B
Glossary

Terminology that is specific to software security may seem straightforward, but nuances are important to get right. I have evolved the following security-specific meanings of terms based on my experience across multiple companies and many diverse projects, and while these definitions are generally accepted, don’t be surprised if you find diversity in the terminology used in the wild. If you pay close attention, you’ll notice that security specialists define and use the same terms in slightly different ways, bringing their own unique perspectives to the foundational precepts of the field. Expect to hear many variations, because there is no accepted standard vocabulary; usually, however, these variations are easy to deduce in context.

Affected users

An assessment of the proportion of users potentially impacted by the exploitation of a specific vulnerability. (Component of DREAD)

Allowlist

An enumeration of safe values that should be allowed. (Cf. Blocklist)

Assessment report

The written results of a security design review (SDR), consisting of a ranked summary of findings and recommendations, including specific design changes and strategies to improve security.

Asset

Valuable data or resources, especially likely targets of attack, to be protected.

Asymmetric encryption

Data encryption with separate keys for encryption (public key) and decryption (private key). (Cf. Symmetric encryption)

Attack

Action taken in an attempt to violate security.

Attacker

A malicious agent working to violate the security of a system. (Also known as Threat actor)

Attack surface

The aggregate of all potential points of entry to a system for attack.

Attack vector

A sequence of steps forming a complete attack, starting from the attack surface and culminating in access to an asset.

Auditing

Maintaining a reliable record of actions by principals, for regular inspection, to detect suspicious behavior indicative of improper activity. (Component of the Gold Standard)

Authentication (authN)

High-assurance determination of the identity of a principal. (Component of the Gold Standard)

Authenticity

Assurance that data is genuine, a stronger claim than data integrity.

Authorization (authZ)

Security policy controls ensuring that privileged access is restricted to certain authenticated principals. (Component of the Gold Standard)

Availability

Assurance that data access is always available to authorized principals; in other words, that the system avoids significant delays or outages hindering legitimate access. (Component of C-I-A)

Backtracking

Behavior of algorithms, such as regular expression matching, where progress may advance and regress, exponentially repeating. Potential security issues result when backtracking incurs excessive computation that degrades availability.

Block cipher

A symmetric encryption algorithm that processes fixed-length blocks of data, as opposed to a bitstream.

Blocklist

An enumeration of unsafe values that should be disallowed. Not generally recommended because, unless exhaustive, there is risk of vulnerability. (Cf. Allowlist)

Bottleneck

A single point in the code execution path that guards all access to a specific asset. Bottlenecks are important for security because they ensure that uniform authorization checks happen for all accesses.

Buffer overflow

A class of vulnerabilities involving invalid access outside the bounds of allocated memory.

Certificate authority (CA)

An issuer of digital certificates.

Chokepoint

See Bottleneck.

Chosen plaintext attack

Analysis of encryption where the attacker is able to learn the ciphertext for a plaintext of their choice, and thereby weaken the encryption.

C-I-A

The fundamental information security model. (See Confidentiality, Integrity, and Availability)

Ciphertext

The encrypted form of a message that is meaningless without the key. (Cf. Plaintext)

Code Access Security (CAS)

A security model that dynamically adjusts authorization according to the privileges of all callers to mitigate Confused Deputy vulnerabilities.

Collision

When two different inputs produce the same message digest value.

Collision attack

An attack that uses a known collision to subvert authenticity relying on the uniqueness of cryptographic message digest values.

Command injection

A vulnerability allowing malicious inputs to result in running arbitrary commands controlled by an attacker.

Confidentiality

The fundamental information security property of enforcing only authorized access to data. (Component of C-I-A)

Confused Deputy

A vulnerable pattern where an unauthorized agent can trick an authorized agent or code to perform a harmful action on the former’s behalf.

Credentials

Evidence of identity, attributes, or authority, as a basis for authentication.

Cross-site request forgery (CSRF or XSRF)

An attack that modifies web server state, typically using a POST request with the victim client’s cookies context.

Cross-site scripting (XSS)

A web-specific injection attack where malicious input alters the behavior of a website, typically resulting in running unauthorized script.

Cryptography

The mathematical art of reversibly transforming data so as to conceal it.

Cryptographically secure pseudo-random number generator (CSPRNG)

A source of random numbers considered unpredictable enough that guessing is infeasible, which is thus suitable for cryptography. (Cf. Pseudo-random number generator)

Damage potential

An assessment of how much harm can be done by exploiting a specific vulnerability. (Component of DREAD)

Deanonymization

Analysis of supposedly anonymous data that infers identifying traits to compromise the degree of anonymity.

Decryption

The process of transforming a ciphertext back into the original plaintext message.

Denial of service (DoS)

An attack that consumes computing resources in order to degrade availability. (Also a component of STRIDE)

Dependency

A software library or other component of a system that software requires in order to operate.

Dialog fatigue

The human response to repetitive or uninformative software dialogs, often leading to reflexive responses to get past the dialog in order to accomplish a goal. The security impact occurs when users fail to understand or consider the security consequences of their actions.

Digest

A unique numerical value of fixed size computed from an arbitrarily large data input. Different digest values guarantee the inputs are different, but collisions are possible. (Also known as Hash)

Digital certificate

A digitally signed statement asserting a specific claim by the signer. Common digital certificate standards include TLS/SSL secure communications (both for the server and the client side), code signing, email signing, and certificate authorities (root, intermediate, leaf).

Digital signature

A computation demonstrating knowledge of a private key, proving the authenticity of the signer.

Discoverability

An assessment of how easily the existence of a specific vulnerability could be learned by a would-be attacker. (Component of DREAD)

Distributed denial-of-service attacks (DDoS)

Coordinated denial-of-service attacks, typically orchestrated using a large herd of bots.

DREAD

An acronym for a five-component system used to assess a vulnerability to gauge its severity. (See Damage potential, Reproducibility, Exploitability, Affected users, and Discoverability)

Electronic code book (ECB) mode

A block cipher encryption mode where each block is encrypted independently. Since identical blocks result in identical outputs, ECB is weak and usually not recommended.

Elevation of privilege

Any means by which an agent acquires increased privileges, especially when an attacker exploits a vulnerability. (Component of STRIDE)

Encryption

An algorithm transforming plaintext into ciphertext to secretly convey a message.

Entropy source

A source of random input that generates an unpredictable bitstream.

Exploit

The recipe for a working attack that violates security, causing harm.

Exploitability

An assessment of how easy it is to exploit a specific vulnerability. Often this is a subjective guess due to many unknowns. (Component of DREAD)

Fact of communication

Knowledge of whether or not two communicants exchanged information, such as by an eavesdropper observing encrypted messages they cannot decipher.

Flaw

A bug that might or might not be a vulnerability, either in design or implementation.

Footgun

A software feature that makes it easy to introduce a bug, especially a vulnerability.

Fuzz testing

Automated brute-force testing with arbitrary inputs to discover software flaws.

Gold Standard

A nickname for the three basic security enforcement mechanisms. (See Auditing, Authentication, and Authorization)

Guard

An authorization enforcement mechanism in software that controls access to a resource.

Hardware random number generator (HRNG)

A hardware device designed to produce highly random data efficiently. (See Cryptographically secure pseudo-random number generator)

Hash

See Digest.

Hash message authentication code (HMAC)

A class of message digest functions where each key value determines a unique message digest function.

Incident

A specific instance of a security attack.

Information disclosure

An unauthorized information leak. (Component of STRIDE)

Injection attack

A security attack that uses malicious input to exploit a vulnerability where part of the input is interpreted in an unexpected manner. Common forms include SQL injection, cross-site scripting, command injection, and path traversal.

Input validation

Defensive checking of input data to ensure that it is of a valid format that will be correctly processed downstream.

Integration testing

Software testing of multiple components operating together. (Cf. Unit testing)

Integrity

The fundamental information security property of maintaining data accurately, or only allowing authorized modification and deletion. (Component of C-I-A)

Key

A parameter to a cryptographic algorithm that determines how the data is transformed. (See Private key, Public key)

Keyed hash function

See Hash message authentication code (HMAC).

Key exchange

A protocol for two communicants to establish a secret key that is secure even if the content of all messages exchanged is revealed to an attacker.

Message authentication code (MAC)

Data accompanying a message as evidence that it is authentic and has not been tampered with. (Cf. Hash message authentication code)

Message digest

See Digest.

Mitigation

A preemptive countermeasure to prevent a potential attack or reduce its harm, such as by minimizing damage, making the attack recoverable, or making it easily detectable.

Nonce

An arbitrary number used once, such as in a communications protocol to prevent replay attacks.

One-time pad

A shared secret key for message encryption that can only be used once because reuse weakens its security.

Overflow

The incorrect result of an arithmetic instruction when the value exceeds the capacity of the variable. When overflow happens undetected, it often results in a vulnerability by introducing unexpected results.

Path traversal

A common vulnerability where malicious input injects unexpected content into a filesystem path that allows it to designate files outside the bounds of intended access.

Plaintext

The original message before encryption, or after decryption by the intended recipient.

Preimage attack

An attack on a message digest function attempting to find an input value that produces a specific message digest value.

Principal

An authenticated agent: a person, business, organization, application, service, or device.

Private key

A parameter needed for decryption, kept secret by the authorized recipient.

Provenance

A reliable history of the origin and chain of custody, providing confidence in the validity of data.

Pseudo-random number generator (PRNG)

A “pretty good” random number generator that is vulnerable to prediction by sophisticated analysis. These random numbers are useful for many purposes, such as simulations, but are unsuitable for cryptography because they are not sufficiently random. (Cf. Cryptographically secure pseudo-random number generator)

Public key

A widely known parameter needed to encrypt a message for a particular recipient.

Random number

An arbitrarily chosen number that cannot be reliably predicted.

Rate limiting

A method of slowing down a process, commonly used to mitigate attacks that rely on brute-force repetition to succeed.

Replay attack

Attacking a secure communication protocol by resending previous authentic messages. A replay attack succeeds if an attacker resends a copy of a previous authentic communication that is mistaken as a subsequent identical message sent by the original sender.

Reproducibility

An assessment of how reliably the exploitation of a specific vulnerability will work over a number of repeated attempts. (Component of DREAD)

Repudiation

Plausible deniability for actions, specifically allowing an attacker to evade responsibility. (Component of STRIDE)

Root certificate

The self-signed digital certificate authorizing trust in a certificate authority.

Same Origin Policy (SOP)

A set of restrictions enforced by web clients to limit access between different windows of different websites.

Sandbox

A restricted execution environment designed to limit the maximum privilege available to code executing within it.

Security design review (SDR)

A structured review of the security of a software design.

Security hat

An expression for intentionally focusing with a security mindset to think about how things might go wrong.

Security regression

The recurrence of a known security bug that was previously fixed.

Security test case

A software test case that checks that a security control is properly enforced.

Security testing

Software testing to ensure that security controls work properly.

Side channel attack

An attack that deduces confidential information indirectly, as opposed to by directly defeating protection mechanisms. For example, reliably deducing knowledge of the results of a computation from the time delay to produce the result.

Speculative execution

The optimization method used in modern processors whereby future instructions are executed early to potentially save time, with backtracking logic to discard results later if unneeded. The impact of speculative execution on the cache state potentially leaks information not otherwise accessible, making it a security threat.

Spoofing

The subversion of authentication where an attacker pretends to be an authorized principal. (Component of STRIDE)

SQL injection

A vulnerability allowing an attacker to craft malicious inputs to run arbitrary SQL commands.

STRIDE

An acronym for the six basic kinds of software security threats, useful to guide threat modeling. (See Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege)

Symmetric encryption

An encryption method where the same key is used to encrypt or decrypt. The symmetry is that anyone who can encrypt can also decrypt. (Cf. Asymmetric encryption)

Tainting

A process of tracing the origin of data through software, used to prevent untrusted inputs, or data influenced by those inputs, from being used in privileged operations, such as for an injection attack.

Tampering

The unauthorized modification of data. (Component of STRIDE)

Threat

A potential or hypothetical security problem.

Threat actor

See Attacker.

Threat modeling

Analysis of the model of a system used to identify threats needing mitigation.

Timing attack

A side channel attack where information can be inferred from measuring the timing of an operation.

Trust

The choice to rely on a principal or component without recourse in the event of a failure to protect.

Underflow

Lost precision in the result of a floating-point computation.

Unit testing

Software testing of individual modules in isolation from other components.

Untrusted input

Input data originating from untrusted sources, in particular from a potential attack surface.

Vulnerability

A software flaw that makes a security attack possible.

Vulnerability chain

A collection of vulnerabilities that, when combined, constitute a security attack.

Weakness

A bug that causes fragility and hence may be a vulnerability.
