Security Glossary

A set of practices and controls designed to protect application programming interfaces (APIs) from unauthorized access, misuse, and attacks. APIs directly expose business logic and data, making them high-value targets; common vulnerabilities include broken object-level authorization, mass assignment, and excessive data exposure. Automated penetration testing tools increasingly focus on API-specific attack patterns as API-first architectures become the norm.

The sum of all potential entry points where an unauthorized user could attempt to enter, extract data from, or disrupt a system — including exposed network ports, APIs, web interfaces, authentication endpoints, third-party integrations, and human-facing channels such as email. Minimizing the attack surface by disabling unused features, enforcing least-privilege access, and removing unnecessary dependencies is a foundational security hardening principle.

The process of verifying the identity of a user, device, or system before granting access to a resource. Strong authentication mechanisms — including multi-factor authentication (MFA), hardware tokens, and certificate-based authentication — are the first line of defense against unauthorized access. Broken or weak authentication remains one of the most commonly exploited vulnerability classes in web applications and APIs.

The process of determining what actions and resources a verified identity is permitted to access or modify. Unlike authentication (which verifies who you are), authorization defines what you are allowed to do. Failures in authorization — including privilege escalation, IDOR, and missing function-level access control — are among the most impactful and frequently discovered application security vulnerabilities.

The defensive security team responsible for protecting an organization's assets, detecting attacks in progress, and responding to security incidents. Blue teams operate continuously, monitoring systems, analyzing threat intelligence, and tuning security controls. In purple team exercises, the blue team works alongside red team attackers to improve detection and response capabilities in real time.

A class of vulnerabilities that allows attackers to compromise passwords, keys, or session tokens, or exploit implementation flaws to assume other users' identities. Common examples include weak password policies, susceptibility to credential stuffing, insecure session management, and improperly protected password reset flows. It consistently ranks among the OWASP Top 10 most critical web application security risks.

A crowdsourced security program that offers financial rewards to independent security researchers who responsibly disclose vulnerabilities in a product or service. Bug bounty programs complement internal testing and automated scanning by drawing on a diverse global pool of researchers with varied expertise. Major platforms such as HackerOne and Bugcrowd facilitate structured programs with defined scope, severity tiers, and payout ranges.

The practice of integrating automated security testing and policy enforcement directly into software build and deployment pipelines. Security gates within CI/CD pipelines can block deployments that introduce new vulnerabilities, enforce dependency hygiene, and verify infrastructure-as-code configurations. This approach ensures security is validated continuously rather than as a periodic manual audit, enabling teams to ship fast without sacrificing security posture.

A public catalog of disclosed security vulnerabilities, each assigned a unique identifier in the format CVE-YEAR-NUMBER (e.g., CVE-2021-44228 for Log4Shell). Maintained by MITRE and funded by the US government, CVE identifiers provide a standardized reference for discussing, tracking, and remediating specific vulnerabilities across vendors, tools, and security advisories. All CVE entries are publicly searchable via the National Vulnerability Database (NVD).

An attack that tricks an authenticated user's browser into submitting an unauthorized request to a web application where the user is currently logged in. Because the request originates from the legitimate user's browser, it carries valid session credentials, allowing the attacker to perform state-changing actions — such as fund transfers, email changes, or account deletions — without the victim's knowledge. CSRF is mitigated by anti-forgery tokens and the SameSite cookie attribute.

A vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. Stored XSS persists the payload in the application's database; reflected XSS delivers it via a crafted URL; DOM-based XSS manipulates client-side JavaScript. Successful XSS attacks can steal session cookies, capture keystrokes, redirect users to phishing pages, or silently perform actions on behalf of victims.

A standardized numerical score from 0 to 10 that rates the severity of a security vulnerability based on its exploitability and potential impact. CVSS considers factors including attack vector, complexity, required privileges, user interaction, and the degree of impact on confidentiality, integrity, and availability. Scores map to severity bands: None (0), Low (0.1–3.9), Medium (4.0–6.9), High (7.0–8.9), and Critical (9.0–10.0).

A security strategy that layers multiple independent controls so that the failure of any single control does not result in a complete breach. The principle assumes no single technology or process is infallible, and combines preventive controls (firewalls, input validation), detective controls (SIEM, IDS), and corrective controls (incident response, backups) across people, processes, and technology. Defense in depth is a foundational concept in both network and application security architecture.

A cultural and technical philosophy that integrates security practices throughout every phase of the software development lifecycle, rather than treating security as a separate, end-stage review. DevSecOps shifts security left — empowering developers to identify and fix vulnerabilities during development — through automated tooling, shared security ownership, and continuous feedback loops. It is a direct evolution of DevOps principles applied to the security domain.

A black-box security testing technique that analyzes a running application from the outside by sending malicious inputs and observing its responses, without access to source code. DAST tools simulate real-world attacks against live systems, identifying vulnerabilities that only manifest at runtime — such as injection flaws, authentication weaknesses, and server misconfigurations. DAST complements SAST by finding issues that static analysis cannot detect.

The authorized practice of using offensive attack techniques against a system to identify security weaknesses before malicious actors can exploit them. Ethical hackers — also called white-hat hackers or penetration testers — operate under a formal agreement that defines scope, rules of engagement, and explicit legal authorization. The term encompasses penetration testing, red teaming, vulnerability research, and bug bounty hunting.

A piece of software, command sequence, or technique that leverages a known vulnerability to cause unintended or unauthorized behavior in a target system. Exploits range from proof-of-concept code that demonstrates a vulnerability is genuine and exploitable, to fully weaponized tools enabling persistent access, lateral movement, or data exfiltration. In penetration testing, demonstrating a working exploit proves real business risk rather than theoretical exposure.

A network security control that monitors and filters traffic between networks based on predefined security rules. Traditional firewalls operate at the network and transport layers, enforcing rules by IP address and port; next-generation firewalls (NGFW) add application-layer inspection, user identity awareness, and threat intelligence integration. Firewalls are a necessary but insufficient control — they provide no protection against application-layer attacks on permitted traffic.

A vulnerability that occurs when an application exposes an internal implementation object — such as a database record ID, filename, or account number — without verifying that the requesting user is authorized to access it. By guessing or incrementing object references in API calls or URL parameters, attackers can read, modify, or delete other users' data. IDOR is one of the most prevalent and impactful vulnerabilities in modern web applications and REST APIs.

A monitoring system that analyzes network traffic or host activity for signs of malicious behavior and generates alerts when suspicious patterns are detected. Network-based IDS (NIDS) monitors traffic across a network segment; host-based IDS (HIDS) monitors activity on individual endpoints. Unlike an IPS, an IDS is passive — it detects and reports threats but does not block them, making it a detective rather than a preventive control.

A compact, self-contained token format used to transmit claims between parties as a digitally signed JSON object, widely used for API authentication and single sign-on flows. JWT vulnerabilities — including acceptance of the "none" algorithm, weak HMAC signing secrets, missing signature validation, and algorithm confusion attacks — frequently allow attackers to forge tokens and impersonate any user. Secure JWT implementations use asymmetric algorithms such as RS256 or ES256 and validate all claims on every request.

An authentication mechanism that requires users to present two or more independent verification factors before access is granted: something you know (password), something you have (hardware token or authenticator app), or something you are (biometric). MFA is one of the most effective single controls against account compromise, blocking over 99% of automated credential-stuffing and phishing attacks. Penetration tests routinely assess MFA implementations for bypass vulnerabilities such as OTP interception and SIM swapping.

An authorization framework that allows applications to obtain limited delegated access to user accounts on third-party services without requiring users to share their passwords. OAuth 2.0 underpins most modern single sign-on and API authorization flows. Common OAuth vulnerabilities — including open redirect exploitation, missing state parameter validation, authorization code interception, and token leakage via referrer headers — are a frequent focus of web application security assessments.

A regularly updated consensus list of the ten most critical security risks to web applications, published by the Open Web Application Security Project (OWASP). The list is informed by data contributed by hundreds of organizations covering millions of real-world applications and is widely referenced in regulatory frameworks, secure coding standards, and developer training programs. The current edition (2021) covers risks such as broken access control, cryptographic failures, injection, and insecure design.

The component of an attack that performs the attacker's intended malicious action after a vulnerability has been triggered. In web security testing, a payload might be a JavaScript snippet injected through an XSS vulnerability, a SQL statement that exfiltrates database records, an OS command appended to a system call, or a serialized object that triggers code execution upon deserialization. Crafting effective payloads that evade filters while achieving exploitation is a core penetration testing skill.

A structured, authorized simulation of a real-world cyberattack against a system, network, or application with the goal of identifying exploitable vulnerabilities before malicious actors do. Unlike automated vulnerability scanning, penetration testing involves active exploitation attempts — whether human-driven or AI-driven — to determine the actual business impact of each finding. Engagements typically follow a defined methodology: reconnaissance, scanning, exploitation, post-exploitation, and reporting.

The process of exploiting a vulnerability or misconfiguration to gain a higher level of access than was originally authorized. Vertical escalation involves gaining elevated permissions such as administrator or root access; horizontal escalation involves accessing resources belonging to another user at the same privilege level. Privilege escalation is a critical post-exploitation step in penetration testing that demonstrates the full potential blast radius of an initial security foothold.

A collaborative security exercise in which red team (offensive) and blue team (defensive) practitioners work together in real time to simulate attacks and immediately measure detection and response quality. Rather than red team operating covertly for weeks, purple teaming creates shared visibility so that each offensive action directly informs defensive rule tuning. This approach accelerates improvements to detection logic, alert thresholds, and incident response playbooks.

A group of security professionals who simulate sophisticated, persistent adversaries to test an organization's ability to detect and respond to real-world attacks. Red team engagements are typically longer (weeks to months), goal-oriented (e.g., exfiltrate sensitive data or deploy a simulated ransomware payload), and operate with minimal advance notice to defenders. Red teaming differs from penetration testing in its focus on adversarial simulation and detection measurement rather than comprehensive vulnerability discovery.

A critical vulnerability class that allows an attacker to execute arbitrary commands or code on a target system from a remote location, typically without requiring physical access or prior authentication. RCE is the highest-severity finding in most penetration tests because it grants the attacker full control over the compromised system. Common RCE vectors include deserialization vulnerabilities, command injection, template injection, and exploitation of unpatched server-side software.

A type of remote shell session where the compromised target machine initiates an outbound network connection back to the attacker's system, circumventing inbound firewall rules that would block a traditional bind shell. Reverse shells are a standard post-exploitation technique in penetration testing used to demonstrate interactive command-line access to a compromised host. Their presence confirms that an attacker could achieve persistent, interactive control of the system.

A platform that aggregates, normalizes, and correlates security event data from across an organization's infrastructure to support threat detection, incident investigation, and compliance reporting. SIEMs apply detection rules and behavioral analytics to identify attacks in progress and provide the audit trail needed for incident forensics and regulatory requirements. Modern SIEMs increasingly incorporate user and entity behavior analytics (UEBA) and security orchestration and automated response (SOAR) capabilities.

The most prevalent web application vulnerability class, arising from incorrectly configured cloud services, application frameworks, databases, web servers, or network infrastructure. Common examples include default credentials left unchanged, overly permissive S3 bucket policies, unnecessary features enabled, verbose error messages exposing stack traces, and missing HTTP security headers. Security misconfiguration topped the OWASP Top 10 in 2021 and is frequently the easiest vulnerability to discover and exploit in a penetration test.

A vulnerability that allows an attacker to induce a server to make HTTP requests to arbitrary internal or external destinations on their behalf, bypassing network segmentation and firewall controls. SSRF is particularly dangerous in cloud environments where it can be leveraged to reach instance metadata services and retrieve temporary credentials for full account takeover. It is a common finding in applications that fetch remote URLs, process webhooks, or retrieve content from user-supplied addresses.

The use of psychological manipulation to deceive individuals into divulging confidential information, performing actions, or bypassing security controls — without exploiting any technical vulnerability. Phishing (email), vishing (voice calls), smishing (SMS), and pretexting are the most common techniques. Social engineering attacks bypass technical controls entirely by exploiting human trust, authority, and urgency, making security awareness training and phishing simulation programs essential countermeasures.

An injection attack where malicious SQL statements are inserted into application input fields that are passed unsanitized to a database query, allowing attackers to manipulate query logic. Successful SQL injection can expose sensitive data, bypass authentication, modify or delete records, and in some configurations execute operating system commands. Despite being one of the oldest known web vulnerabilities, SQL injection remains widespread and consistently appears in the OWASP Top 10.

A white-box security testing approach that analyzes application source code, bytecode, or compiled binaries for vulnerability patterns without executing the program. SAST tools integrate into IDEs and CI/CD pipelines to give developers fast feedback on issues such as hardcoded credentials, SQL string concatenation, and insecure API usage. SAST produces higher false-positive rates than DAST and cannot detect runtime vulnerabilities, making it most effective when combined with dynamic testing and manual review.

A structured process for systematically identifying, prioritizing, and planning mitigations for potential security threats to a system, ideally conducted during the design phase before code is written. The STRIDE framework categorizes threats as Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Threat modeling answers four questions: what are we building, what can go wrong, what should we do about it, and did we address it adequately.

A systematic process of identifying, classifying, and prioritizing security weaknesses in a system without attempting to exploit them. Unlike penetration testing, vulnerability assessments rely primarily on automated scanners to produce a broad inventory of potential risks ranked by severity. They are typically faster, lower-cost, and less disruptive than penetration tests, and serve as a starting point for remediation planning rather than proof of exploitability.

A security control that monitors, filters, and blocks HTTP/HTTPS traffic between clients and a web application based on rule sets designed to detect common attack patterns. WAFs can mitigate attacks such as SQL injection, XSS, and CSRF, and are often deployed in front of public-facing applications as an additional protective layer. WAFs are not a substitute for secure application code and can frequently be bypassed by attackers using obfuscation, encoding variations, or logic-based techniques.

A vulnerability in applications that parse XML input with a misconfigured parser that allows the processing of external entity references embedded in the document. XXE attacks can read arbitrary files from the server filesystem, trigger server-side request forgery, enumerate internal network services, and in some cases achieve remote code execution via error-based exfiltration. XXE is prevented by disabling external entity processing in XML parsers and using safer serialization formats such as JSON where XML is not required.

A security model built on the principle that no user, device, or network segment should be implicitly trusted — even those already inside a traditional network perimeter. Zero trust enforces continuous verification of identity, device health, and least-privilege access for every request, replacing the outdated "castle and moat" perimeter model. The framework is increasingly mandated by government security standards such as the US Executive Order on Improving the Nation's Cybersecurity.

A software vulnerability that has been discovered but not yet publicly disclosed or patched by the vendor, leaving affected systems with no available fix at the time it is known or exploited. Zero-day vulnerabilities are extremely valuable in offensive operations because defenders have no warning and traditional signature-based defenses cannot detect their exploitation. Researchers who discover zero-days may responsibly disclose them to vendors under coordinated disclosure programs, or sell them to government agencies and exploit brokers.