Glossary

PRODUCT SECURITY TERMINOLOGIES & GLOSSARY

This comprehensive glossary provides clear definitions and explanations of essential terms used in product security, from vulnerability assessments to threat modeling. Whether you’re a security professional, developer, or product manager, these definitions will help you navigate complex security concepts and communicate effectively with your team.

A

API Security The practice of protecting Application Programming Interfaces (APIs) from attacks and ensuring they handle data securely. Includes authentication, authorization, rate limiting, and input validation.

Application Security (AppSec) The process of making applications more secure by finding, fixing, and preventing security vulnerabilities during the development and deployment phases.

Application Security Testing (AST) Automated and manual testing methods to identify security vulnerabilities in applications, including SAST, DAST, and IAST approaches.

Attack Surface The sum of all possible entry points where an unauthorized user can attempt to exploit vulnerabilities in a product or system.

Attack Vector A specific path or method used by attackers to gain unauthorized access to a system or exploit a vulnerability.

Automated Security Testing The use of tools and scripts to automatically identify security vulnerabilities without manual intervention, typically integrated into CI/CD pipelines.

B

Blue Team The defensive security team responsible for protecting systems and detecting attacks, often contrasted with red teams who simulate attacks.

Bug Bounty Program A crowd-sourced security testing approach where organizations offer rewards to external researchers who discover and report security vulnerabilities.

Business Logic Vulnerability Security flaws that arise from errors in the design and implementation of business rules and workflows, rather than technical coding errors.

C

Code Review The systematic examination of source code to identify security vulnerabilities, bugs, and adherence to secure coding standards.

Common Vulnerability Scoring System (CVSS) A standardized method for rating the severity of security vulnerabilities on a scale from 0.0 to 10.0. The base score is computed from a metric vector (attack vector, attack complexity, privileges required, user interaction, scope, and confidentiality, integrity, and availability impact); optional temporal and environmental metrics adjust it for a given deployment.

Common Vulnerabilities and Exposures (CVE) A public catalog of publicly disclosed security vulnerabilities, each assigned a unique identifier (CVE-YYYY-NNNNN) so that vendors, scanners, and advisories can refer to the same issue consistently.

Compliance Adherence to regulatory requirements, industry standards, and organizational policies related to security and privacy.

Container Security Security practices and tools specifically designed to protect containerized applications and their runtime environments.

Continuous Security The integration of security practices throughout the entire development lifecycle, ensuring ongoing protection rather than point-in-time assessments.

Cross-Site Request Forgery (CSRF) An attack in which a malicious site causes a user's browser to send an unintended, authenticated request (for example, from an auto-submitted form) to an application where the user is logged in, so the application performs an action the user never chose.

Cross-Site Scripting (XSS) A vulnerability that allows attackers to inject malicious scripts into web applications, which then execute in users’ browsers.

D

Data Loss Prevention (DLP) Technologies and processes designed to detect and prevent unauthorized transmission of sensitive data outside an organization.

Dependency Management The practice of tracking, updating, and securing third-party libraries and components used in product development.

DevSecOps The integration of security practices into DevOps workflows, emphasizing security as a shared responsibility throughout development.

Dynamic Application Security Testing (DAST) Security testing performed on running applications to identify vulnerabilities that manifest during execution.

E

Encryption The process of converting data into a coded format to prevent unauthorized access, using algorithms and keys to protect information.

Endpoint Security Protection of devices (computers, mobile devices, servers) that connect to a network from security threats.

Exploit A piece of code or technique that takes advantage of a security vulnerability to gain unauthorized access or cause harm.

F

False Negative A scenario where a security system fails to detect and alert on malicious or problematic activity, leaving real issues hidden.

False Positive A security alert that incorrectly identifies benign activity as malicious or problematic, leading to unnecessary investigation.

Fuzzing An automated testing technique that feeds invalid, unexpected, or random data to an application and watches for crashes, hangs, or other unexpected behavior that indicate security vulnerabilities.
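The core loop of a fuzzer is small enough to show in full. The following is an added example, not taken from the original page: a mutation-based fuzzer in Python running against a constructed toy record parser that contains a deliberate bounds bug. The parser, its format, and the seed input are all invented for this illustration; real fuzzers (AFL++, libFuzzer) add coverage feedback to decide which mutated inputs to keep, which this loop omits.

```python
import random
from typing import Optional, Tuple


def parse_record(data: bytes) -> dict:
    """Constructed toy format: [name_len][name bytes][value_len][value bytes].

    ValueError is the parser's intended way of rejecting bad input. The bug:
    when the name consumes the rest of the buffer, data[1 + name_len] is read
    without a bounds check and raises IndexError instead, which is the kind of
    crash (out-of-bounds read in a C parser) a fuzzer exists to find.
    """
    if len(data) < 2:
        raise ValueError("too short")
    name_len = data[0]
    name = data[1:1 + name_len]
    if len(name) != name_len:
        raise ValueError("truncated name")
    value_len = data[1 + name_len]            # BUG: no bounds check before indexing
    value = data[2 + name_len:2 + name_len + value_len]
    if len(value) != value_len:
        raise ValueError("truncated value")
    return {"name": name, "value": value}


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random mutation: overwrite a byte, delete a byte, insert a byte, or truncate."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 1 and buf:
        del buf[rng.randrange(len(buf))]
    elif op == 2:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:
        del buf[rng.randrange(len(buf)):]
    return bytes(buf)


def crashes(data: bytes) -> bool:
    """True when the parser fails with anything other than its expected ValueError."""
    try:
        parse_record(data)
    except ValueError:
        return False
    except Exception:
        return True
    return False


def fuzz(seed_inputs, iterations: int = 5000, seed: int = 1) -> Optional[Tuple[bytes, Exception]]:
    """Mutate seeds until an unexpected exception appears; return (input, exception) or None."""
    rng = random.Random(seed)                 # fixed seed so a found crash is reproducible
    corpus = list(seed_inputs)
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        try:
            parse_record(candidate)
        except ValueError:
            continue                          # expected rejection, not a bug
        except Exception as exc:
            return candidate, exc
    return None


def minimize(data: bytes) -> bytes:
    """Greedy reducer: drop single bytes while the input still crashes the parser."""
    shrunk = True
    while shrunk:
        shrunk = False
        for i in range(len(data)):
            trial = data[:i] + data[i + 1:]
            if crashes(trial):
                data, shrunk = trial, True
                break
    return data


if __name__ == "__main__":
    seed_input = b"\x03abc\x02hi"             # constructed valid record: name "abc", value "hi"
    assert parse_record(seed_input) == {"name": b"abc", "value": b"hi"}
    result = fuzz([seed_input])
    if result:
        crash_input, exc = result
        print("crash:", type(exc).__name__, crash_input, "minimized:", minimize(crash_input))
```

The two design points that carry over to real fuzzing harnesses: the harness must know which failures are expected (here, ValueError) so that graceful rejections are not reported as findings, and any crash should be minimized before it is filed so the developer sees a two-byte reproducer rather than a mutated blob.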

G

GitHub Security Security features and practices for protecting source code repositories, including secret scanning, dependency analysis, and access controls.

Guardrails Automated security controls and policies built into development workflows and CI/CD pipelines to prevent security issues from reaching production while allowing developers to work efficiently.

Governance, Risk & Compliance (GRC) Framework for managing security governance, risk assessment, and regulatory compliance across product development and operations.

Gray Box Testing Security testing approach that combines elements of both black box and white box testing, where testers have limited knowledge of the system’s internal workings.

H

Hardening The process of securing a system by reducing its attack surface through configuration changes, removing unnecessary services, and applying security controls.

Honeypot Decoy system designed to attract and detect attackers while gathering intelligence about attack methods.

Header Injection Attack technique that exploits missing validation of user input placed into HTTP headers; carriage-return and line-feed characters in the input (CRLF injection) let an attacker add headers of their own or terminate the header block and inject a response body.

Hijacking Unauthorized takeover of sessions, connections, or communications (e.g., session hijacking, DNS hijacking).

I

Identity and Access Management (IAM) Systems and processes for managing user identities and controlling access to resources based on user roles and permissions.

Incident Response The organized approach to addressing and managing security breaches or attacks to limit damage and reduce recovery time.

Infrastructure as Code (IaC) Security Security practices for protecting automated infrastructure provisioning and configuration scripts from vulnerabilities.

Input Validation The process of ensuring that data received by an application is properly formatted, within expected parameters, and safe to process.

Interactive Application Security Testing (IAST) Security testing that monitors applications during runtime using instrumented code to identify vulnerabilities.

Intrusion Detection System (IDS) A security tool that monitors network or system activities for malicious behavior and policy violations.

J

JSON Web Token (JWT) A compact, URL-safe means of representing claims to be transferred between two parties, commonly used for authentication and session tokens. A JWT is only as trustworthy as the signature check that verifies it: verifiers must pin the expected algorithm and reject unsigned ("alg": "none") tokens.

JSON Hijacking An attack that reads JSON responses intended for an authenticated user by loading them from an attacker-controlled page (historically by including the response as a script); modern browsers block most variants, but sensitive JSON should still be served with a strict content type and never as executable script.

Just in Time (JIT) Access An access-control practice that grants temporary, time-limited privileges only when they are needed, rather than standing access, reducing the attack surface of compromised accounts.

K

Key Management The administration of cryptographic keys throughout their lifecycle, including generation, distribution, storage, rotation, and destruction.

L

Least Privilege A security principle where users and systems are granted the minimum levels of access necessary to perform their functions.

Log Management The collection, analysis, and storage of system logs to detect security incidents and maintain audit trails.

M

Malware Malicious software designed to damage, disrupt, or gain unauthorized access to computer systems, including viruses, worms, and ransomware.

Multi-Factor Authentication (MFA) A security method requiring users to provide two or more verification factors to gain access to resources.

N

Network Security The practice of protecting computer networks from intrusions, attacks, and unauthorized access through various security measures.

O

OAuth An open standard for delegated authorization in which a user allows a client application to act on their behalf against a resource server using scoped, token-based access. OAuth 2.0 is an authorization framework rather than an authentication protocol; OpenID Connect builds on it to provide authentication.

Open Source Security Security practices and considerations for using, contributing to, and managing open-source software components.

OWASP The Open Worldwide Application Security Project (formerly the Open Web Application Security Project), a nonprofit organization focused on improving software security through tools, standards, and education.

OWASP Top 10 A regularly updated list of the most critical web application security risks, serving as a baseline for application security.

P

Patch Management The process of identifying, acquiring, testing, and installing updates to fix security vulnerabilities and bugs in software.

Penetration Testing Authorized simulated attacks on systems to identify security vulnerabilities and assess the effectiveness of security controls.

Product Security Incident Response Team (PSIRT) A dedicated team responsible for coordinating the response to security vulnerabilities discovered in products.

Principle of Least Privilege A security concept where access rights are limited to the minimum permissions necessary for users to perform their job functions.

Q

Quality Assurance (QA) Security Integration of security testing and validation into quality assurance processes to ensure products meet security standards.

R

Red Team A group that simulates real-world attacks to test an organization’s security defenses and incident response capabilities.

Risk Assessment The systematic process of identifying, analyzing, and evaluating security risks to determine their potential impact and likelihood.

Runtime Application Self-Protection (RASP) Security technology that integrates into applications to detect and block attacks in real-time.

S

Secure Code Review The process of auditing source code to identify security vulnerabilities and ensure adherence to secure coding practices.

Secure Development Lifecycle (SDL, often called a secure SDLC) A software development methodology that integrates security considerations into every phase of development, from requirements and design through testing and release.

Security by Design The approach of building security considerations into products from the initial design phase rather than adding them later.

Security Configuration Management The practice of maintaining secure configurations across systems and applications to prevent security vulnerabilities.

Security Information and Event Management (SIEM) Technology that provides real-time analysis of security alerts generated by network hardware and applications.

Security Orchestration, Automation and Response (SOAR) Platforms that collect alerts and threat data from security tools and run automated or analyst-driven playbooks to triage, enrich, and respond to security events.

SQL Injection A code injection technique in which untrusted input is concatenated into an SQL statement, letting an attacker change the query's logic to bypass checks, read or modify data, or run additional statements; prevented by parameterized queries (bound variables) rather than input escaping alone.
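The vulnerable and the hardened form of the same login query side by side, as an added example that is not from the original page. It uses Python's standard sqlite3 module with an in-memory database and a single constructed user row; the password hashing is a stand-in for illustration only (real systems use a salted, slow KDF such as argon2 or bcrypt).

```python
import hashlib
import re
import sqlite3


def hash_password(password: str) -> str:
    # Demo-only stand-in: unsalted SHA-256. Not a real password store.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory users table holding one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", hash_password("correct-horse")))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Deliberately vulnerable: the username is spliced into the SQL text.

    With username = "alice' --" the statement becomes
        SELECT 1 FROM users WHERE username = 'alice' --' AND password_hash = '...'
    and everything after -- is a comment, so the password check disappears.
    """
    query = (
        f"SELECT 1 FROM users WHERE username = '{username}' "
        f"AND password_hash = '{hash_password(password)}'"
    )
    return conn.execute(query).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized query: input is bound as a value and can never become SQL syntax."""
    query = "SELECT 1 FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, hash_password(password))).fetchone() is not None


_USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")


def is_valid_username(username: str) -> bool:
    """Allow-list input validation: defense in depth, not a substitute for parameterization."""
    return bool(_USERNAME_RE.fullmatch(username))


if __name__ == "__main__":
    conn = make_db()
    for payload in ("alice' --", "' OR 1=1 --"):
        print(f"{payload!r:16} vulnerable={login_vulnerable(conn, payload, 'wrong')} "
              f"hardened={login_hardened(conn, payload, 'wrong')} "
              f"valid_username={is_valid_username(payload)}")
```

Escaping quotes by hand is a common but fragile substitute: it has to be done correctly for every database dialect and every call site, whereas a bound parameter is transmitted separately from the statement and can never change its structure. sqlite3 in particular also refuses to execute more than one statement per call, so stacked queries (`'; DROP TABLE users; --`) fail here, but other drivers allow them.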

Static Application Security Testing (SAST) Analysis of source code to identify security vulnerabilities without executing the program.

Supply Chain Security Protection of the end-to-end process of creating and distributing products, including all vendors, suppliers, and dependencies.

T

Threat Intelligence Information about current and potential security threats, including indicators of compromise and attack patterns.

Threat Modeling A structured approach to identifying potential security threats and vulnerabilities in a system or application design.

Two-Factor Authentication (2FA) A security process requiring users to provide two different authentication factors to verify their identity.

U

User Authentication The process of verifying the identity of users attempting to access systems or applications.

User Authorization The process of determining what actions and resources an authenticated user is permitted to access.

V

Vulnerability A security flaw or weakness in a system that could be exploited by threats to gain unauthorized access or cause harm.

Vulnerability Assessment The systematic review of security weaknesses in an information system to determine exposure to threats.

Vulnerability Management The ongoing process of identifying, classifying, prioritizing, and resolving security vulnerabilities.

Vulnerability Scanner Automated tools that identify security vulnerabilities in systems, applications, and network configurations.

W

Web Application Firewall (WAF) A security solution that filters, monitors, and blocks HTTP traffic to and from web applications.

Web Application Security Specialized security practices focused on protecting web-based applications from various attack vectors and vulnerabilities.

X

XML External Entity (XXE) An attack against applications whose XML parser is configured to resolve external entities in untrusted input, potentially leading to disclosure of local files, server-side request forgery, or denial of service; mitigated by disabling DTD and external entity processing in the parser.

Y

YAML Security Security considerations and best practices for YAML configuration files, including injection prevention and secure parsing, in particular using a safe loader so that untrusted YAML cannot instantiate arbitrary objects during deserialization.

Z

Zero-Day Vulnerability A security vulnerability that is unknown to the vendor, or known but not yet patched, at the time attackers begin exploiting it, leaving defenders with no available fix.

Zero Trust A security model that grants no implicit trust based on network location or prior authentication; every access request is authenticated, authorized, and continuously evaluated against policy, regardless of where the user or device sits.

This glossary is designed to help product teams, developers, security professionals, and stakeholders understand essential product security terminology. For the most current definitions and emerging terms, consult industry standards organizations and security frameworks.