This comprehensive glossary provides clear definitions and explanations of essential terms used in product security, from vulnerability assessments to threat modeling. Whether you're a security professional, developer, or product manager, these definitions will help you navigate complex security concepts and communicate effectively with your team.
The practice of protecting Application Programming Interfaces (APIs) from attacks and ensuring they handle data securely. Includes authentication, authorization, rate limiting, and input validation.
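Rate limiting is the one control in that list that is easy to get wrong in a way that is invisible until abuse starts. The following is an added example, not code from the original page: a per-client token-bucket limiter with an injected clock so the behaviour can be replayed deterministically. The client identifiers, bucket sizes and request timestamps are constructed for illustration.

```python
"""Per-client token-bucket rate limiting, one of the API-security controls
named above. Added example, not from the original page; the request
timestamps and client identifiers below are constructed for illustration.
"""
from typing import Callable, Dict, List, Tuple


class TokenBucket:
    """Allows bursts up to `capacity` and a sustained `refill_per_sec` rate."""

    def __init__(self, capacity: float, refill_per_sec: float, now: float):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = capacity      # a new client starts with a full bucket
        self.last = now

    def try_consume(self, now: float, cost: float = 1.0) -> bool:
        elapsed = max(0.0, now - self.last)   # clamp: never refund tokens on clock skew
        self.last = now
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class RateLimiter:
    """One bucket per client key (API key, user id or source address).
    The clock is injected so the limiter can be tested deterministically."""

    def __init__(self, capacity: float, refill_per_sec: float,
                 clock: Callable[[], float]):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.clock = clock
        self.buckets: Dict[str, TokenBucket] = {}

    def allow(self, client: str) -> bool:
        now = self.clock()
        bucket = self.buckets.get(client)
        if bucket is None:
            bucket = self.buckets[client] = TokenBucket(self.capacity, self.refill_per_sec, now)
        return bucket.try_consume(now)


def replay(requests: List[Tuple[float, str]], capacity: float = 5,
           refill_per_sec: float = 1.0) -> Dict[str, Tuple[int, int]]:
    """Replay time-ordered (timestamp, client) pairs through the limiter and
    return per-client (allowed, rejected) counts."""
    current = {"t": 0.0}
    limiter = RateLimiter(capacity, refill_per_sec, lambda: current["t"])
    counts: Dict[str, Tuple[int, int]] = {}
    for t, client in requests:
        current["t"] = t
        allowed, rejected = counts.get(client, (0, 0))
        if limiter.allow(client):
            counts[client] = (allowed + 1, rejected)
        else:
            counts[client] = (allowed, rejected + 1)
    return counts


# Constructed traffic: one client bursts, pauses three seconds, bursts again;
# a second client sends two requests and is unaffected by the first one's bucket.
SAMPLE = [(0.0, "key-alice")] * 8 + [(0.0, "key-bob")] * 2 + [(3.0, "key-alice")] * 4

if __name__ == "__main__":
    print(replay(SAMPLE))   # {'key-alice': (8, 4), 'key-bob': (2, 0)}
```

Keying the bucket on an authenticated identity (API key or user id) rather than only on source IP matters: a single attacker behind many addresses is still one key, and many legitimate users behind one NAT are not penalised together.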
The process of making applications more secure by finding, fixing, and preventing security vulnerabilities during the development and deployment phases.
Automated and manual testing methods to identify security vulnerabilities in applications, including SAST, DAST, and IAST approaches.
The sum of all possible entry points where an unauthorized user can attempt to exploit vulnerabilities in a product or system.
A specific path or method used by attackers to gain unauthorized access to a system or exploit a vulnerability.
The use of tools and scripts to automatically identify security vulnerabilities without manual intervention, typically integrated into CI/CD pipelines.
The defensive security team responsible for protecting systems and detecting attacks, often contrasted with red teams who simulate attacks.
A crowd-sourced security testing approach where organizations offer rewards to external researchers who discover and report security vulnerabilities.
Security flaws that arise from errors in the design and implementation of business rules and workflows, rather than technical coding errors.
The systematic examination of source code to identify security vulnerabilities, bugs, and adherence to secure coding standards.
A standardized method for rating the severity of security vulnerabilities on a scale from 0.0 to 10.0. The base score is computed from exploitability metrics (attack vector, attack complexity, privileges required, user interaction), scope, and the impact on confidentiality, integrity and availability; temporal and environmental metrics can then adjust it for a specific deployment.
A publicly accessible database of known security vulnerabilities identified by unique identifiers.
Adherence to regulatory requirements, industry standards, and organizational policies related to security and privacy.
Security practices and tools specifically designed to protect containerized applications and their runtime environments.
The integration of security practices throughout the entire development lifecycle, ensuring ongoing protection rather than point-in-time assessments.
An attack in which a malicious site causes a victim's browser to send a state-changing request to an application where the victim is already authenticated. Because the browser attaches session cookies automatically, the application cannot distinguish the forged request from a legitimate one without an additional check such as an anti-CSRF token, an Origin or Referer check, or SameSite cookie attributes.
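Two of the checks named above, a session-bound synchronizer token and an Origin check, as an added example that is not code from the original page. The request and session dictionaries, the allowed origin and the server secret are constructed for illustration; the token is derived from the session id with HMAC so it cannot be replayed against a different session.

```python
"""CSRF defence: per-session synchronizer token plus Origin/Referer check.

Added example, not from the original page. The request/session
dictionaries, secret and host names are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Tuple

SERVER_SECRET = secrets.token_bytes(32)          # constructed; load from a secret store in production
ALLOWED_ORIGINS = {"https://app.example.test"}   # constructed hostname


def csrf_token_for(session_id: str) -> str:
    """Derive the token from the session id (stateless synchronizer-token
    pattern): no server-side storage, and the token is useless for other sessions."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def is_state_changing(method: str) -> bool:
    return method.upper() not in ("GET", "HEAD", "OPTIONS")


def verify_request(request: dict, session_id: str) -> Tuple[bool, str]:
    """Return (accepted, reason). `request` has keys method, headers, form."""
    if not is_state_changing(request["method"]):
        return True, "safe method"
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    # 1. Origin check: a cross-site form post carries the attacker's origin
    #    (or a Referer on that origin), which the victim's page never would.
    origin = headers.get("origin") or headers.get("referer", "")
    if not any(origin == o or origin.startswith(o + "/") for o in ALLOWED_ORIGINS):
        return False, "origin not allowed"
    # 2. Token check: the attacker's page cannot read the token out of the
    #    victim's page, so a forged request cannot supply it.
    expected = csrf_token_for(session_id)
    supplied = request.get("form", {}).get("csrf_token", "")
    if not hmac.compare_digest(expected, supplied):
        return False, "bad csrf token"
    return True, "ok"


if __name__ == "__main__":
    sid = "sess-123"   # constructed session id
    forged = {"method": "POST", "headers": {"Origin": "https://evil.example.test"},
              "form": {"amount": "1000"}}
    print(verify_request(forged, sid))   # (False, 'origin not allowed')
```

The two checks are deliberately independent: the Origin check defends against browsers that send the header, the token defends when it is absent or stripped, and setting the session cookie with SameSite=Lax or Strict adds a third layer that costs nothing.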
A vulnerability that lets attackers inject script into pages served by a web application, so that it executes in other users' browsers with the application's origin and can read session data or act as the user. It arises when untrusted input is placed into HTML, attributes or JavaScript without output encoding appropriate to that context.
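Context-appropriate encoding is the fix, and the same input needs different encoders in different places. The following is an added example, not code from the original page: a server-side template that concatenates a query parameter into an attribute and the page body, its encoded counterpart, and a JSON-in-script case where HTML escaping would be the wrong tool. The page fragments and attacker payload are constructed for illustration.

```python
"""Reflected XSS: vulnerable string concatenation versus context-aware encoding.

Added example, not from the original page. The page template and the
payload below are constructed for illustration.
"""
import html
import json

PAYLOAD = '"><script>alert(document.cookie)</script>'   # constructed attacker input


def render_vulnerable(query: str) -> str:
    # Untrusted input lands in both an attribute and the body, unencoded:
    # the leading '">' closes the attribute and the tag, then a script follows.
    return (f'<input name="q" value="{query}">'
            f"<p>Results for {query}</p>")


def render_safe(query: str) -> str:
    # html.escape with quote=True encodes & < > " and ' so the input can
    # neither terminate the quoted attribute nor open a new tag.
    q = html.escape(query, quote=True)
    return (f'<input name="q" value="{q}">'
            f"<p>Results for {q}</p>")


def render_into_script(data: dict) -> str:
    # JavaScript context: HTML-escaping would corrupt the data. Serialize with
    # json.dumps and replace "<" so a value containing "</script>" cannot end
    # the script block early; \u003c is still "<" to the JS parser.
    js = json.dumps(data).replace("<", "\\u003c")
    return f"<script>var state = {js};</script>"


def contains_script_tag(markup: str) -> bool:
    return "<script>" in markup.lower()


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))
    print(render_safe(PAYLOAD))
    print(render_into_script({"q": "</script><script>alert(1)</script>"}))
```

Encoding at output time, per context, is what a templating engine with autoescaping does for you; the manual version above shows what it must do and why a single "sanitize on input" pass cannot cover attribute, body and script contexts at once.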
Technologies and processes designed to detect and prevent unauthorized transmission of sensitive data outside an organization.
The practice of tracking, updating, and securing third-party libraries and components used in product development.
The integration of security practices into DevOps workflows, emphasizing security as a shared responsibility throughout development.
Security testing performed on running applications to identify vulnerabilities that manifest during execution.
The process of converting data into a coded format to prevent unauthorized access, using algorithms and keys to protect information.
Protection of devices (computers, mobile devices, servers) that connect to a network from security threats.
A piece of code or technique that takes advantage of a security vulnerability to gain unauthorized access or cause harm.
A scenario where a security system fails to detect and alert a malicious or problematic activity, leading to hidden issues.
A security alert that incorrectly identifies benign activity as malicious or problematic, leading to unnecessary investigation.
An automated testing technique that provides invalid, unexpected, or random data to applications to discover security vulnerabilities.
Security features and practices for protecting source code repositories, including secret scanning, dependency analysis, and access controls.
Automated security controls and policies built into development workflows and CI/CD pipelines to prevent security issues from reaching production while allowing developers to work efficiently.
Framework for managing security governance, risk assessment, and regulatory compliance across product development and operations.
Security testing approach that combines elements of both black box and white box testing, where testers have limited knowledge of the system's internal workings.
The process of securing a system by reducing its attack surface through configuration changes, removing unnecessary services, and applying security controls.
Decoy system designed to attract and detect attackers while gathering intelligence about attack methods.
Attack technique in which unsanitized user input is written into an HTTP response header; carriage-return and line-feed characters in the input terminate the header and let the attacker add further headers (for example a Set-Cookie or Location) or, in the worst case, a second response body (response splitting).
Unauthorized takeover of sessions, connections, or communications (e.g., session hijacking, DNS hijacking).
Systems and processes for managing user identities and controlling access to resources based on user roles and permissions.
The organized approach to addressing and managing security breaches or attacks to limit damage and reduce recovery time.
Security practices for protecting automated infrastructure provisioning and configuration scripts from vulnerabilities.
The process of ensuring that data received by an application is properly formatted, within expected parameters, and safe to process.
Security testing that monitors applications during runtime using instrumented code to identify vulnerabilities.
A security tool that monitors network or system activities for malicious behavior and policy violations.
A compact, URL-safe token format for transferring claims between two parties as a base64url-encoded header, payload and signature (or as an encrypted payload); commonly used to carry identity and authorization claims. A verifier must check the signature using an algorithm it chooses itself, never one read from the token header, and must enforce expiry.
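The verifier-side checks just mentioned, written out without a library so each one is visible. This is an added example, not code from the original page: it mints an HS256 token, then verifies it while rejecting the classic failure modes (alg "none", algorithm taken from the header, tampered payload, wrong key, missing or past exp). The secret, claims and timestamps are constructed for illustration.

```python
"""Minting and verifying an HS256 JWT by hand, showing the checks a verifier
must make. Added example, not from the original page; the secret, claims and
timestamps are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-secret-do-not-reuse"   # constructed


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    if alg == "none":   # only here to build the attack token used in the demo
        return signing_input + "."
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Return the claims if valid, else raise ValueError. The expected algorithm
    is fixed by the verifier and never taken from the token header."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
    except ValueError:          # wrong part count, bad base64, bad UTF-8, bad JSON
        raise ValueError("malformed token")
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")      # rejects "none" and RS256/HS256 confusion
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")       # also catches any payload tampering
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, int) or now >= exp:
        raise ValueError("expired or missing exp")
    return claims


def check(token: str, secret: bytes, now: int) -> str:
    """Convenience wrapper: 'ok' or the rejection reason."""
    try:
        verify(token, secret, now=now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    tok = mint({"sub": "alice", "exp": 1700000000}, SECRET)
    print(check(tok, SECRET, now=1699999000))                                  # ok
    print(check(mint({"sub": "alice", "exp": 1700000000}, SECRET, alg="none"), SECRET, 1699999000))  # unexpected alg
```

Signature verification runs before any claim is trusted, including exp: an expired-but-unsigned token must fail on the signature, not merely on expiry, or the error message itself leaks which check an attacker has already passed.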
A largely historical attack in which a JSON response to a cookie-authenticated GET request is loaded cross-site through a script tag so the attacker's page can read the returned data. Mitigations are to require CSRF protection or a non-GET method for sensitive JSON endpoints, to prefix responses so they are not valid JavaScript, and the browser fixes that closed the original techniques.
A security principle that provides temporary, time-limited access to resources only when needed, reducing the attack surface.
The administration of cryptographic keys throughout their lifecycle, including generation, distribution, storage, rotation, and destruction.
A security principle where users and systems are granted the minimum levels of access necessary to perform their functions.
The collection, analysis, and storage of system logs to detect security incidents and maintain audit trails.
Malicious software designed to damage, disrupt, or gain unauthorized access to computer systems, including viruses, worms, and ransomware.
A security method requiring users to provide two or more verification factors to gain access to resources.
The practice of protecting computer networks from intrusions, attacks, and unauthorized access through various security measures.
An open standard for delegated authorization in which a user grants a client application scoped, token-based access to resources without sharing credentials. It defines authorization rather than authentication; signing users in on top of it is the job of OpenID Connect.
Security practices and considerations for using, contributing to, and managing open-source software components.
The Open Worldwide Application Security Project (formerly the Open Web Application Security Project), a nonprofit organization focused on improving software security through tools, standards, and education.
A regularly updated list of the most critical web application security risks, serving as a baseline for application security.
The process of identifying, acquiring, testing, and installing updates to fix security vulnerabilities and bugs in software.
Authorized simulated attacks on systems to identify security vulnerabilities and assess the effectiveness of security controls.
A dedicated team responsible for coordinating the response to security vulnerabilities discovered in products.
A security concept where access rights are limited to the minimum permissions necessary for users to perform their job functions.
Integration of security testing and validation into quality assurance processes to ensure products meet security standards.
A group that simulates real-world attacks to test an organization's security defenses and incident response capabilities.
The systematic process of identifying, analyzing, and evaluating security risks to determine their potential impact and likelihood.
Security technology that integrates into applications to detect and block attacks in real-time.
The process of auditing source code to identify security vulnerabilities and ensure adherence to secure coding practices.
A software development methodology that integrates security considerations into every phase of development.
The approach of building security considerations into products from the initial design phase rather than adding them later.
The practice of maintaining secure configurations across systems and applications to prevent security vulnerabilities.
Technology that collects and correlates logs and security events from network hardware, hosts, and applications to provide real-time alerting, search, and retention for investigation and audit.
Platforms that enable organizations to collect security threat data and respond to security events.
A code injection technique where malicious SQL statements are inserted into application entry points to attack data-driven applications.
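The mechanism and the fix side by side, as an added example that is not code from the original page. It runs against an in-memory SQLite database, so it is safe to execute anywhere; the table, rows and attack strings are constructed for illustration. It also covers the case parameter binding cannot handle, a user-chosen column name, which needs an allowlist instead.

```python
"""SQL injection: string-built query versus parameterized query, on an
in-memory SQLite database. Added example, not from the original page; the
table, rows and attack strings are constructed for illustration.
"""
import sqlite3
from typing import List

ALLOWED_SORT_COLUMNS = {"username", "id"}   # identifiers cannot be bound as parameters


def setup() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password_hash TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, is_admin) VALUES (?, ?, ?)",
        [("alice", "hash_of_alice", 1), ("bob", "hash_of_bob", 0)],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    # Attacker-controlled text is spliced into the statement: a quote in the
    # input ends the string literal and everything after it is parsed as SQL.
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    # The value travels separately from the statement and is never parsed as SQL,
    # so the same payload is just an odd username that matches nothing.
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def list_users_sorted(conn: sqlite3.Connection, column: str) -> List[str]:
    # Column names cannot be parameterized; validate against an allowlist and
    # only then interpolate.
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    return [row[0] for row in conn.execute(f"SELECT username FROM users ORDER BY {column}")]


# Constructed attack strings.
TAUTOLOGY = "' OR '1'='1"                                                  # returns every row
UNION_DUMP = "x' UNION SELECT password_hash FROM users WHERE '1'='1"       # exfiltrates another column

if __name__ == "__main__":
    conn = setup()
    print(find_user_vulnerable(conn, TAUTOLOGY))   # ['alice', 'bob']
    print(find_user_safe(conn, TAUTOLOGY))         # []
    print(find_user_vulnerable(conn, UNION_DUMP))  # password hashes
```

The UNION payload is the one to remember when triaging: a tautology only widens a result set, while UNION turns any injectable SELECT into a read of arbitrary tables the database user can see.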
Analysis of source code to identify security vulnerabilities without executing the program.
Protection of the end-to-end process of creating and distributing products, including all vendors, suppliers, and dependencies.
Information about current and potential security threats, including indicators of compromise and attack patterns.
A structured approach to identifying potential security threats and vulnerabilities in a system or application design.
A security process requiring users to provide two different authentication factors (for example a password plus a one-time code or a hardware key) to verify their identity; a specific case of multi-factor authentication.
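The one-time code used as the second factor in both the multi-factor and two-factor entries above is usually a time-based one-time password. The following is an added example, not code from the original page: RFC 4226 HOTP and RFC 6238 TOTP generation, plus a verifier that tolerates one step of clock drift and refuses replayed codes. The shared secret is the ASCII test-vector secret from RFC 6238; the window size and replay bookkeeping are assumptions for illustration.

```python
"""Time-based one-time passwords (RFC 6238 TOTP over RFC 4226 HOTP), the
"something you have" factor in many two-factor and multi-factor setups.
Added example, not from the original page; the shared secret below is the
RFC 6238 test-vector secret, and the verification window and replay state
are assumptions for illustration.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

RFC6238_SECRET = b"12345678901234567890"   # ASCII secret used by the RFC 6238 test vectors


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(for_time) // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, now: float, last_counter: Optional[int] = None,
                window: int = 1, step: int = 30, digits: int = 6) -> Optional[int]:
    """Accept a code from the current step or `window` steps either side (clock
    drift), reject any counter at or below `last_counter` (replay of an
    already-used code), and return the accepted counter so the caller can
    persist it as the new `last_counter`. None means rejected."""
    current = int(now) // step
    for counter in range(current - window, current + window + 1):
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    print(totp(RFC6238_SECRET, 59, digits=8))     # 94287082, matches RFC 6238 Appendix B
    print(totp(RFC6238_SECRET, time.time()))      # current 6-digit code for this secret
```

Storing the last accepted counter per user is what turns a correct TOTP check into a usable second factor: without it a code shoulder-surfed or phished within its 30-second window is accepted a second time.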
The process of verifying the identity of users attempting to access systems or applications.
The process of determining what actions and resources an authenticated user is permitted to access.
A security flaw or weakness in a system that could be exploited by threats to gain unauthorized access or cause harm.
The systematic review of security weaknesses in an information system to determine exposure to threats.
The ongoing process of identifying, classifying, prioritizing, and resolving security vulnerabilities.
Automated tools that identify security vulnerabilities in systems, applications, and network configurations.
A security solution that filters, monitors, and blocks HTTP traffic to and from web applications.
Specialized security practices focused on protecting web-based applications from various attack vectors and vulnerabilities.
An attack that targets applications that parse XML input, potentially leading to disclosure of confidential data or server-side request forgery.
Security considerations and best practices for YAML configuration files, including injection prevention and secure parsing.
A security vulnerability that is being exploited or is publicly known before the vendor has a patch available (the vendor has had "zero days" to fix it), leaving systems exposed until a fix or a mitigation such as a configuration change or compensating control is in place.
A security model that assumes no implicit trust and continuously validates every transaction and access request, regardless of location or user credentials.
This glossary is designed to help product teams, developers, security professionals, and stakeholders understand essential product security terminology. For the most current definitions and emerging terms, consult industry standards organizations and security frameworks.