Term: Definition. See also: related terms.

Abuse Case: A scenario used to define cases that can cause software to be abused in malicious ways.
Access Control List (ACL): A set of permissions applied to an object.
Access Controller (Java): The component (or class) responsible, within Java's code-centric security model, for making access control decisions.
Activity (Google Android): An application component that provides a screen with which users can interact in order to perform an action.
Address Space Layout Randomization (ASLR)
Adobe® Flash®: A multimedia platform used to add animation, video, and interactivity to web pages. Flash is frequently used for advertisements, games, and movies for broadcast.
Advanced Encryption Standard (AES): A U.S. National Institute of Standards and Technology (NIST) encryption specification developed by Joan Daemen and Vincent Rijmen for the encryption of electronic data. See also: Encryption.
Advisory File Locking (Unix): A locking mode where the entity locking the resource merely notifies other entities of the locking; requires cooperation from other entities.
Agile Software Development: A group of software development methodologies promoting the creation of requirements and associated solutions via an iterative workflow and active collaboration between self-organizing and cross-functional units within the project team. Agile methodologies are opposed to waterfall-type approaches in the sense that their flow is incremental, adaptive, and highly iterative.
American Standard Code for Information Interchange (ASCII): A 128-character encoding scheme commonly used to represent text in computer programs.
Ant Utility: A software tool for automating software build processes. It is implemented in the Java language, requires the Java platform, and is best suited to building Java projects. Ant uses XML to describe the build process and its dependencies.
Anti-debugging: A set of techniques designed to hinder attempts at reverse engineering or debugging a target process. See also: Debugging.
Anti-piracy: A set of measures designed to defend against copyright infringement, counterfeiting, and other violations of intellectual property laws.
Apache Struts: An open-source web application framework for developing Java Enterprise Edition (EE) applications; encourages developers to adopt a Model-View-Controller architecture. See also: Java Enterprise Edition (EE), Model-View-Controller (MVC).
Apple iCloud: A cloud service that Apple provides to manage content for its devices. See also: Cloud Computing.
Apple iOS: A mobile operating system developed by Apple Inc. for the iPhone, iPod Touch, and iPad devices. See also: iPhone, iPod, iPad.
Apple Property List Editor: An Apple application used to edit property list files. See also: Property List File (.plist).
Apple Push Notification Services (APNS): An Apple service that can be used to send notifications to applications installed on Apple mobile devices.
Applet (Java): A small Java application that can be launched from a web page loaded within a browser.
Application Backgrounding: The process of managing a mobile application's resources and state as it is removed from the foreground of a device's screen.
Application Bundle (Apple iOS): A hierarchical directory that contains an application executable along with the required resources for that application.
Application Framework: A software framework used to implement the standard structure of an application for a particular target environment such as a specific operating system or the Web.
Application Framework (Google Android): A set of built-in APIs that can be used to create Android applications, supporting basic functions such as resource management, voice call management, etc.
Application Manifest: A file, generally XML-based, that defines the structure of an application along with a list of resources contained in the application and other metadata.
Application Programming Interface (API): A set of functions, objects, and protocols used for building software applications.
Application Token (Google Android): An identifier assigned to GUI windows, used to associate them with Android activities. See also: Activity (Google Android).
Arbitrary-precision Arithmetic: An approach to performing calculations on numbers whose digits of precision are limited only by the available memory of the host system.
Architecture Risk Analysis (ARA): An approach for performing threat modeling. See also: Threat Modeling.
Architecture/Design Flaw: A software defect that is caused by an error in the software's architecture or design.
Aspect-oriented Programming (AOP): A programming paradigm aimed at increasing modularity by allowing the separation of cross-cutting concerns. See also: Cross-cutting Concern.
Asset: In the context of general security, an asset is a resource that is valuable and needs to be protected by an organization or system. In software security, an asset can be either a data asset or a functional asset. See also: Data Asset, Functional Asset.
Asymmetric Encryption: A type of encryption where data is encrypted and decrypted using different keys.
Asynchronous JavaScript and XML (AJAX): A group of interrelated client-side web development techniques used to create asynchronous web applications. Using AJAX, the client can send data to and retrieve data from a server (in the background) without entirely reloading pages.
Atomicity: The property of a set of tasks that are carried out as one single, indivisible operation.
Attack Pattern: A common method for exploiting software. See also: Exploit.
Attack Surface: The set of all possible inputs and outputs that can be used by threat agents to attack a system. See also: Threat Agent.
Attack Tree: A top-down approach for decomposing risks into detailed attacks in order to visualize the set of all possible scenarios enabling a given risk to be realized.
Attack Vector: A path or means by which an attacker can exploit a vulnerability in a given piece of software.
Auditing: The action of reviewing security logs to detect any suspicious activity performed on a given system.
Authentication: The process of verifying an entity's claimed identity.
Authentication Token: A piece of information given to a principal after successful authentication that acts as proof of authentication. See also: Security Principal.
Authenticity: The assurance that a message, object, transaction, or other exchange of information is, in fact, from the source it claims to be from.
Automated Build Process: An automated process that compiles, deploys, and runs verification tests against the latest source code of a project at regular, predetermined time intervals.
Automatic Memory Management: A set of programming language and runtime environment features that relieve developers of the burden of managing (e.g., allocating and deallocating) memory themselves.
Automatic Reference Counting (ARC): A compiler feature that keeps track of object reference counts on behalf of the programmer.
Backdoor: A covert, undocumented channel that gives access to a computer system or program.
Base Domain: A domain definition that stands alone. Other domains may be defined as subsets of a base domain (e.g., is a subset of the base domain).
Base64 Encoding: A group of encoding schemes that represent binary data in an ASCII string format. See also: American Standard Code for Information Interchange (ASCII).
Basic Authentication: A method of performing authentication over HTTP communication using a simple username and password. Typically used over HTTPS connections, since the method itself provides no confidentiality for the credentials being transmitted. See also: Authentication, Hypertext Transfer Protocol (HTTP), Hypertext Transport Protocol Secure (HTTPS).
bcrypt: A key derivation function for passwords that incorporates salts to protect against rainbow table attacks. It also remains resistant to brute-force attacks.
Bitwise AND: A binary operation that performs a logical AND on each bit of the first operand with the corresponding bit of the second operand.
Bitwise NOT: A unary operation that changes all the ones in the number to zeros and all of the zeros to ones.
Bitwise OR: A binary operation that performs a logical OR on each bit of the first operand with the corresponding bit of the second operand.
Bitwise Shift: A binary operation that shifts the bits of the first operand either to the right or to the left, by the number of bits specified in the second operand. See also: Right Shift, Left Shift.
Black-listing: An input validation approach that consists of rejecting input based on the presence of known bad characters.
Block Cipher: A class of symmetric encryption algorithms operating on fixed-length groups of bits called blocks. See also: Symmetric Encryption.
Block Cipher Mode: An algorithm that specifies how a block cipher operates on fixed-size groups of bits, called blocks, of the plain text. See also: Block Cipher.
Blocking Pseudo-random Number Generator: A pseudo-random number generator that stops producing output as long as its source of entropy is exhausted. See also: Pseudo-random Number Generator (PRNG), Entropy.
Blueprints: A type of paper-based reproduction used especially for technical drawings, architecture plans, or other engineering design specifications.
Boot Loader: A piece of code that is executed to load the operating system or runtime environment after a computing device performs a series of self-tests.
Botnet: A collection of internet-connected computers, known as bots, whose security defenses have been breached and which are controlled by an attacker.
Broadcast Intent (Google Android): A mechanism for broadcasting system-wide messages to other components of an Android system.
Brute-force Attack: An attack aimed at guessing the value of cryptographic or authentication credentials by performing an automated exhaustive search of all possible values until the correct value is found.
Buffer Overflow: A programming error that affects software written in native programming languages and that may result in unauthorized memory access.
Buffer Underflow: A programming error that occurs when trying to write data to a buffer using an index that references a location prior to the buffer's start.
Bug: An implementation-level software defect that exists in source code.
Bug Triage: The process of analyzing bugs or findings with the intent of prioritizing them.
Bytecode: A form of instructions executed by the Java virtual machine, consisting of single-byte opcodes and their parameters, which together form multi-byte instructions. See also: opcodes.
C++11 Standard: A version of the C++ standard approved by ISO on 12 August 2011, replacing C++03.
C++14 Standard: An extension of the C++11 standard, approved by the ISO in 2014.
Cache: A temporary storage location used to hold frequently accessed data for faster retrieval.
Callback Function: A piece of executable code that is passed as an argument to other code, which is expected to invoke the callback at some other time.
Cascading Style Sheet (CSS): A standard used for describing the look and formatting of documents written in a markup language such as HTML or XHTML. See also: Hypertext Markup Language (HTML), Extensible Hypertext Markup Language (XHTML).
Certificate Authority (CA): An entity that issues digital certificates and subsequently serves as a trusted third party to verify the validity of the issued certificates. See also: Digital Certificate.
Certificate Pinning: The process of explicitly trusting digital certificates or public keys to prevent MitM attacks related to the certificate chain validation process. See also: Digital Certificate, Man-in-the-Middle (MitM) Attack.
Channel Security: A set of security properties (e.g., confidentiality, integrity, and authentication) maintained through the use of specific controls between the two endpoints of a given communication channel.
Checked Iterators (C++): A safeguard used to prevent memory corruption vulnerabilities caused by off-by-one errors and iterator invalidation.
Cipher Text: Information after encryption. See also: Encryption.
Cipher-block Chaining (CBC): A block cipher mode of operation in which each block of plain text is XORed with the previous cipher text block before being encrypted. See also: Block Cipher, Exclusive OR (XOR), Cipher Text.
Class Inheritance: A mechanism to reuse code of existing objects, or to establish a subtype from an existing object, or both, depending on programming language support.
Class Variable (Java): A variable in a class that is common to all instances of that class; also known as a "static variable" as a result of the modifier used in its declaration.
Classpath (Java): A parameter, set either on the command line or through an environment variable, that tells the Java Virtual Machine or the Java compiler where to locate user-defined classes and packages.
Cleanup Code: The logic that reverts a program to a consistent state after it has performed operations that altered its default security posture.
Clear text: Information prior to encryption or after decryption.
Clickjacking: A deceptive technique that consists of tricking a victim user into clicking something different than what she thinks she is clicking, causing the victim to perform a sensitive operation on behalf of the attacker.
Client-server Architecture: A model where functionality is divided between the providers of a resource or service, called servers, and service requesters, called clients. Clients and servers often communicate over a computer network using a specific protocol.
Cloud Computing: A model for enabling on-demand network and computing capabilities via a pool of shared configurable resources. These include networks, storage appliances, software applications, and services.
Code Division Multiple Access (CDMA): A channel access method used by radio communication technologies, such as mobile phones, that allows several devices to share a band of frequencies.
Code Obfuscation: The deliberate act of making source code or machine code difficult for humans to understand, in order to prevent the understanding of its logic or to prevent tampering.
Code Signing: The process of digitally signing an executable to provide tamper-detection and authenticity services against malware.
Command injection: An injection attack whose goal is the execution of arbitrary commands on the host operating system via a vulnerable application. See also: Injection Attack.
Common Gateway Interface (CGI): A standard method for web-server software to delegate the generation of web content to executable files.
Common Intermediate Language (CIL): A CPU-independent and platform-independent instruction set that can be executed in any environment supporting the Common Language Infrastructure (CLI). See also: Common Language Infrastructure (CLI).
Common Language Infrastructure (CLI): An open specification developed by Microsoft that describes the executable code and runtime environment allowing multiple high-level languages to be used on different computer platforms without being rewritten for specific architectures.
Common Language Runtime (CLR): The virtual machine component of Microsoft's .NET framework.
Common Weakness Enumeration (CWE): A taxonomy of software weaknesses and vulnerabilities maintained by a software community project.
CommonCrypto (Apple): A library of functions supporting various encryption standards, with hardware acceleration on Apple iOS devices (starting from iOS v5).
Community Cloud: A cloud deployment model where the cloud infrastructure is shared among various entities that have common concerns.
Compartmentalization: A design principle that prescribes the segregation of the components of an architecture so as to contain the extent of a successful attack against one of these components.