular object.
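
The following added example (not code from the original glossary) shows the bug and the fix side by side on a constructed invoice store: the vulnerable handler trusts the ID from the URL, the safe handler puts an ownership check in front of the same lookup. The data and function names are illustrative.

```python
# Constructed sample store: two users, each owning one invoice.
INVOICES = {
    1001: {"owner": "alice", "amount": 120.00},
    1002: {"owner": "bob", "amount": 75.50},
}


class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""


def get_invoice_vulnerable(current_user: str, invoice_id: int) -> dict:
    """Looks the record up by the client-supplied ID and nothing else. Any
    logged-in user who changes the number in the URL reads someone else's
    invoice; current_user is accepted but never consulted."""
    return INVOICES[invoice_id]


def can_read_invoice(current_user: str, invoice_id: int) -> bool:
    """The missing check: the referenced object must belong to the caller."""
    record = INVOICES.get(invoice_id)
    return record is not None and record["owner"] == current_user


def get_invoice_safe(current_user: str, invoice_id: int) -> dict:
    """Same lookup with the ownership check in front of it. Treating 'missing'
    and 'not yours' identically avoids confirming which IDs exist."""
    if not can_read_invoice(current_user, invoice_id):
        raise Forbidden(f"invoice {invoice_id} is not accessible to {current_user}")
    return INVOICES[invoice_id]


if __name__ == "__main__":
    print(get_invoice_vulnerable("bob", 1001))   # bob reads alice's invoice
    try:
        get_invoice_safe("bob", 1001)
    except Forbidden as err:
        print("blocked:", err)
```

Authentication alone does not prevent this: bob is a perfectly valid user. The check has to be an authorization decision about the specific object, made on every request.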

IDS (Intrusion Detection System)
A monitoring system that analyzes network traffic or host activity for signs of malicious behavior and generates alerts when suspicious patterns are detected.

JWT (JSON Web Token)
A compact, URL-safe token format that carries a set of claims as a JSON object, digitally signed (and optionally encrypted) so the recipient can verify its issuer and integrity; widely used for API authentication and single sign-on flows.

MFA (Multi-Factor Authentication)
An authentication mechanism that requires users to present two or more independent verification factors before access is granted: something you know (password), something you have (hardware token or authenticator app), or something you are (biometric).

OAuth 2.0
An authorization framework that allows applications to obtain limited, delegated access to user accounts on third-party services without requiring users to share their passwords.

OWASP Top 10
A regularly updated consensus list of the ten most critical security risk categories for web applications, published by OWASP (the Open Worldwide Application Security Project, formerly the Open Web Application Security Project).

Payload
The component of an attack that performs the attacker's intended malicious action after a vulnerability has been triggered.

Penetration Testing
A structured, authorized simulation of a real-world cyberattack against a system, network, or application with the goal of identifying exploitable vulnerabilities before malicious actors do.

Privilege Escalation
The process of exploiting a vulnerability or misconfiguration to gain a higher level of access than was originally authorized.

Purple Team
A collaborative security exercise in which red team (offensive) and blue team (defensive) practitioners work together in real time to simulate attacks and immediately measure detection and response quality.

Red Team
A group of security professionals who simulate sophisticated, persistent adversaries to test an organization's ability to detect and respond to real-world attacks.

RCE (Remote Code Execution)
A critical vulnerability class that lets an attacker execute arbitrary commands or code on a target system over the network, without physical access; the most severe instances (pre-authentication RCE) require no prior credentials at all.

Reverse Shell
A type of remote shell session in which the compromised target machine initiates an outbound network connection back to the attacker's system, circumventing inbound firewall rules that would block a traditional bind shell.

SIEM (Security Information and Event Management)
A platform that aggregates, normalizes, and correlates security event data from across an organization's infrastructure to support threat detection, incident investigation, and compliance reporting.

Security Misconfiguration
One of the most prevalent web application vulnerability classes, arising from incorrectly configured cloud services, application frameworks, databases, web servers, or network infrastructure: default credentials, verbose error pages, unnecessary features left enabled, or overly permissive permissions.

SSRF (Server-Side Request Forgery)
A vulnerability that allows an attacker to induce a server to make HTTP requests to arbitrary internal or external destinations on their behalf, reaching hosts such as cloud metadata services or internal admin interfaces that network segmentation and firewall rules would otherwise keep out of reach.
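
Blocking SSRF means validating where a user-supplied URL actually goes, not just what it looks like. The added example below (not code from the original glossary) rejects non-HTTP schemes, embedded credentials, and any destination whose address is not globally routable, after resolving hostnames so that names pointing at internal ranges are caught too. The resolver is injectable: the default uses `socket.getaddrinfo`, and the main block and test pass a constructed lookup table so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def resolve_with_dns(host: str):
    """Default resolver: every address the name maps to (A and AAAA records)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def url_is_safe(url: str, resolve=resolve_with_dns) -> bool:
    """True only if url is http(s), carries no userinfo, and every address its
    host maps to is public. Loopback, RFC 1918, link-local (including the cloud
    metadata address 169.254.169.254), multicast and reserved ranges all fail
    the is_global test."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False                    # file://, gopher://, dict:// and friends
    if parts.username is not None or parts.password is not None:
        return False                    # http://trusted.example@10.0.0.5/ tricks
    host = parts.hostname
    if not host:
        return False
    try:
        addresses = {str(ipaddress.ip_address(host))}     # IP literal, incl. [::1]
    except ValueError:
        try:
            addresses = set(resolve(host))                # a name: look it up
        except (OSError, KeyError):
            return False                                  # unresolvable: refuse
    if not addresses:
        return False
    return all(ipaddress.ip_address(a).is_global for a in addresses)


if __name__ == "__main__":
    # Constructed lookup table standing in for DNS. "2130706433" is the decimal
    # form of 127.0.0.1, which real resolvers accept even though it is not an
    # IP literal to urlsplit/ipaddress.
    fake_dns = {"api.example.com": ["93.184.216.34"],
                "internal.corp": ["10.0.0.5"],
                "2130706433": ["127.0.0.1"]}
    for u in ("https://api.example.com/v1/report",
              "http://169.254.169.254/latest/meta-data/",
              "http://2130706433/",
              "file:///etc/passwd"):
        print(u, url_is_safe(u, fake_dns.__getitem__))
```

Two caveats remain for real deployments: the connection must be made to the address that was checked (or re-checked at connect time), otherwise a name that changes between the check and the request (DNS rebinding) slips through; and every HTTP redirect must be validated again, since the first hop can be public and the second internal.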

Social Engineering
The use of psychological manipulation to deceive individuals into divulging confidential information, performing actions, or bypassing security controls, without exploiting any technical vulnerability.

SQL Injection (SQLi)
An injection attack where attacker-controlled input is concatenated into a SQL statement as text rather than passed as a bound parameter, allowing the attacker to change the query's logic, read or modify data the application never intended to expose, and in some databases run commands on the host.

SAST (Static Application Security Testing)
A white-box security testing approach that analyzes application source code, bytecode, or compiled binaries for vulnerability patterns without executing the program.

Threat Modeling
A structured process for systematically identifying, prioritizing, and planning mitigations for potential security threats to a system, ideally conducted during the design phase before code is written.

Vulnerability Assessment
A systematic process of identifying, classifying, and prioritizing security weaknesses in a system without attempting to exploit them.

WAF (Web Application Firewall)
A security control that monitors, filters, and blocks HTTP/HTTPS traffic between clients and a web application based on rule sets designed to detect common attack patterns.

XXE (XML External Entity)
A vulnerability in applications that parse XML input with a parser configured to resolve external entity references declared in the document's DTD, which lets an attacker read local files, reach internal services (a form of SSRF), or exhaust resources through entity expansion.
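
Since external entities can only be introduced through a DTD, the simplest robust defence for untrusted XML is to refuse any DTD before parsing, which is what the defusedxml library does. The added example below (not code from the original glossary or from defusedxml) implements that pre-scan with the standard library's expat bindings and wraps ElementTree with it; the sample documents in the main block are constructed.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXML(ValueError):
    """Raised when untrusted XML tries to declare a DTD or entities."""


def reject_dtd(data: bytes) -> None:
    """Pre-scan with expat and abort on the first DOCTYPE or entity declaration.
    External entities (SYSTEM "file:///..." or "http://...") live in the DTD,
    so refusing the DTD removes XXE at the root; the same rule also stops
    entity-expansion bombs such as 'billion laughs'."""
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {name!r} is not allowed in untrusted input")

    def on_entity(*declaration):
        raise UnsafeXML("entity declarations are not allowed in untrusted input")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse only after the scan passes; anything with a DTD never reaches ElementTree."""
    reject_dtd(data)
    return ET.fromstring(data)


def is_safe_xml(data: bytes) -> bool:
    """Convenience predicate: well-formed and free of DTD/entity declarations."""
    try:
        parse_untrusted(data)
        return True
    except (UnsafeXML, expat.ExpatError, ET.ParseError):
        return False


if __name__ == "__main__":
    # Constructed documents: one benign, one carrying the classic file-read entity.
    safe_doc = b"<order><id>42</id></order>"
    xxe_doc = (b'<?xml version="1.0"?>'
               b'<!DOCTYPE d [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
               b'<d>&xxe;</d>')
    print(parse_untrusted(safe_doc).find("id").text)   # 42
    print(is_safe_xml(xxe_doc))                        # False
```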

Zero Trust
A security model built on the principle that no user, device, or network segment should be implicitly trusted, even those already inside a traditional network perimeter.

Zero-Day Vulnerability
A software vulnerability that is known to attackers, or has become public, before the vendor has released a patch, leaving affected systems with no available fix at the time it is discovered or exploited; the name refers to the zero days of warning defenders have had.