Glossary of Terms


Agile Development— An alternative to traditional software development methodology that helps teams respond to unpredictability with cyclical, incremental, and iterative work cadences. Compare with Waterfall Model.

Application Programming Interface (API)— A defined set of calls, data formats, and conventions through which one application or module can use the functionality of another.

Application Security (AppSec)— The use of technology, processes, and people to protect software. This includes improving the quality of the software, training developers, and tools to test for vulnerabilities.

Application Security Testing — Tests performed on a software application to identify potential vulnerabilities or other risks; includes Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST), and Interactive Application Security Testing (IAST), among others.

Arithmetic errors – A programming error in which a calculation produces a result outside the range that a given register or variable can represent, for example an integer that silently wraps around to a small value. A wrapped length or size computation is a common root cause of buffer overflows, because the buffer allocated from the wrong number is too small for the data that is then copied into it.
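The following C example, added here and not part of the original glossary, shows the wraparound described above and the checked arithmetic that prevents it. The message layout (a header length plus a body length) is a constructed example; `__builtin_mul_overflow` is a GCC/Clang builtin.

```c
#include <stdint.h>
#include <stddef.h>

/* Naive length computation: a 32-bit add silently wraps, so a huge
   attacker-supplied body length produces a total SMALLER than the header.
   A buffer allocated from this total is far too small for the copy that
   follows, which is how an arithmetic error becomes a buffer overflow. */
uint32_t total_len_naive(uint32_t header_len, uint32_t body_len)
{
    return header_len + body_len;
}

/* Checked version: refuse instead of wrapping. Returns 0 and stores the sum
   in *out on success, -1 if the sum does not fit in 32 bits. The comparison
   is rearranged so that it cannot itself overflow. */
int total_len_checked(uint32_t header_len, uint32_t body_len, uint32_t *out)
{
    if (body_len > UINT32_MAX - header_len)
        return -1;
    *out = header_len + body_len;
    return 0;
}

/* Element count times element size is the other classic case (a short
   malloc followed by a long loop). The builtin reports overflow for any
   integer type without the caller having to derive the bound by hand. */
int array_bytes(size_t count, size_t elem_size, size_t *out)
{
    if (__builtin_mul_overflow(count, elem_size, out))
        return -1;
    return 0;
}

/* What a parser should do with the checked result: treat a message whose
   lengths do not add up as malformed rather than allocating something. */
size_t alloc_size_for(uint32_t header_len, uint32_t body_len, int *ok)
{
    uint32_t total;
    if (total_len_checked(header_len, body_len, &total) != 0) {
        *ok = 0;   /* caller must reject the message */
        return 0;
    }
    *ok = 1;
    return (size_t)total;
}
```

With a 16-byte header and a body length of `UINT32_MAX`, the naive sum is 15; the checked functions return -1 and the caller never allocates.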

Array overruns – Reading or writing past the last element of an array, typically through an index derived from input that was never checked against the array's size. A form of buffer overrun; see Buffer Overflow.

Attack Surface— The set of points (network services, APIs, input fields, file formats, interfaces) at which an attacker can interact with a system and which may therefore be attacked and potentially penetrated. Reducing the attack surface means removing or restricting such entry points. See threat surface.

Attack Vector— A pathway or method through which an attacker can reach and exploit a vulnerability, such as a malicious email attachment, a crafted network request, or a compromised dependency.

Automotive Safety Integrity Level (ASIL) -- A risk classification scheme (levels ASIL A, the lowest, through ASIL D, the highest) used by the automotive industry and defined by the ISO 26262 standard, Road Vehicles – Functional Safety.


Backdoor— A hidden means, built into code or a system, of bypassing the established authentication or security process to obtain access to a network or asset.

Binary Code – This is code that has been compiled into a binary format so that a computer can read and execute it. Not human readable.  Compare with Source Code.

Bill of Materials (BOM) -- For software (a software bill of materials), a list of the components, including third-party and open source code, contained in a software package or firmware image. It is what makes it possible to tell which shipped products contain a component when a vulnerability in that component is disclosed.

Black Box— A reference to analysis or testing with little or no prior knowledge of the target system.  Compare with White Box.

Black Hat— A hacker who attempts, without authorization and usually with malicious intent, to gain access to a computer, computer network, or data asset. Compare with White Hat.

Buffer Overflow / Buffer Overrun— A programming error in which more data is written to (or read from) an area of memory than was allotted to it, so that adjacent memory is overwritten. With carefully crafted input an attacker can corrupt existing data, alter the program's control flow, or execute new code. The programming languages C and C++ provide no native protection against accessing or overwriting data in any part of memory and are most susceptible. Explicit bounds checking on every copy into a fixed-size buffer prevents the overflow.
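The example below, added to this glossary and not taken from the original page, puts the unsafe copy beside the bounded one and covers the Array overruns entry as well. The 16-byte name buffer, the table, and the 32-character attack string are constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_MAX_LEN 16

/* Vulnerable: strcpy stops at the source's NUL terminator, not at the end
   of the destination. A name longer than 15 characters overwrites whatever
   follows `name` in memory (on the stack: saved registers and the return
   address), which is the classic stack-smashing vector. */
void set_name_unsafe(char *name, const char *input)
{
    strcpy(name, input);
}

/* Hardened: measure against the buffer before copying and refuse input that
   does not fit, rather than truncating silently. Returns 0 on success, -1 if
   the input would overflow; dst is left unchanged on failure. */
int set_name_bounded(char *dst, size_t dst_size, const char *input)
{
    size_t len = strnlen(input, dst_size);   /* never scans past dst_size */
    if (len >= dst_size)                     /* no room for the terminator */
        return -1;
    memcpy(dst, input, len);
    dst[len] = '\0';
    return 0;
}

/* Array overrun, the same defect with an index instead of a string: every
   index derived from input is checked against the array length. Returns the
   element, or -1 for an out-of-range index. */
int lookup_bounded(const int *table, size_t n, size_t index)
{
    if (index >= n)
        return -1;
    return table[index];
}

int main(void)
{
    char name[NAME_MAX_LEN];
    int table[4] = {10, 20, 30, 40};
    /* Constructed oversize input: 32 'A's, twice the buffer. */
    const char *attack = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    printf("bounded copy of 32-byte input: %d (rejected)\n",
           set_name_bounded(name, sizeof name, attack));
    printf("bounded copy of \"alice\": %d -> %s\n",
           set_name_bounded(name, sizeof name, "alice"), name);
    printf("table[7]: %d (out of bounds, rejected)\n",
           lookup_bounded(table, 4, 7));
    /* set_name_unsafe(name, attack) would smash the stack; deliberately not called. */
    return 0;
}
```

The boundary case matters: a 16-character name into a 16-byte buffer is also rejected, because the terminator would land one byte past the end.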

Bug— A software problem or defect in code at the implementation level.  Compare with Flaw.


CAN Bus – An automotive serial bus standard (Controller Area Network) that allows microcontrollers and devices such as ECUs to communicate with each other without a host computer. CAN has no built-in message authentication, so any node on the bus can transmit any message.

Container Security – The protection of containers, which provide an isolated, discrete, and separate environment for an application in Cloud Computing. Containers hold only what is necessary to run the given app, hence the nickname JeOS, or "Just enough OS"; securing them covers the components inside the image as well as what the running container is allowed to reach.

Cloud Computing— A pool of shared configurable resources such as networks, storage appliances, software applications, and services.

Code Coverage: The proportion of the source code exercised by a specific test suite. High code coverage exercises more of the code than low code coverage; code that the tests never execute has not been tested at all.

Code decay – A process by which an application gradually deteriorates over time as a result of its individual components becoming more and more vulnerable, for example as new vulnerabilities are disclosed against third-party components that are never updated.

Component – An individual item in a Bill of Materials report.

Concurrency bugs – Errors that arise when several computations execute simultaneously and interact in ways the programmer did not intend, such as race conditions (the result depends on timing) and deadlocks (each waits on the other forever).

Continuous Integration/Continuous Delivery (CI/CD)— The practice of merging all developer working copies of code into a shared mainline several times a day, with each merge automatically built and tested (continuous integration), so that the application can be released into production quickly and at any time (continuous delivery).

Cross-Site Scripting (XSS)— An attack on a web application in which malicious script is injected into a trusted application or website, usually through unescaped user input, and then executes in the browsers of other users who view the page.
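The example below, added here and not part of the original glossary, shows the defect behind reflected XSS and the output encoding that removes it: a greeting template that interpolates a user-supplied name directly, beside one that escapes the characters with meaning in HTML first. The template string and the `<script>` payload are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Template used by both paths. Returns 0 on success, -1 if the output buffer
   is too small. On its own this is the XSS defect: whatever `name` contains
   becomes part of the page's markup. */
static int render_template(char *out, size_t out_size, const char *name)
{
    int n = snprintf(out, out_size, "<p>Hello, %s</p>", name);
    return (n < 0 || (size_t)n >= out_size) ? -1 : 0;
}

/* Vulnerable: a name such as <script>alert(1)</script> is emitted verbatim
   and runs in every viewer's browser. */
int render_greeting_unsafe(char *out, size_t out_size, const char *name)
{
    return render_template(out, out_size, name);
}

/* Escape the five characters that can change meaning in HTML text and
   attribute context. Returns 0 on success, -1 if the output does not fit
   (the input is never truncated, since a half-escaped string is unsafe). */
int html_escape(char *out, size_t out_size, const char *in)
{
    size_t pos = 0;
    for (; *in; in++) {
        const char *rep;
        char one[2] = { *in, '\0' };
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#x27;"; break;
        default:   rep = one;      break;
        }
        size_t rl = strlen(rep);
        if (pos + rl >= out_size)   /* keep room for the terminator */
            return -1;
        memcpy(out + pos, rep, rl);
        pos += rl;
    }
    out[pos] = '\0';
    return 0;
}

/* Hardened: escape before interpolating, so the browser displays the input
   as text instead of parsing it as markup. */
int render_greeting_safe(char *out, size_t out_size, const char *name)
{
    char esc[512];
    if (html_escape(esc, sizeof esc, name) != 0)
        return -1;
    return render_template(out, out_size, esc);
}

int main(void)
{
    char page[256];
    const char *payload = "<script>alert(1)</script>";   /* constructed */
    render_greeting_unsafe(page, sizeof page, payload);
    printf("unsafe: %s\n", page);
    render_greeting_safe(page, sizeof page, payload);
    printf("safe:   %s\n", page);
    return 0;
}
```

Escaping is context-specific: this function is correct for HTML text and quoted attribute values, but output that lands inside a script block, a URL, or a CSS rule needs the encoding for that context instead.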

Common Vulnerabilities and Exposures (CVE): From the MITRE Corporation, a publicly available dictionary of common names for publicly known information security vulnerabilities. Each identifier has the form CVE-YYYY-NNNN, the year the identifier was assigned followed by a sequence number, for example CVE-2016-0345.

Common Weakness Enumeration (CWE): From the MITRE Corporation, a publicly available dictionary of common software coding weaknesses that may lead to vulnerabilities.

Cost -- The total cost of the impact to an organization as the result of a particular threat experienced by a vulnerable target. Part of the assessment equation Risk = Threat x Vulnerability x Cost.   Compare with Risk.

Cybersecurity— The protection of information systems, particularly software, from attack or damage.

Cyberthreat – A potential malicious attempt to damage or disrupt a computer system; the threat exists whether or not an attack actually takes place.


Data Breach / Data Leak— Unauthorized access to or exposure of sensitive information.

Dead Code – A programming term for code that can never be executed (unreachable code) or whose results are never used by any other computation. It wastes computation cycles and potentially memory, and because it is rarely tested it can hide defects that become live when the code is later reused.

Defect— A software problem. Not every defect causes harm, and not every defect can be exploited by an attacker. Bugs and flaws are both defects.

DevOps – A blend of "development" and "operations": the practice of integrating software developers and IT operations, with shared tooling and automation, so that software is built, tested, and released continuously.

Denial of Service (DoS)— An attack that makes a system or service unavailable to its legitimate users, for example by crashing the software or exhausting its memory, CPU, or network capacity.

Distributed Denial of Service (DDoS) – A coordinated disruption of legitimate access to a specific online service involving more than one compromised computer system often via a botnet.

Division by Zero – A programming error that occurs when a program attempts to divide by 0. In C and C++ integer division by zero is undefined behaviour and typically terminates the process with a hardware exception (SIGFPE on Unix systems), stopping code from executing. In Java integer division by zero throws an ArithmeticException, while floating-point division by zero yields infinity or NaN. A divisor derived from input must be checked before use.

Dynamic Analysis— A method of testing that involves executing the code and observing its behaviour at runtime. Compare with Static Analysis.

Dynamic Application Security Testing (DAST): Testing that can reveal a security vulnerability in an application in its running state.


Electronic Control Unit (ECU): An embedded system that controls one or more electrical systems or subsystems in a motor vehicle, often a specific function such as the brakes or the engine.

Electronic Design Automation (EDA) - Software tools for the design of electronic systems such as printed circuit boards and integrated circuits.

Encryption— The process of transforming plaintext (human readable) into indecipherable data (ciphertext) through use of an algorithm and a key.

Encryption Key— A string of bits used by an encryption algorithm to lock (encrypt) and unlock (decrypt) the contents of a message. With symmetric encryption the sender and receiver share the same key; with public-key encryption they hold different but related keys.

Exploit— Code, input, or a technique that takes advantage of a vulnerability to produce a security compromise; also the act of doing so.


Failure Mode and Effects Analysis (FMEA)— One of the first systematic techniques for failure analysis, used in the automotive industry to identify the ways in which a system can fail and the effects of each failure.

False Negative— A real vulnerability not found during security testing and therefore implying that the code is clean when it is not.

False Positive— A reported vulnerability that is not in fact a vulnerability.

Fault Injection: A technique for improving the coverage of a test by deliberately introducing faults (a failed allocation, an I/O error, a dropped packet) to exercise code paths, in particular error-handling code paths, that might otherwise rarely be followed.

File Transfer Protocol (FTP)— A network protocol that defines how to transfer files from one computer system to another. Plain FTP carries credentials and data without encryption.

Flaw – A software problem at the design or architecture level, as opposed to a coding mistake. Compare with Bug.

Free Open Source Software (FOSS) – Software whose source code is publicly available and may be freely used, modified, and redistributed. See Open Source Software.

Fuzz Testing – A software testing method in which large numbers of malformed, random, or mutated inputs are fed to a program in order to trigger a crash, a hang, or another unexpected result that reveals a defect.
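As an added illustration (not code from the original page), the C program below fuzzes a small record parser. The record format, the parser's off-by-one, and the canary check are all constructed for the example; a real campaign would use a fuzzer such as AFL or libFuzzer with AddressSanitizer, which detects the same out-of-bounds write without a hand-rolled canary.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum { PARSE_OK = 0, PARSE_MALFORMED = -1 };
#define OUT_SIZE 8
#define CANARY   0xA5

typedef int (*parser_fn)(const uint8_t *, size_t, uint8_t *, size_t);

/* Format under test: one length byte followed by that many payload bytes.
   The parser copies the payload into `out` and NUL-terminates it. This
   version has an off-by-one: a length equal to out_size passes the check,
   so the terminator lands one byte past the buffer. */
int parse_record_buggy(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_size)
{
    if (in_len < 1) return PARSE_MALFORMED;
    size_t len = in[0];
    if (1 + len > in_len) return PARSE_MALFORMED;   /* payload truncated */
    if (len > out_size) return PARSE_MALFORMED;     /* BUG: should be >= */
    memcpy(out, in + 1, len);
    out[len] = '\0';
    return PARSE_OK;
}

/* Fixed: leave room for the terminator. */
int parse_record_fixed(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_size)
{
    if (in_len < 1) return PARSE_MALFORMED;
    size_t len = in[0];
    if (1 + len > in_len) return PARSE_MALFORMED;
    if (len >= out_size) return PARSE_MALFORMED;
    memcpy(out, in + 1, len);
    out[len] = '\0';
    return PARSE_OK;
}

/* Small deterministic PRNG so that a finding can be reproduced. */
static uint32_t rng_state = 0x12345678u;
static uint32_t rng_next(void)
{
    rng_state = rng_state * 1664525u + 1013904223u;
    return rng_state >> 16;
}

/* Fuzz harness: generate `iterations` inputs, sweeping the length field
   through every value 0..15 (structure-aware) while randomising the payload,
   run the parser against a canary-guarded buffer, and count the iterations
   in which the parser clobbered the canary or returned an unexpected code. */
int fuzz_parser(parser_fn parse, int iterations)
{
    int findings = 0;
    uint8_t input[1 + 16];
    uint8_t guarded[OUT_SIZE + 1];

    for (int i = 0; i < iterations; i++) {
        input[0] = (uint8_t)(i % 16);                 /* length field */
        for (size_t k = 1; k < sizeof input; k++)
            input[k] = (uint8_t)rng_next();           /* random payload */
        memset(guarded, 0, OUT_SIZE);
        guarded[OUT_SIZE] = CANARY;

        int rc = parse(input, sizeof input, guarded, OUT_SIZE);
        if (guarded[OUT_SIZE] != CANARY || (rc != PARSE_OK && rc != PARSE_MALFORMED))
            findings++;
    }
    return findings;
}

int main(void)
{
    printf("buggy parser: %d findings in 160 runs\n", fuzz_parser(parse_record_buggy, 160));
    printf("fixed parser: %d findings in 160 runs\n", fuzz_parser(parse_record_fixed, 160));
    return 0;
}
```

Every run whose length byte is exactly 8 overwrites the canary in the buggy parser, so 160 iterations produce 10 findings; the fixed parser produces none. Sweeping the structured field rather than flipping random bits is what makes the harness reach the boundary quickly.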


GRC (governance, risk management, and compliance) – A common enterprise term. Governance is the direction established and executed by the board of directors (BOD) toward achieving specific goals; risk management addresses anything that may hinder the organization's ability to achieve its objectives; and compliance ensures that the company's policies and procedures, and the laws and regulations that apply to it, are followed so that strong and efficient governance contributes to the organization's overall success.


Hacker – Someone who takes something apart. Commonly, a computer hacker who attempts to deconstruct code or network traffic to learn more about it.  Compare with Black Hat and White Hat.


Injection Attack— An attack in which specially crafted input is interpreted by a downstream component as code or commands rather than as data, triggering an exploitation of a software or computer vulnerability. Most often found in SQL, LDAP, XPath, or NoSQL queries; OS commands; XML parsers; SMTP headers; and program arguments. Can be detected by fuzz testing and by taint analysis; prevented by keeping data separate from code (parameterised queries, allow-list validation, context-appropriate output encoding).

Integrated Development Environment (IDE) – A software application that provides comprehensive facilities such as a source code editor, build automation tools and a debugger for software development.

Infosec – A shortening of "information security" that is commonly used to describe all aspects of computer security.

Information Sharing and Analysis Organization (ISAO) – A group formed to gather, analyze, and disseminate critical cyber threat information, as outlined in Executive Order 13691 (2015). ISAOs differ from ISACs in that they are not tied directly to critical infrastructure sectors.

Interactive Application Security Testing (IAST): A testing methodology that combines Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) into an interactive process, using agents inside the running application to monitor its security behaviour while it is exercised.

Internet of Things (IoT)— Non-computer devices that possess software, computational resources, and also share data such as cars, sensors, appliances, etc.


Jailbreaking— The act of removing the protections that Apple puts in place on devices running iOS, allowing code outside the platform's controls to be downloaded and executed on the device. Compare with Rooting.

Java – A programming language that is concurrent, class-based, and object-oriented, compiled to bytecode that runs on the Java Virtual Machine.

JavaScript — A programming language that is object-oriented, cross-platform, and used in Web pages to execute client-side functions within a Web browser.


Malicious Code — Specially crafted code that is designed to cause undesirable effects in a software system.

Malware— Shortened combination of “malicious software.” See Malicious Code.

Man-in-the-Middle (MitM) Attack— An act of electronic eavesdropping where an attacker sits in the middle of an existing communication or acts as a relay between the victim and its target, possibly altering the contents of the communication.

Memory Leaks – A programming failure to release memory that is no longer needed, often on an error path that returns early. Over time the leaked memory accumulates, degrading performance and eventually exhausting memory, which an attacker can provoke deliberately as a denial of service.

Mitigation— The act of reducing the impact of a vulnerability discovered by security testing. Compare with Remediation.


National Institute of Standards and Technology (NIST)— A federal technology agency that is tasked with working with industries to develop and apply technology, measurements, and standards.

National Vulnerability Database (NVD) – A NIST database that maintains security checklists, security related software flaws, misconfigurations, product names, and impact metrics.

Network Security— The process of preventing unauthorized activity across a computer infrastructure or network.

Node.js – An open-source, cross-platform JavaScript runtime environment used for developing server-side Web applications.

Null Pointer Bugs – A programming term for dereferencing a pointer that is null or otherwise does not point to a valid object (dangling pointers to freed memory, wild pointers to arbitrary addresses), producing a crash or unpredictable behavior. Setting a pointer to NULL after freeing it turns a later use into a clean crash instead of silent corruption.
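The C example below is added here and is not from the original glossary; it serves the Fault Injection, Memory Leaks, and Null Pointer Bugs entries together. A counting allocator with an injectable failure drives a constructor whose error path leaks, beside the corrected version, and the free routine nulls the caller's pointer. The `session` structure and the `xmalloc`/`XFREE` wrappers are constructed for the example; real projects get the same checks from LeakSanitizer or Valgrind.

```c
#include <stdlib.h>
#include <string.h>

/* Allocation accounting plus fault injection. fail_after = -1 never fails;
   fail_after = k makes the (k+1)-th allocation return NULL. */
static int live_allocations = 0;
static int fail_after = -1;

void *xmalloc(size_t n)
{
    if (fail_after == 0) return NULL;     /* injected failure */
    if (fail_after > 0) fail_after--;
    void *p = malloc(n);
    if (p) live_allocations++;
    return p;
}

/* Free and NULL the pointer: a later use becomes a NULL dereference (a
   crash a test will see) instead of a dangling pointer into reused memory. */
#define XFREE(p) do { if (p) { free(p); live_allocations--; (p) = NULL; } } while (0)

struct session { char *user; char *token; };

/* Leaky: if the third allocation fails, `user` is never released. */
struct session *session_new_leaky(const char *user, const char *token)
{
    struct session *s = xmalloc(sizeof *s);
    if (!s) return NULL;
    s->user = xmalloc(strlen(user) + 1);
    if (!s->user) { XFREE(s); return NULL; }
    strcpy(s->user, user);
    s->token = xmalloc(strlen(token) + 1);
    if (!s->token) { XFREE(s); return NULL; }   /* BUG: s->user leaks */
    strcpy(s->token, token);
    return s;
}

/* Fixed: one cleanup path releases everything acquired so far. */
struct session *session_new(const char *user, const char *token)
{
    struct session *s = xmalloc(sizeof *s);
    if (!s) return NULL;
    s->user = NULL;
    s->token = NULL;
    s->user = xmalloc(strlen(user) + 1);
    if (!s->user) goto fail;
    strcpy(s->user, user);
    s->token = xmalloc(strlen(token) + 1);
    if (!s->token) goto fail;
    strcpy(s->token, token);
    return s;
fail:
    XFREE(s->user);
    XFREE(s->token);
    XFREE(s);
    return NULL;
}

/* Takes the caller's pointer by address so it is NULL afterwards. */
void session_free(struct session **sp)
{
    if (!*sp) return;
    XFREE((*sp)->user);
    XFREE((*sp)->token);
    XFREE(*sp);
}

/* Fault-injection driver: run the constructor with the (k+1)-th allocation
   forced to fail (k = -1 for no failure), free whatever came back, and report
   how many allocations are still live. Anything other than 0 is a leak. */
int leaked_after_failing_alloc(struct session *(*ctor)(const char *, const char *), int k)
{
    live_allocations = 0;
    fail_after = k;
    struct session *s = ctor("alice", "tok-123");   /* constructed values */
    fail_after = -1;
    session_free(&s);
    return live_allocations;
}
```

Failing the third allocation (`k = 2`) leaves one block live with the leaky constructor and none with the fixed one; failing the first or none leaks in neither, which is why the error path in the middle is the one that needs the injected fault to be found.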


Open Source Software (OSS)— Software whose source code is publicly available for use, modification, and distribution.

OpenSSL— An open source implementation of the SSL and TLS protocols and of the cryptographic primitives they use.

OWASP— Open Web Application Security Project.

OWASP Top Ten— An OWASP listing of the most critical Web application security vulnerabilities.


Payment Card Industry Security Standards Council (PCI SSC) – An industry self-regulating organization formed by Visa, MasterCard, American Express, Discover, and JCB to improve the security of payment card handling.

Payment Card Industry Data Security Standard (PCI DSS) – A set of security requirements for organizations that store, process, or transmit payment card data.

Production Part Approval Process (PPAP):  An automotive supply chain process for establishing confidence in component suppliers and their production processes.

Procurement Language – A set of expectations set forth by the acquirer when obtaining third-party components or software.

Python – A general-purpose, interpreted, dynamic programming language that was in fact named after Monty Python.


Remediation— The process of fixing a vulnerability discovered in a security test. Compare with Mitigation.

Requirement (Software)— A description of functional or non-functional needs that must be met by software, often used during procurement.

Risk – A combination of Threat, Vulnerability, and Cost: Risk = Threat x Vulnerability x Cost. If any of these factors is 0, the risk is 0; under this model a vulnerability that no threat actor can reach, or whose exploitation would cost nothing, carries no risk.

Rooting - The act of obtaining superuser (root) access on an Android device by removing the protections put in place by the device maker or carrier, allowing code outside the platform's controls to be downloaded and executed on the device. Compare with Jailbreaking.

Ruby – An object-oriented, general-purpose programming language influenced by Perl, Smalltalk, Eiffel, Ada, and Lisp.

Runtime Application Self-Protection (RASP)— An application security technology that runs inside the application itself and monitors its execution, so that attacks are detected as they happen and can be blocked in real time.


SANS Institute – This is the common business name of the Escal Institute Of Advanced Technologies, Inc. and provides infosec training and awareness.

SANS Top 25 – The CWE/SANS Top 25 Most Dangerous Software Errors, a list of the most widespread and critical software weaknesses, published by the SANS Institute jointly with MITRE.

Signoff – A process of gating software development so that code is tested throughout the software development lifecycle and not only at the very end.

Smart Grid— A computerized electrical grid with sensors and devices that interoperate.

Social Engineering — A low-tech attack strategy that uses deception, typically impersonation of a trusted person or organization, to manipulate people into bypassing security controls on the attacker's behalf.

Software Maturity Model— A process used to analyze maturity in a given business process, in this case software development.

Software as a Service (SaaS)— A delivery model in which a third-party provider hosts applications in the cloud and makes them available to customers over the internet.

Software Development Life Cycle (SDLC)— A structured framework for defining activities throughout the software development process.

Source Code -- The raw, uncompiled code as written by a programmer, readable by a human. To run it, source code must first be compiled into a binary (or executed by an interpreter). Compare with Binary Code.

SQL Injection— A type of injection attack in which attacker-controlled input is concatenated into a SQL statement and changes its meaning, letting the attacker read or modify data and, depending on the database's configuration, execute commands with its privileges. Prevented by parameterised queries, which keep the SQL text separate from the values.
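The C example below, added here and not part of the original glossary, serves the Injection Attack and SQL Injection entries. It shows the query built by string concatenation, the allow-list check that keeps the constructed `1 OR 1=1` input out of it, and a quoting fallback for string values. The `users` table and the inputs are constructed for the example; the code builds statement text only and calls no database driver, where a parameterised query (`sqlite3_bind_text`, `PQexecParams`, and the like) is the preferred control.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Vulnerable: the caller's input is pasted into the statement text. The
   input "1 OR 1=1" turns a single-row lookup into a dump of the whole table.
   Returns 0 on success, -1 if the statement does not fit in `sql`. */
int build_user_query_unsafe(char *sql, size_t sql_size, const char *id)
{
    int n = snprintf(sql, sql_size, "SELECT name FROM users WHERE id = %s", id);
    return (n < 0 || (size_t)n >= sql_size) ? -1 : 0;
}

/* Allow-list validation: an id is a short string of digits, so anything
   else is rejected before it gets near the query. Returns 1 if valid. */
int is_numeric_id(const char *id)
{
    size_t len = strlen(id);
    if (len == 0 || len > 10) return 0;
    for (size_t i = 0; i < len; i++)
        if (!isdigit((unsigned char)id[i])) return 0;
    return 1;
}

/* Same statement text, but only reachable with input that passed the
   allow-list, so the value can only ever be parsed as a number. */
int build_user_query_validated(char *sql, size_t sql_size, const char *id)
{
    if (!is_numeric_id(id)) return -1;
    return build_user_query_unsafe(sql, sql_size, id);
}

/* Quoting fallback for string values where binding is unavailable: wrap in
   single quotes and double any embedded quote so the value cannot close the
   literal. Returns 0 on success, -1 if the result does not fit. */
int sql_quote_literal(char *out, size_t out_size, const char *value)
{
    size_t pos = 0;
    if (out_size < 3) return -1;
    out[pos++] = '\'';
    for (; *value; value++) {
        size_t need = (*value == '\'') ? 2 : 1;
        if (pos + need + 2 > out_size) return -1;   /* closing quote + NUL */
        out[pos++] = *value;
        if (*value == '\'') out[pos++] = '\'';
    }
    out[pos++] = '\'';
    out[pos] = '\0';
    return 0;
}

int main(void)
{
    char sql[128], lit[64];
    build_user_query_unsafe(sql, sizeof sql, "1 OR 1=1");
    printf("unsafe:    %s\n", sql);
    printf("validated: %d (rejected)\n", build_user_query_validated(sql, sizeof sql, "1 OR 1=1"));
    sql_quote_literal(lit, sizeof lit, "x'; DROP TABLE users; --");
    printf("quoted:    %s\n", lit);
    return 0;
}
```

Quoting is only as good as the database's parsing rules (multi-byte encodings and backslash handling differ between engines), which is why binding parameters remains the primary defence and quoting is the fallback.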

Static Analysis— A testing method that identifies quality and security flaws and vulnerabilities without executing the code in a runtime environment. Compare with DAST, IAST, and SAST.

Static Application Security Testing (SAST) – A testing analysis of an application's source code to identify vulnerabilities without execution. Compare with DAST, IAST, and Static Analysis.


Taint Checking – A feature of programming languages such as Perl (the -T switch) and Ruby that marks data arriving from outside the program (user input, files, the network, the environment) as tainted and refuses to pass it to sensitive operations such as commands, file paths, or queries until it has been explicitly validated. Taint propagates through operations on the data, so a string built from tainted input is itself tainted. Static and dynamic analysers apply the same source-to-sink idea to find injection vulnerabilities.
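The C example below, added here and not from the original page, models the rule just described: a source marks data tainted, concatenation propagates the flag, only an explicit validator clears it, and a sink refuses anything still tainted. The `tstr` type, the filename pattern, and the `/var/app/uploads` path are constructed for the example; the language features named in the entry implement this inside the interpreter.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* A value carries its taint flag alongside its bytes. */
struct tstr { char buf[128]; int tainted; };

/* Source: anything read from outside the program starts tainted. */
struct tstr taint_source(const char *untrusted)
{
    struct tstr t;
    snprintf(t.buf, sizeof t.buf, "%s", untrusted);
    t.tainted = 1;
    return t;
}

/* Propagation: a value derived from tainted data is tainted. */
struct tstr taint_concat(const struct tstr *a, const struct tstr *b)
{
    struct tstr t;
    snprintf(t.buf, sizeof t.buf, "%s%s", a->buf, b->buf);
    t.tainted = a->tainted || b->tainted;
    return t;
}

/* Validator: the only way to clear taint is to match an explicit pattern.
   Here a filename is [A-Za-z0-9._-] with no leading dot, which excludes
   path separators and "..". Returns 0 and clears the flag, or -1. */
int untaint_filename(struct tstr *t)
{
    if (t->buf[0] == '\0' || t->buf[0] == '.') return -1;
    for (const char *p = t->buf; *p; p++)
        if (!isalnum((unsigned char)*p) && *p != '.' && *p != '_' && *p != '-')
            return -1;
    t->tainted = 0;
    return 0;
}

/* Sink: builds the path that would be opened under the upload directory.
   Refuses tainted input instead of letting "../../etc/passwd" through.
   Returns the path length on success, -1 if the input is still tainted
   or the path does not fit. */
int sink_build_path(char *out, size_t out_size, const struct tstr *name)
{
    if (name->tainted) return -1;
    int n = snprintf(out, out_size, "/var/app/uploads/%s", name->buf);
    return (n < 0 || (size_t)n >= out_size) ? -1 : n;
}

int main(void)
{
    char path[256];
    struct tstr evil = taint_source("../../etc/passwd");   /* constructed */
    struct tstr good = taint_source("report-2024.txt");   /* constructed */
    printf("tainted sink call: %d\n", sink_build_path(path, sizeof path, &evil));
    printf("validate evil:     %d\n", untaint_filename(&evil));
    printf("validate good:     %d\n", untaint_filename(&good));
    printf("sink after check:  %d -> %s\n", sink_build_path(path, sizeof path, &good), path);
    return 0;
}
```

Note what the validator does not do: it never tries to strip `../` out of the input. Rewriting bad input is how taint checks get bypassed; matching the whole value against what a good one looks like is what clears the flag.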

Test-Driven Development (TDD): A process for designing software components in which their expected behavior is defined through unit tests written before the code that makes those tests pass.

Threat— A combination of actors, objectives, and motivations that can bypass security controls and exploit a vulnerability to achieve a goal undesirable to the system owners, such as a data breach. One factor in the assessment equation Risk = Threat x Vulnerability x Cost. Compare with Risk.

Threat Actor— Typically one or more human beings with motives to inflict harm on a computer system.

Threat Modeling— A security analysis that considers threat agents, skill, motivation, attack surface, attack vectors, discoverability, probability, impact, and mitigation, among other aspects to perform a risk analysis.

Trojan— A type of malicious software (malware) that appears to perform one task but may in fact perform another, more malicious task in the background.


Unit Testing: The process of analyzing each unit of software code separately.

Unsafe System Call— A call into the kernel that, given the arguments passed to it, can cause the system to hang or otherwise become unresponsive.


Virus— A malicious software program that attaches itself to other files or programs and spreads only when a user installs or executes the infected host; unlike a worm, it cannot spread on its own. Compare with Worm.

Vulnerability— A flaw in software that could be exploited, whether or not it actually is. Also a factor in the assessment equation Risk = Threat x Vulnerability x Cost. Compare with Risk.


Waterfall Model— A structured, sequential software development process that proceeds downward through different phases such as Requirements, Architecture, Design, Code, Test, Deployment, and Operations. Compare with Agile.

Web Application (Web App)— A client-server application run in a web browser.

White Box— A test with full information about the target system available for analysis. Compare with Black Box.

White Hat— A hacker with permission to take apart or otherwise gain access to sensitive assets on a network for non-malicious reasons. Compare with Black Hat.

Worm— A malicious software program that self-replicates and spreads throughout a computer network or system by scanning and exploiting vulnerabilities.